• Stars: 339
• Rank: 120,580 (Top 3 %)
• Language: Java
• Created about 8 years ago
• Updated about 2 years ago


Repository Details

Collection of bypass gadgets to extend and wrap ysoserial payloads

SerialKiller: Bypass Gadget Collection

Description

Collection of bypass gadgets that can be used in JVM deserialization gadget chains to bypass "look-ahead ObjectInputStream" defensive deserialization.

Released as part of RSA 2016 Talk "SerialKiller: Silently Pwning Your Java Endpoints" by Alvaro Muñoz (@pwntester) and Christian Schneider (@cschneider4711).

Details about the bypass gadget technique can be found in the following resources:

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Requirements

The current state of this project depends heavily on the "ysoserial" project, and the idea is to integrate it there in the near future (see below). It can be considered an extension of ysoserial: it reuses parts of the ysoserial code and all of its payload gadgets in order to facilitate future integration.

Copy the current version (ysoserial-0.0.5-SNAPSHOT-all.jar) to /external and adjust the pom.xml if using a different version.

The following JAR files are required from the WebLogic and WebSphere application servers and are not distributed with the SerialKiller Bypass Gadget Collection. Copy them from your authorized version of the application server to the /external directory.

com.ibm.jaxws.thinclient_8.5.0.jar
com.ibm.ws.ejb.embeddableContainer_8.5.0.jar
com.oracle.weblogic.iiop-common.jar
com.ibm.mq.jmqi.jar
com.ibm.ws.ejb.thinclient_8.5.0.jar
com.ibm.msg.client.jms.jar
com.ibm.ws.runtime.coregroupbridge.jar

Build

mvn clean compile assembly:single

Usage

java -jar target/serialkiller-bypass-gadgets-0.0.1-SNAPSHOT-all.jar <Payload Gadget, eg: CommonsCollections2> <Bypass Gadget, eg: Weblogic1> <Command, eg: 'touch /tmp/test'>

Future

The idea is to integrate this project into the ysoserial project as soon as it supports wrapping payloads in bypass gadgets and handling missing dependencies.
