Using the Python javaSerializationTools module to generate the 8u20 gadget

Wide byte security 2021-01-21 16:44:00
Using the Python javaSerializationTools module

Brief introduction

Recently a friend asked me to write a scanner for Java deserialization vulnerabilities in Python. Generating the exploit payload from Python is not easy; at the moment there are only two ways:

  1. Have Python call Java's ysoserial.jar from the command line to obtain the gadget. This has many drawbacks: a JDK has to be available in the target environment, and for special gadgets such as the 7u21 payload, several JDK versions have to be prepared.
  2. Hard-code the gadget bytes directly in Python.

Of course, the most fatal drawback shared by both methods is that you cannot freely change values such as the serialVersionUID (suid). In deserialization attacks, failures caused by a suid mismatch are common. All the usual tricks find a way out inside the jar; very few people work on the serialized file itself.

So, following the Java serialization protocol specification, I wrote a Python module that can freely read and write Java serialized files. A Java version may be released later.

Generating the 8u20 gadget is the most challenging case. The existing online tools are complicated: handles and so on have to be calculated by hand, which is very unfriendly to anyone who does not know the Java serialization protocol. Moreover, the 8u20 gadget is malformed serialized data.

Let's start with the dnslog gadget and work from easy to hard, to see how the javaSerializationTools module reads and writes Java serialized files.

Modifying the URL in the dnslog gadget

Here we don't care about how the dnslog gadget is triggered; we only care about how to modify the dnslog address.

Modifying the dnslog address is really just modifying the value of the host field of the URL object. So first we read a dnslog serialized file and, after it parses successfully, save it as a YAML template in text form.

JSON cannot store complex objects: Java objects often contain circular references, which JSON has no way to express, whereas YAML can, at the cost of some readability. The main goal is to reduce the workload.

The sample code is as follows:

    from javaSerializationTools import ObjectRead  # import path assumed from the module name given in this post

    # Parse the dnslog serialized file into the module's object tree
    with open("../files/dnslog.ser", "rb") as f:
        a = ObjectRead(f)
        dnslog = a.readContent()

Here I use the module's JavaObject class to represent a Java object. In serialized data there are only objects, the fields of objects and the classes of objects; any extra data is appended to the objectAnnotation list of the JavaObject. Now let's look at the screenshot to see how dnslog is parsed.

loadFactor and threshold are two properties of the HashMap object; there is nothing special about them. Here is how I save the values of the fields of a Java object.

In Java, a class may inherit from a parent class, which may in turn inherit from a grandparent class. To restore an object exactly, Java saves all of the object's fields. When deserializing an object, the object's class description is read first (the JavaClass shown in the picture above). Then the object's values are restored in the order of the fields in the class description that was just read: the parent class's values are read first, then the subclass's. So I save the fields as a multidimensional array, layer by layer. The order of the fields must match the order of the fields described in the JavaClass.

Now let's talk about what objectAnnotation is. By default, serialization saves all the values of an object. But for an object such as HashMap, the values inside the object, that is, its keys and values, are not fixed, so there is no way to save them as fields. This is where writeObject and readObject come in. writeObject is a special method for writing an object's extra values; whatever writeObject emits is written into the ObjectAnnotation, and readObject reads that information back out of the ObjectAnnotation. When serializing, the field values of the parent class are written first; if the parent class has a writeObject, it is then called to write the extra information; after that the field values of the subclass are written. Once writeObject returns successfully, an EndBlock marker is written to the ObjectAnnotation to terminate it.

For a HashMap object, the keys and values are stored separately in the ObjectAnnotation. We need to find a way to modify the host field of the URL object. The layout of the URL object is shown in the figure below.

It's easy to change; the code is as follows:

    import yaml
    from javaSerializationTools import ObjectWrite  # import path assumed from the module name given in this post

    dnslogUrl = ''  # the new dnslog address (left empty in the post)
    with open('dnslog.yaml', "r") as f:
        dnslog = yaml.load(f, Loader=yaml.FullLoader)
    UrlObject = dnslog.objectAnnotation[2]
    # set the host property of the URL object to the new dnslog address
    dnslog.objectAnnotation[1].fields[0][4].value.string = dnslogUrl
    with open('dnslog.ser', 'wb') as f:
        o = ObjectWrite(f)  # the write call itself is cut off in the post

The dnslog.yaml screenshot is as follows.

Generating the JRE 8u20 gadget

Having covered simple objects above, let's now talk about reading and writing complex objects. We only need to understand how the JRE 7u21 payload is triggered and how its fix is bypassed.

In the 7u21 gadget, the readObject of LinkedHashMap triggers sun.reflect.annotation.AnnotationInvocationHandler, which finally triggers RCE. The fix is shown in the figure below: readObject checks the type being deserialized and throws an exception directly if it is not the expected one.

We also need to recall the writeObject method mentioned above. Suppose an object's writeObject method is called during serialization. Java then does not serialize any field values on its own; it is entirely up to the object's writeObject what happens. So, in general, writeObject only saves the extra information, and the object's field values are all left to defaultReadObject() to handle.

Although sun.reflect.annotation.AnnotationInvocationHandler throws an exception, the object and all its properties have in fact already been restored, and it can be called.

Let's analyze why. Open the part of the Java serialization protocol specification about restoring objects, or the readObject method of the ObjectRead class I wrote myself.

In the Java serialization protocol, to avoid circular references and to save space after serialization, the second occurrence of an identical object is replaced by a reference, which you can think of as a pointer in C. When restoring an object, a reference (handle) is first created for the object being restored, and then the object's values are restored.
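To make the handle, field-order and objectAnnotation rules above concrete, here is an added example (my own code, not part of this post or of the javaSerializationTools module): a minimal walker for the Java serialization stream, written from the protocol specification. It assigns handles in the same order ObjectInputStream does, restores superclass field values before the subclass's, consumes writeObject output up to the EndBlock marker, and lists every class a blob would instantiate, which is the check a defender runs on an untrusted blob before it ever reaches ObjectInputStream. The sample stream is constructed; the class names Child and Parent are made up.

```python
import struct
# Type codes, class flag and handle base from the Java Object Serialization Stream Protocol.
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_BLOCKDATA, TC_ENDBLOCKDATA, SC_WRITE_METHOD, BASE_HANDLE = 0x77, 0x78, 0x01, 0x7E0000
PRIM_SIZES = {'B': 1, 'C': 2, 'D': 8, 'F': 4, 'I': 4, 'J': 8, 'S': 2, 'Z': 1}

class StreamWalker:                    # primitive-field objects only: no arrays or string fields
    def __init__(self, data):
        assert data[:4] == b'\xac\xed\x00\x05', 'bad STREAM_MAGIC/VERSION'
        self.buf, self.pos, self.handles = data, 4, []   # handles[i] is bound to 0x7E0000 + i
    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]; self.pos += n; return chunk
    def utf(self):                     # 2-byte big-endian length, then the string bytes
        return self.take(struct.unpack('>H', self.take(2))[0]).decode('utf-8')
    def back_ref(self):                # TC_REFERENCE carries a handle assigned earlier in the stream
        return self.handles[struct.unpack('>I', self.take(4))[0] - BASE_HANDLE]
    def class_desc(self):
        tc = self.take(1)[0]
        if tc in (TC_NULL, TC_REFERENCE): return None if tc == TC_NULL else self.back_ref()
        assert tc == TC_CLASSDESC, 'unexpected type code 0x%02x' % tc
        desc = {'name': self.utf(), 'suid': struct.unpack('>q', self.take(8))[0]}
        self.handles.append(desc)      # a class desc gets its handle before its superclass desc
        desc['flags'], n = self.take(1)[0], struct.unpack('>H', self.take(2))[0]
        desc['fields'] = [(chr(self.take(1)[0]), self.utf()) for _ in range(n)]
        assert self.take(1)[0] == TC_ENDBLOCKDATA, 'non-empty classAnnotation not supported'
        desc['super'] = self.class_desc(); return desc
    def class_data(self, d, obj):      # superclass field values are restored before the subclass's
        if d['super']: self.class_data(d['super'], obj)
        obj['values'] += [(name, self.take(PRIM_SIZES[code])) for code, name in d['fields']]
        if d['flags'] & SC_WRITE_METHOD:   # writeObject output (objectAnnotation) up to EndBlock
            while self.buf[self.pos] != TC_ENDBLOCKDATA: obj['annotation'].append(self.read_object())
            self.take(1)
    def read_object(self):
        tc = self.take(1)[0]
        if tc == TC_REFERENCE: return self.back_ref()            # a repeated object is just its handle
        if tc == TC_BLOCKDATA: return self.take(self.take(1)[0])  # raw writeObject bytes, 1-byte length
        assert tc == TC_OBJECT, 'unexpected type code 0x%02x' % tc
        desc = self.class_desc()
        obj = {'class': desc['name'], 'values': [], 'annotation': []}
        self.handles.append(obj)       # the object handle exists before any field value is read
        self.class_data(desc, obj)
        return obj
def walk(data):                        # contents, plus every class the blob would instantiate
    w, contents = StreamWalker(data), []
    while w.pos < len(data): contents.append(w.read_object())
    return contents, [h['name'] for h in w.handles if 'suid' in h]
# Constructed sample: Child extends Parent; Parent {int p; writeObject}, Child {byte c}; then a back-reference.
SAMPLE = bytes.fromhex('aced0005' '73' '72 0005 4368696c64 0000000000000002 02 0001 42 0001 63 78'
                       '72 0006 506172656e74 0000000000000001 03 0001 49 0001 70 78 70'
                       '00000007' '77 02 aabb' '78' '2a' '71 007e0002')  # p=7, block data, EndBlock, c=42, ref
```

Running `walk(SAMPLE)` yields handles 0x7E0000 (Child desc), 0x7E0001 (Parent desc) and 0x7E0002 (the object), with p restored before c and the trailing TC_REFERENCE resolving to the same object.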

In the readObject of sun.reflect.annotation.AnnotationInvocationHandler, we can see that there is no code after the throw, and no extra information left for us to read. Therefore, even though an exception is thrown, the object has still been restored successfully: before the exception is thrown, all fields of the object have already been restored. So we try to intercept the exception without interrupting the normal deserialization process. This is the popular explanation of the 8u20 gadget.

Here we look directly at the java.beans.beancontext.BeanContextSupport#readChildren method. It reads extra objects and also catches exceptions, without interrupting the normal deserialization process.

We said earlier that the ObjectAnnotation ends with a JavaEndBlockData marker that identifies the end of what readObject reads. But now an exception is thrown, so the JavaEndBlockData in BeanContextSupport's ObjectAnnotation cannot be handled properly, which would also break all subsequent reads. This is why the JRE 8u20 payload cannot be parsed by third-party software. When we generate BeanContextSupport, we break the rules and do not place the JavaEndBlockData marker at the end of the ObjectAnnotation. This is the source of the malformed data in 8u20.

So let's look at the parsing result of 7u21, as pictured.

As we said, during deserialization the values of the object's fields are generally restored first, then the values in the objectAnnotation. We just need to insert a fake field into the LinkedHashSet; if Java encounters a fake value during deserialization, it does not affect the normal deserialization process.

Easier said than done: Java serialization does not generate this kind of malformed data. To modify the 7u21 payload by hand and insert a new object, all references would have to be changed one by one. That workload sounds scary, and it is easy to make mistakes.

So I use the javaSerializationTools module to modify the 7u21 gadget; references and the like are calculated automatically.

First, add a new field to LinkedHashSet, named fake, with type BeanContextSupport.

The code is as follows:

    import yaml
    from javaSerializationTools import ObjectRead, ObjectWrite, JavaObject, JavaField, JavaString  # import path assumed from the module name given in this post

    with open("../files/7u21.ser", "rb") as f:
        a = ObjectRead(f)
        obj = a.readContent()
    # Step one: add a fake field named fake to the HashSet
    signature = JavaString("Ljava/beans/beancontext/BeanContextSupport;")
    fakeSignature = {'name': 'fake', 'signature': signature}

Then construct the value of the BeanContextSupport object.

    # Continues the script above.
    # Construct a fake BeanContextSupport deserialized object; note the reference
    # to AnnotationInvocationHandler further down.
    # Read the class description of BeanContextSupport
    with open('BeanContextSupportClass.yaml', 'r') as f1:
        BeanContextSupportClassDesc = yaml.load(f1, Loader=yaml.FullLoader)
    beanContextSupportObject = JavaObject(BeanContextSupportClassDesc)
    # Add the beanContextChildPeer attribute to beanContextSupportObject
    # (the field's signature and value are cut off in the post, so the call is kept as a comment)
    # beanContextChildPeerField = JavaField('beanContextChildPeer', ...)
    # Add the serializable attribute to beanContextSupportObject
    serializableField = JavaField('serializable', 'I', 1)

Finally, deal with the objectAnnotation, because the superclass of BeanContextSupport has a writeObject method. According to the protocol, our first value is javaEndBlock and the second value is the sun.reflect.annotation.AnnotationInvocationHandler object; here we directly reference the AnnotationInvocationHandler object from 7u21. In this way, the AnnotationInvocationHandler that actually does the work is the first successfully restored AnnotationInvocationHandler object, and a referenced object does not have its readObject method called again when it is referenced.

The code is as follows:

    # Continues the script above.
    # Add objectAnnotation data to beanContextSupportObject
    AnnotationInvocationHandler = obj.objectAnnotation[2].fields[0][0].value
    # Put beanContextSupportObject into the fake attribute
    fakeField = JavaField('fake', fakeSignature['signature'], beanContextSupportObject)

Of course, there is no need to calculate handles any more: just write the object to a file with ObjectWrite, which automatically calculates handles and all the other fussy things.

    # Continues the script above.
    with open("8u20.ser", 'wb') as f:
        o = ObjectWrite(f)  # the write call itself is cut off in the post

The layout of the 8u20 gadget is shown in the figure below.

See ... for the complete code.

You are welcome to fork and star the project. It is still being designed and will be easier to use later.

Project address

This article was written by [Wide byte security]; please include a link to the original when reposting. Thanks.
