Skip to content

Contextual Deserialization vulnerability that causes RCE - Remote Code Execution

Notifications You must be signed in to change notification settings

conikeec/jackspoilt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

What are we proving

  1. Jackson Databind Deserialization vulnerability

Context of application

  1. Microservice based on Spark Framework (http://sparkjava.com/)
  2. Depends on
    1. com.fasterxml.jackson.core:jackson-databind:2.8.8
    2. xalan:xalan:2.7.2
  3. Unsafe deserializaiton (Polymorphic Typing)
  4. Untrusted input acceptance

Directory Structure

  1. src/... : Source code to depict Deserializaiton Exploit (uses http://sparkjava.com/)
  2. exploit : Source code to craft a gadget/exploit for DeSerializaiton Vulnerability
  3. attackscripts : Misc shell scripts to induce normal and malicious requests upon applicaiton service

How can I use this?

Spin up a shell prompt (start vulnerable web instance)

  1. git clone https://github.com/conikeec/jackspoilt.git
  2. cd jackspoilt
  3. mvn package
  4. Start application server : java -jar target/jackspoilt-1.0-SNAPSHOT.jar

Spin up a shell prompt (To create gadget or exploit)

  1. cd jackspoilt
  2. mvn exec:java -D"exec.mainClass"="EncodeExploit"
  3. The command above creates attack.json in the attackscripts directory
  4. cd attackscripts
  5. ./add.sh
  6. ./list.sh
  7. ./exploit.sh - This command will ineject the malicious payload, trigger gadget chain (Edit exploit/Exploit.java to add your exploit command of choice)

About

Contextual Deserialization vulnerability that causes RCE - Remote Code Execution

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published