Skip to content

Latest commit

 

History

History
36 lines (27 loc) · 1.28 KB

README.md

File metadata and controls

36 lines (27 loc) · 1.28 KB

What are we proving

  1. Jackson Databind Deserialization vulnerability

Context of application

  1. Microservice based on Spark Framework (http://sparkjava.com/)
  2. Depends on
    1. com.fasterxml.jackson.core:jackson-databind:2.8.8
    2. xalan:xalan:2.7.2
  3. Unsafe deserializaiton (Polymorphic Typing)
  4. Untrusted input acceptance

Directory Structure

  1. src/... : Source code to depict Deserializaiton Exploit (uses http://sparkjava.com/)
  2. exploit : Source code to craft a gadget/exploit for DeSerializaiton Vulnerability
  3. attackscripts : Misc shell scripts to induce normal and malicious requests upon applicaiton service

How can I use this?

Spin up a shell prompt (start vulnerable web instance)

  1. git clone https://github.com/conikeec/jackspoilt.git
  2. cd jackspoilt
  3. mvn package
  4. Start application server : java -jar target/jackspoilt-1.0-SNAPSHOT.jar

Spin up a shell prompt (To create gadget or exploit)

  1. cd jackspoilt
  2. mvn exec:java -D"exec.mainClass"="EncodeExploit"
  3. The command above creates attack.json in the attackscripts directory
  4. cd attackscripts
  5. ./add.sh
  6. ./list.sh
  7. ./exploit.sh - This command will ineject the malicious payload, trigger gadget chain (Edit exploit/Exploit.java to add your exploit command of choice)