Instead of embedding static Java serialized objects, Metasploit offers ysoserial-generated binaries with built-in randomization. The benefits of using the Metasploit library include quicker module development, easier-to-read code, and future-proof Java serialized objects.
- **payload_name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache. As of this writing, the list includes: `BeanShell1`, `Clojure`, `CommonsBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`. While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library because they require complex inputs rather than a single command string. Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
- **command** - The command parameter is the OS command that the remote system will execute. The library treats it as OS-agnostic and does not adapt it to the target, so the module must determine the target OS and architecture, if necessary, before generating a payload.
- **modified_type** - Use a modified version that invokes the specified shell (except in the case of `original`). For more information regarding the invocation, see [`CmdExecuteHelper.java`][1]. The value must be one of the following:
  - **bash** - A modified version that will invoke the command using the `bash` executable.
  - **cmd** - A modified version that will invoke the command using the Windows `cmd.exe` executable.
  - **original** - The original ysoserial invocation without an OS-specific shell. **Be careful when using this option**: some ysoserial payloads (as selected by the *payload_name* parameter) pass the OS command to `Runtime.getRuntime().exec` as a single string instead of an array of strings, so commands that contain the `"` character lead to execution errors. For this reason, it is recommended that an OS-specific version be used when available.
  - **powershell** - A modified version that will invoke the command using the Windows `powershell.exe` executable.
To avoid invoking Java (and all its dependencies) at runtime, the serialized objects are generated ahead of time and cached within a JSON file. The JSON file can be refreshed using a standalone Ruby script, which comes prepackaged with a Docker image that handles downloading `ysoserial` and the necessary dependencies. The script, the `Dockerimage` and a high-level `runme.sh` wrapper script are stored within `tools/payloads/ysoserial`. An example run looks like:
At completion, the `data/ysoserial_payloads.json` file is overwritten and the 22 dynamic payloads are ready for use within the framework. Afterward, the developer should follow the standard `git` procedures to `add` and `commit` the new JSON file before generating a pull request and landing the updated JSON into the framework's `master` branch.