<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::JavaDeserialization
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::JavaDeserialization";
relpath = '../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../_index.html">Index (J)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span>
&raquo;
<span class="title">JavaDeserialization</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::JavaDeserialization
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="Powershell.html" title="Msf::Exploit::Powershell (module)">Powershell</a></span></dd>
</dl>
<dl>
<dt>Included in:</dt>
<dd><span class='object_link'><a href="Remote/JndiInjection.html" title="Msf::Exploit::Remote::JndiInjection (module)">Remote::JndiInjection</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/java_deserialization.rb</dd>
</dl>
</div>
<h2>
Class Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#gadget_chains-class_method" title="gadget_chains (class method)">.<strong>gadget_chains</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
</ul>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#generate_java_deserialization_for_command-instance_method" title="#generate_java_deserialization_for_command (instance method)">#<strong>generate_java_deserialization_for_command</strong>(name, shell, command) &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate a binary blob that when deserialized by Java will execute the specified command using the platform-specific shell.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#generate_java_deserialization_for_payload-instance_method" title="#generate_java_deserialization_for_payload (instance method)">#<strong>generate_java_deserialization_for_payload</strong>(name, payload) &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate a binary blob that when deserialized by Java will execute the specified payload.</p>
</div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="Powershell.html" title="Msf::Exploit::Powershell (module)">Powershell</a></span></h3>
<p class="inherited"><span class='object_link'><a href="Powershell.html#bypass_powershell_protections-instance_method" title="Msf::Exploit::Powershell#bypass_powershell_protections (method)">#bypass_powershell_protections</a></span>, <span class='object_link'><a href="Powershell.html#cmd_psh_payload-instance_method" title="Msf::Exploit::Powershell#cmd_psh_payload (method)">#cmd_psh_payload</a></span>, <span class='object_link'><a href="Powershell.html#compress_script-instance_method" title="Msf::Exploit::Powershell#compress_script (method)">#compress_script</a></span>, <span class='object_link'><a href="Powershell.html#decode_script-instance_method" title="Msf::Exploit::Powershell#decode_script (method)">#decode_script</a></span>, <span class='object_link'><a href="Powershell.html#decompress_script-instance_method" title="Msf::Exploit::Powershell#decompress_script (method)">#decompress_script</a></span>, <span class='object_link'><a href="Powershell.html#encode_script-instance_method" title="Msf::Exploit::Powershell#encode_script (method)">#encode_script</a></span>, <span class='object_link'><a href="Powershell.html#generate_psh_args-instance_method" title="Msf::Exploit::Powershell#generate_psh_args (method)">#generate_psh_args</a></span>, <span class='object_link'><a href="Powershell.html#generate_psh_command_line-instance_method" title="Msf::Exploit::Powershell#generate_psh_command_line (method)">#generate_psh_command_line</a></span>, <span class='object_link'><a href="Powershell.html#initialize-instance_method" title="Msf::Exploit::Powershell#initialize (method)">#initialize</a></span>, <span class='object_link'><a href="Powershell.html#make_subs-instance_method" title="Msf::Exploit::Powershell#make_subs (method)">#make_subs</a></span>, <span class='object_link'><a href="Powershell.html#process_subs-instance_method" title="Msf::Exploit::Powershell#process_subs (method)">#process_subs</a></span>, <span class='object_link'><a 
href="Powershell.html#read_script-instance_method" title="Msf::Exploit::Powershell#read_script (method)">#read_script</a></span>, <span class='object_link'><a href="Powershell.html#run_hidden_psh-instance_method" title="Msf::Exploit::Powershell#run_hidden_psh (method)">#run_hidden_psh</a></span></p>
<div id="class_method_details" class="method_details_list">
<h2>Class Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="gadget_chains-class_method">
.<strong>gadget_chains</strong> &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
69
70
71
72
73</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/java_deserialization.rb', line 69</span>
<span class='kw'>def</span> <span class='kw'>self</span><span class='period'>.</span><span class='id identifier rubyid_gadget_chains'>gadget_chains</span>
<span class='id identifier rubyid_chains'>chains</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util.html" title="Msf::Util (module)">Util</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util/JavaDeserialization.html" title="Msf::Util::JavaDeserialization (class)">JavaDeserialization</a></span></span><span class='period'>.</span><span class='id identifier rubyid_ysoserial_payload_names'><span class='object_link'><a href="../Util/JavaDeserialization.html#ysoserial_payload_names-class_method" title="Msf::Util::JavaDeserialization.ysoserial_payload_names (method)">ysoserial_payload_names</a></span></span>
<span class='id identifier rubyid_chains'>chains</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>BeanFactory</span><span class='tstring_end'>&#39;</span></span> <span class='comment'># not a ysoserial payload, but still supported
</span> <span class='id identifier rubyid_chains'>chains</span><span class='period'>.</span><span class='id identifier rubyid_sort'>sort</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="generate_java_deserialization_for_command-instance_method">
#<strong>generate_java_deserialization_for_command</strong>(name, shell, command) &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generate a binary blob that, when deserialized by Java, will execute the specified command using the platform-specific shell. Many deserialization gadget chains pass the command to <code>Runtime.getRuntime().exec()</code> as a single string, which places limitations on characters in the command such as whitespace and quotes. Specifying a shell causes the command to be invoked as an array using that shell, which works around those limitations.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The name of the gadget chain to use: a YSoSerial payload name or BeanFactory (see gadget_chains).</p>
</div>
</li>
<li>
<span class='name'>shell</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The shell to use for executing the command. Must be one of bash, cmd or powershell; any other value raises a RuntimeError.</p>
</div>
</li>
<li>
<span class='name'>command</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The OS command to execute.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The opaque data blob.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/java_deserialization.rb', line 19</span>
<span class='kw'>def</span> <span class='id identifier rubyid_generate_java_deserialization_for_command'>generate_java_deserialization_for_command</span><span class='lparen'>(</span><span class='id identifier rubyid_name'>name</span><span class='comma'>,</span> <span class='id identifier rubyid_shell'>shell</span><span class='comma'>,</span> <span class='id identifier rubyid_command'>command</span><span class='rparen'>)</span>
<span class='comment'># here we force usage of a modified type to avoid compatibility issues with command characters that are present in
</span> <span class='comment'># some ysoserial payloads
</span> <span class='kw'>unless</span> <span class='qwords_beg'>%w{</span><span class='words_sep'> </span><span class='tstring_content'>bash</span><span class='words_sep'> </span><span class='tstring_content'>cmd</span><span class='words_sep'> </span><span class='tstring_content'>powershell</span><span class='words_sep'> </span><span class='tstring_end'>}</span></span><span class='period'>.</span><span class='id identifier rubyid_include?'>include?</span> <span class='id identifier rubyid_shell'>shell</span>
<span class='id identifier rubyid_raise'>raise</span> <span class='const'>RuntimeError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Invalid shell for Java Deserialization payload generation</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_name'>name</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>BeanFactory</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_blob'>blob</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util.html" title="Msf::Util (module)">Util</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util/JavaDeserialization.html" title="Msf::Util::JavaDeserialization (class)">JavaDeserialization</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util/JavaDeserialization/BeanFactory.html" title="Msf::Util::JavaDeserialization::BeanFactory (class)">BeanFactory</a></span></span><span class='period'>.</span><span class='id identifier rubyid_generate'><span class='object_link'><a href="../Util/JavaDeserialization/BeanFactory.html#generate-class_method" title="Msf::Util::JavaDeserialization::BeanFactory.generate (method)">generate</a></span></span><span class='lparen'>(</span><span class='id identifier rubyid_command'>command</span><span class='comma'>,</span> <span class='label'>shell:</span> <span class='id identifier rubyid_shell'>shell</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_blob'>blob</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util.html" title="Msf::Util (module)">Util</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Util/JavaDeserialization.html" title="Msf::Util::JavaDeserialization (class)">JavaDeserialization</a></span></span><span class='period'>.</span><span class='id identifier rubyid_ysoserial_payload'><span class='object_link'><a href="../Util/JavaDeserialization.html#ysoserial_payload-class_method" title="Msf::Util::JavaDeserialization.ysoserial_payload (method)">ysoserial_payload</a></span></span><span class='lparen'>(</span><span class='id identifier rubyid_name'>name</span><span class='comma'>,</span> <span class='id identifier rubyid_command'>command</span><span class='comma'>,</span> <span class='label'>modified_type:</span> <span class='id identifier rubyid_shell'>shell</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_blob'>blob</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="generate_java_deserialization_for_payload-instance_method">
#<strong>generate_java_deserialization_for_payload</strong>(name, payload) &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generate a binary blob that when deserialized by Java will execute the specified payload. This routine converts the payload automatically based on the platform and architecture. Due to this, not all combinations are supported.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The name of the gadget chain to use: a YSoSerial payload name or BeanFactory (see gadget_chains).</p>
</div>
</li>
<li>
<span class='name'>payload</span>
<span class='type'>(<tt><span class='object_link'><a href="../EncodedPayload.html" title="Msf::EncodedPayload (class)">Msf::EncodedPayload</a></span></tt>)</span>
&mdash;
<div class='inline'>
<p>The payload to execute.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The opaque data blob.</p>
</div>
</li>
</ul>
<p class="tag_title">Raises:</p>
<ul class="raise">
<li>
<span class='type'>(<tt>RuntimeError</tt>)</span>
&mdash;
<div class='inline'>
<p>Raised if the specified payload cannot be automatically converted to an operating system command.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/java_deserialization.rb', line 45</span>
<span class='kw'>def</span> <span class='id identifier rubyid_generate_java_deserialization_for_payload'>generate_java_deserialization_for_payload</span><span class='lparen'>(</span><span class='id identifier rubyid_name'>name</span><span class='comma'>,</span> <span class='id identifier rubyid_payload'>payload</span><span class='rparen'>)</span>
<span class='id identifier rubyid_command'>command</span> <span class='op'>=</span> <span class='kw'>nil</span>
<span class='kw'>if</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_platform'>platform</span><span class='period'>.</span><span class='id identifier rubyid_platforms'>platforms</span> <span class='op'>==</span> <span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module/Platform.html" title="Msf::Module::Platform (class)">Platform</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module/Platform/Windows.html" title="Msf::Module::Platform::Windows (class)">Windows</a></span></span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='lbracket'>[</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Arch</span><span class='op'>::</span><span class='const'>ARCH_X86</span><span class='comma'>,</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Arch</span><span class='op'>::</span><span class='const'>ARCH_X64</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_include?'>include?</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span>
<span class='id identifier rubyid_command'>command</span> <span class='op'>=</span> <span class='id identifier rubyid_cmd_psh_payload'>cmd_psh_payload</span><span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span><span class='comma'>,</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span><span class='comma'>,</span> <span class='lbrace'>{</span> <span class='label'>remove_comspec:</span> <span class='kw'>true</span> <span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>elsif</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Arch</span><span class='op'>::</span><span class='const'>ARCH_CMD</span>
<span class='id identifier rubyid_command'>command</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_shell'>shell</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>cmd</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>else</span>
<span class='kw'>if</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Arch</span><span class='op'>::</span><span class='const'>ARCH_CMD</span>
<span class='id identifier rubyid_command'>command</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_shell'>shell</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>bash</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_command'>command</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span>
<span class='id identifier rubyid_raise'>raise</span> <span class='const'>RuntimeError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Could not generate the payload for the platform/architecture combination</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>end</span>
<span class='id identifier rubyid_generate_java_deserialization_for_command'>generate_java_deserialization_for_command</span><span class='lparen'>(</span><span class='id identifier rubyid_name'>name</span><span class='comma'>,</span> <span class='id identifier rubyid_shell'>shell</span><span class='comma'>,</span> <span class='id identifier rubyid_command'>command</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:02:08 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>