Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
require 'rex'
2

3
RSpec.describe Msf::Util::JavaDeserialization do
4
  let(:payload_name) do
5
    'PAYLOAD_NAME'
6
  end
7

8
  let(:default_command) do
9
    nil
10
  end
11
  describe '#ysoserial_payload' do
12

13
    context 'when default payload is not found' do
14
      it 'raises a RuntimeError' do
15
        stub_const('Msf::Util::JavaDeserialization::PAYLOAD_FILENAME', 'INVALID')
16
        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(RuntimeError, /Unable to load JSON data from:/)
17
      end
18
    end
19

20
    context 'when default payload is not JSON format' do
21
      it 'raises a RuntimeError error' do
22
        allow(File).to receive(:read).and_return('BAD DATA')
23
        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(RuntimeError, /Unable to load JSON data from:/)
24
      end
25
    end
26

27
    context 'when payload status is unsupported' do
28
      it 'raises a unsupported error' do
29
        json_data = %Q|{"none":{"BeanShell1":{"status":"unsupported","bytes":"AAAA"}}}|
30
        allow(File).to receive(:read).and_return(json_data)
31
        expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(ArgumentError)
32
      end
33
    end
34

35
    context 'when payload status is static' do
36
      let(:payload_name) do
37
        'BeanShell1'
38
      end
39

40
      it 'returns a Base64 string' do
41
        original_bytes = 'AAAA'
42
        b64 = Rex::Text.encode_base64(original_bytes)
43
        json_data = %Q|{"none":{"BeanShell1":{"status":"static","bytes":"#{b64}"}}}|
44
        allow(File).to receive(:read).and_return(json_data)
45
        p = Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)
46
        expect(p).to eq(original_bytes)
47
      end
48
    end
49

50
    context 'when payload status is dynamic' do
51
      let(:payload_name) do
52
        'CommonsCollections1'
53
      end
54

55
      context 'when missing a command' do
56
        it 'raises an argument error' do
57
          expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)}.to raise_error(ArgumentError)
58
        end
59
      end
60

61
      context 'when a modified type is not found' do
62
        it 'raises an argument error' do
63
          type = 'unknown_type'
64
          expect{Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command, modified_type: type)}.to raise_error(ArgumentError)
65
        end
66
      end
67

68
      context 'when a command is provided' do
69
        it 'returns serialized data' do
70
          default_command = 'id'
71
          p = Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command)
72
          expect(p).to include('java.util.Mapxr')
73
        end
74
      end
75

76
      context 'when command and type are provided' do
77
        it 'returns serialized data' do
78
          default_command = 'id'
79
          type = 'bash'
80
          p = Msf::Util::JavaDeserialization::ysoserial_payload(payload_name, default_command, modified_type: type)
81
          expect(p).to include('java.util.Mapxr')
82
        end
83
      end
84
    end
85
  end
86
end
87

88