Exploiting a Java De-serialisation Attack on Windows Demo

The following example is a write-up of an example of payload execution that I performed for a University assignment.

I have also created a [TryHackMe room based upon this](https://tryhackme.com/room/cerealctf).

This write-up is an example of how the serialisation process of an application (in this instance, Java) can be maliciously intercepted, facilitating code execution in the form of launching an application on Windows.

I have replicated an application of the kind you may find locally. In my case, this application serialises "Customer" data, ready for traversal across the network, and outputs it to a file named "Customerdetails.ser".

When inspected, the contents of that file are as follows:

This is a serialised abstraction of the data that we have just saved (cust.name and cust.email). Note the small quantity of data here; it matters later.

If I were to "de-serialise" this data, we would see the object containing the data being reconstructed from this byte stream.

Introducing Ysoserial

Ysoserial uses gadget chains found in common Java libraries, such as Apache Commons Collections, amongst others, to generate malicious payloads through which commands can be executed.

Let's generate our first payload using Ysoserial!

We are calling the Ysoserial jar file, specifying the payload type CommonsCollections5 and providing a command to execute. In this case, that is calc.exe, and the output is then piped to a file named "exploit.ser".

Reverting Back to the Application

If we were to inspect this "exploit.ser" file, notice how much more data is contained within.

This is our payload...

Now, returning to my application, which acts as the "de-serialisation" end of the process: instead of submitting a file to a vulnerable URL (like that of a JBoss server), this app simply reads serialised data stored within a file, "exploit.ser", which is where we have saved our payload.

When running the code, we can see that Calculator has appeared! There are many ways to adapt this, for example launching cmd.exe. It is very possible, but hard to illustrate: as it runs "in the background", an MS-DOS prompt is not shown, but believe me, it runs.

Think about how this can be adapted to Linux, say pinging another server? Or perhaps even a remote shell...?