Exploiting a Java Deserialisation Attack on Windows: Demo

Introduction

The following is a write-up of a payload-execution example that I performed for a University assignment. I have also created a TryHackMe room based upon this.

This write-up shows how the serialisation process of an application (in this instance, a Java one) can be maliciously intercepted, facilitating code execution in the form of launching an application on Windows. I have replicated an application of the kind you may find locally. In my case, this application serialises Customer data, ready for traversal across the network, and outputs it to a file named Customerdetails.ser.

When that file is inspected, its contents are a serialised abstraction of the data we have just saved (cust.name and cust.email). Note the small quantity of data here; it matters later. If I were to deserialise this data, we would see the object containing the data being reconstructed from this byte stream.

Introducing Ysoserial

Ysoserial uses gadget chains from common Java libraries, such as Apache Commons Collections amongst others, to generate malicious payloads through which commands can be executed.

Let's generate our first payload using Ysoserial!

We are calling the Ysoserial jar file, specifying the payload type CommonsCollections5 and providing a command to execute. In this case, the command is calc.exe, and the output is piped to a file named exploit.ser.

Reverting Back to the Application

If we were to inspect this exploit.ser file, notice how much more data is contained within it.

This is our payload. Now, returning to my application, which performs the deserialisation step in the process: instead of submitting a file to a vulnerable URL (like that of a JBoss server), this app simply reads serialised data stored within a file, exploit.ser, which is where we saved our payload.

When running the code, we can see that the calculator has appeared! There are a lot of ways to adapt this, for example launching cmd.exe. It is very possible, but hard to illustrate: as it runs in the background, an MS-DOS prompt is not shown, but believe me, it runs. Think about how this can be adapted to Linux, say pinging another server? Or perhaps even a remote shell…?
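As an added example, not code from this write-up or its TryHackMe room, the following Java stand-in for the Customer application shows the serialisation step described above and the check that closes the hole the demo exploits. The original Customer class is not shown in the write-up, so its name and its two String fields (name, email) are assumed from cust.name and cust.email; the file names are placeholders created with createTempFile. The hardened loader installs a JEP 290 ObjectInputFilter (Java 9 and later) that allows only Customer to be reconstructed, so any stream carrying other classes, including the Commons Collections gadget classes a ysoserial payload relies on, is rejected before any of their deserialisation hooks run. A plain HashMap stands in for the unexpected content so the example stays self-contained.

```java
import java.io.*;
import java.util.HashMap;

// Assumed stand-in for the write-up's Customer object: the class itself is
// not shown there, only the fields cust.name and cust.email.
class Customer implements Serializable {
    private static final long serialVersionUID = 1L;
    String name;
    String email;

    Customer(String name, String email) {
        this.name = name;
        this.email = email;
    }
}

public class SafeDeserialisation {

    // Serialise a Customer to a .ser file, as the write-up's application does.
    static void save(Customer cust, File out) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(out))) {
            oos.writeObject(cust);
        }
    }

    // Allow-list filter (JEP 290): only Customer and the String type of its
    // fields may be reconstructed. Every other class is refused at the class
    // descriptor, before an instance is created or any readObject hook runs.
    static final ObjectInputFilter ALLOW_ONLY_CUSTOMER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Depth and size callbacks carry no class; leave them undecided.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (c == Customer.class || c == String.class) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    // The hardened counterpart of the demo's file-based deserialisation step.
    static Customer load(File in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(in))) {
            ois.setObjectInputFilter(ALLOW_ONLY_CUSTOMER);
            return (Customer) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, written to a temporary stand-in for Customerdetails.ser.
        File good = File.createTempFile("Customerdetails", ".ser");
        save(new Customer("Alice Example", "alice@example.invalid"), good);
        Customer c = load(good);
        System.out.println("Loaded " + c.name + " <" + c.email + ">");

        // A stream carrying any class outside the allow-list is rejected by the
        // filter. A HashMap is used here as the unexpected content (constructed
        // for the example; it is not a ysoserial payload).
        File other = File.createTempFile("unexpected", ".ser");
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(other))) {
            oos.writeObject(new HashMap<String, String>());
        }
        try {
            load(other);
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a rejected class as InvalidClassException.
            System.out.println("Rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserialisation.java && java SafeDeserialisation`: the first load prints the Customer, the second prints a rejection with the message "filter status: REJECTED". The same allow-list can be applied process-wide with the `-Djdk.serialFilter=` JVM option instead of per stream, which is the better choice for an application that deserialises in more than one place.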