The following example is a write-up of an example of payload execution that I performed for a University assignment. I have also created a TryHackMe room based upon this. I replicate a java application and the serialization process; ultimately being able to perform RCE on Windows 10.

1. Scope

This write-up is an example of the serialisation process of an application (in this instance, Java) can be maliciously intercepted, facilitating code execution via the form of launching an applicaton on Windows. I have replicated an application that you may find locally. In my case, this application seralizes Customer data - ready for traversal across the network, which I have simulated across two VM’s. Outputting it to a file named Customerdetails.ser

Note, this isn’t a new exploit or a 0day of any kind. Deserialisation atacks via CommonsCollections isn’t a brand new topic - albeit - still very prevalent today.

2. The Environment

Our data to be serialised across the simulated network: Our Serialised Data

When inspected, it’s hex encoded - aka serialised:

Inspecting our data

This is a seralised abstraction of the data that we have just saved ( and Notice the small quantity of data here for later. If I was to de-serialise this data, we would see the Object containing the data being reconstructed from this byte stream.

This is how the data should derserialise!

Normal serialisation of data

3. Performing Remote Code Execution

Introducing Ysoserial

Ysoserial uses Apache libraries such as CommonCollections, amongst others to generate malicious payloads where commands can be executed - depending on the platform and service(s) running!

using ysoserial

Let’s generate our first payload using Ysoserial!

generating paylaod using ysoserial

Here we can view the hex-encoded payload. Notice how it is considerably larger then our original data in this case.

reviewing our payload

This is our payload… Now, when returning to my application that is acting as the de-serialisation in the process, instead of submitting a file to a vulnerable URL (Like that of a JBoss Server), this app simply takes seralised data stored within a file - exploit.ser which is where we have saved our payload too.

we got RCE