Use an enum for the YSoSerial payload option

2022-01-07 10:11:32 -05:00 · 2022-01-07 10:11:32 -05:00 · f56f328c8d
parent 3cb70c01bf
commit f56f328c8d
2 changed files with 32 additions and 17 deletions
--- a/lib/msf/util/java_deserialization.rb
+++ b/lib/msf/util/java_deserialization.rb
@ -10,19 +10,7 @@ class JavaDeserialization
  PAYLOAD_FILENAME = "ysoserial_payloads.json"

  def self.ysoserial_payload(payload_name, command=nil, modified_type: 'none')
-    # Open the JSON file and parse it
-    path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
-    begin
-      json = JSON.parse(File.read(path))
-    rescue Errno::ENOENT, JSON::ParserError
-      raise RuntimeError, "Unable to load JSON data from: #{path}"
-    end
-
-    # Extract the specified payload type (including cmd, bash, powershell, none)
-    payloads_json = json[modified_type.to_s]
-    if payloads_json.nil?
-      raise ArgumentError, "#{modified_type} type not found in ysoserial payloads"
-    end
+    payloads_json = load_ysoserial_data(modified_type)

    # Extract the specified payload (status, lengthOffset, bufferOffset, bytes)
    payload = payloads_json[payload_name]
@ -67,6 +55,33 @@ class JavaDeserialization
    end
  end

+  def self.ysoserial_payload_names(modified_type: 'none')
+    payloads_json = load_ysoserial_data(modified_type)
+    payloads_json.keys
+  end
+
+  class << self
+    private
+
+    def load_ysoserial_data(modified_type)
+      # Open the JSON file and parse it
+      path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
+      begin
+        json = JSON.parse(File.read(path))
+      rescue Errno::ENOENT, JSON::ParserError
+        raise RuntimeError, "Unable to load JSON data from: #{path}"
+      end
+
+      # Extract the specified payload type (including cmd, bash, powershell, none)
+      payloads_json = json[modified_type.to_s]
+      if payloads_json.nil?
+        raise ArgumentError, "#{modified_type} type not found in ysoserial payloads"
+      end
+
+      payloads_json
+    end
+  end
+
 end # JavaDeserialization
 end # Util
 end # Msf
--- a/modules/exploits/multi/http/log4shell_header_injection.rb
+++ b/modules/exploits/multi/http/log4shell_header_injection.rb
@ -75,9 +75,9 @@ class MetasploitModule < Msf::Exploit::Remote
      OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),
      OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),
      OptString.new('HTTP_HEADER', [ true, 'The header to inject', 'X-Api-Version']),
-      OptEnum.new('YSOSERIAL_LIB', [
-        true, 'Ysoserial library for deserialization', '',
-        %w[CommonsBeanutils1 CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6 Groovy1 Hibernate1 JBossInterceptors1 JSON1 JavassistWeld1 Jdk7u21 MozillaRhino1 Myfaces1 ROME Spring1 Spring2]
+      OptEnum.new('YSOSERIAL_PAYLOAD', [
+        true, 'Ysoserial payload to use for deserialization', '',
+        Msf::Util::JavaDeserialization.ysoserial_payload_names
      ]),
      OptPort.new('HTTP_SRVPORT', [true, 'The HTTP server port', 8080]),
      OptBool.new('LDAP_AUTH_BYPASS', [true, 'Ignore LDAP client authentication', true]),
@ -141,7 +141,7 @@ class MetasploitModule < Msf::Exploit::Remote
        [ 'javaCodebase'.to_ber, [ resource_url_string.to_ber ].to_ber_set ].to_ber_sequence,
      ]
    else
-      java_payload = generate_java_deserialization_for_payload(datastore['YSOSERIAL_LIB'], payload)
+      java_payload = generate_java_deserialization_for_payload(datastore['YSOSERIAL_PAYLOAD'], payload)
      # vprint_good("Serialized java payload: #{java_payload}")
      attrs = [
        [ 'javaClassName'.to_ber, [ 'foo'.to_ber ].to_ber_set ].to_ber_sequence,