
Add the payload for CVE-2011-2894 (Spring AOP) #16

Closed

Conversation

h3xstream (Contributor)

I'm analyzing the various known gadgets. I decided to integrate this "old" payload created by @pwntester. It could be useful for other researchers to include it in the collection.

Reflections.setFieldValue() was changed to set the field on the first class or subclass.

The payload is not added to the test suite because it requires a version change in the pom.xml.

I have added a utility to display the state of a Java object before and after serialisation.

frohoff (Owner) commented Mar 4, 2016

This is great! Unfortunately we may need to figure out a solution for #10 before we can accept this. I presume this causes a compilation error with the current spring version(s)?

pwntester (Contributor)

@h3xstream, Thanks for adding my exploit, really cool!

Just one note, I saw you are just returning the proxy and then modifying PayloadRunner.java to call toString() in the deserialized proxy. This should not be necessary, just use a trigger gadget to dispatch the call to the invocation handler during deserialization:

```java
// Comparator proxy whose InvocationHandler is the entry point of the gadget chain
Comparator proxy = (Comparator) Proxy.newProxyInstance(
        Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

// PriorityQueue.readObject() calls heapify(), which invokes the comparator as soon as
// the queue holds two elements, so no manual toString() call on the proxy is needed
PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, proxy);
Object[] queue = new Object[] {templates, templates};
Reflections.setFieldValue(priorityQueue, "queue", queue);
Reflections.setFieldValue(priorityQueue, "size", 2);

return priorityQueue;
```

frohoff (Owner) commented Mar 13, 2016

It looks like this compiles OK against Spring 4.x. Can you update with @pwntester's suggested changes and rebase against the latest master to resolve conflicts? If so I'll try to get this pulled in soon and add support for dynamic dependency loading at payload generation time.

h3xstream (Contributor, Author)

@frohoff This gadget does compile with 4.1.4 and the payload will be generated, but the deserialization can't be tested: the "powerful" classes used in this gadget are no longer deserializable in 4.1.4.

pwntester's additional trick is to avoid the need for manual interaction with the Proxy. The PriorityQueue will trigger the compareTo() call during the deserialization, making the gadget "plug-n-play" for all applications. (I just introduced the code snippet in cf6d4e2.)
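The defensive counterpart to the trigger discussed above is the point at which an endpoint can still refuse the stream. Because PriorityQueue's comparator is invoked from inside ObjectInputStream.readObject(), any check that runs after readObject() returns is too late; an ObjectInputFilter (java.io, Java 9+) is consulted per class descriptor as the stream is parsed, before the queue or its comparator is instantiated. The following is an added demonstration written for this note, not ysoserial code and not the PR's gadget: the InvocationHandler is a benign recorder, the allow-list and the class name DeserializationFilterDemo are assumptions, and the stream is constructed in-process.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Comparator;
import java.util.PriorityQueue;
import java.util.Set;

/**
 * Constructed demonstration (not ysoserial code): shows that a PriorityQueue's comparator runs
 * inside ObjectInputStream.readObject(), and that an allow-list ObjectInputFilter (Java 9+)
 * stops the stream before that can happen.
 */
public class DeserializationFilterDemo {

    /** Benign InvocationHandler that only records whether compare() was invoked. */
    static final class RecordingHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean compareInvoked = false;

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) {
            switch (method.getName()) {
                case "compare":
                    compareInvoked = true;
                    return 0;
                case "equals":
                    return proxy == args[0];
                case "hashCode":
                    return System.identityHashCode(proxy);
                default:
                    return "RecordingHandler proxy";
            }
        }
    }

    /** Classes this hypothetical endpoint legitimately expects in its streams (assumed). */
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Number");

    /** Allow-list filter: unexpected classes, every proxy class and deep graphs are rejected. */
    static ObjectInputFilter allowListFilter() {
        return info -> {
            if (info.depth() > 10) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                return ObjectInputFilter.Status.UNDECIDED; // size/limit callbacks without a class
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType();
            }
            if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED; // covers PriorityQueue and any Proxy class
        };
    }

    /** Hardened read: the filter is installed before the first object is read. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }

    /** What an unprotected endpoint does: no filter at all. */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        @SuppressWarnings("unchecked")
        Comparator<Object> proxy = (Comparator<Object>) Proxy.newProxyInstance(
                Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, new RecordingHandler());
        PriorityQueue<Object> pq = new PriorityQueue<>(2, proxy);
        pq.add(1);
        pq.add(2); // two elements, so heapify() has a comparison to make on read
        byte[] bytes = serialize(pq); // constructed in-process, no external input

        RecordingHandler.compareInvoked = false;
        readUnfiltered(bytes);
        System.out.println("unfiltered: comparator ran inside readObject = " + RecordingHandler.compareInvoked);

        RecordingHandler.compareInvoked = false;
        try {
            readFiltered(bytes);
        } catch (InvalidClassException e) {
            System.out.println("filtered: stream rejected at the first class descriptor (" + e.getMessage() + ")");
        }
        System.out.println("filtered: comparator ran inside readObject = " + RecordingHandler.compareInvoked);
    }
}
```

Run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on a JDK 9 or later. The unfiltered read reports that the comparator ran with no call from application code, which is exactly the "plug-n-play" property described above; the filtered read fails on the PriorityQueue descriptor before the comparator, its handler or any element is materialised. The filter is deliberately an allow-list rather than a deny-list of known gadget classes, since a deny-list has to be updated for every new chain. If the JVM already has a global `jdk.serialFilter` configured, the unfiltered case will be subject to that filter instead.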
