ysoserial v-0.0.3 - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

ysoserial v-0.0.3 – A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

Changelog v0.0.3:
+ Refactors and included new JRE <= 1.7u21 gadget chain

ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.

It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having gadgets on the classpath.

Example Command: java -jar ysoserial-0.0.3-all.jar CommonsCollections1 calc.exe | xxd

Example Command:
java -jar ysoserial-0.0.3-all.jar CommonsCollections1 calc.exe | xxd

Usage & Installation:

Download : v0.0.3.tar.gz  | v0.0.3.zip
Source : https://github.com/frohoff | Our Post Before