ysoserial v0.0.6 – a proof-of-concept payload generator that exploits unsafe Java object deserialization.
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software.
Changelog ysoserial v0.0.6:
+ fixes and refactoring
+ more payloads, authors and dependencies
Originally released as part of AppSecCali 2015 Talk “Marshalling Pickles: how deserializing objects will ruin your day” with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x). Later updated to include additional gadget chains for JRE <= 1.7u21 and several other libraries.
ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common Java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain is invoked automatically and the command is executed on the application host.
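A defender-side companion to the description above, added here and not part of ysoserial: a heuristic scanner that checks a blob for the Java serialization stream header and pulls class names out of TC_CLASSDESC records, flagging classes from the library families the page names (Commons Collections, Spring, Groovy). The denylist prefixes, the record layout shortcuts and the sample blobs are assumptions constructed for the demo, not real ysoserial output.

```python
from __future__ import annotations
import re
import struct

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72

# Assumed denylist: package prefixes of the gadget-bearing libraries the page lists.
SUSPICIOUS_PREFIXES = (
    "org.apache.commons.collections",
    "org.springframework",
    "org.codehaus.groovy",
)
_CLASS_NAME = re.compile(rb"^\[*[A-Za-z_$][\w$.;]*$")  # plain or array class name

def is_java_serialized(data: bytes) -> bool:
    """True if the blob starts with the Java serialization magic and version 5."""
    return data[:4] == STREAM_MAGIC

def extract_class_names(data: bytes) -> list[str]:
    """Heuristic scan: TC_CLASSDESC (0x72), then u16 length, then the class name."""
    names, i = [], 0
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", data, i + 1)
            candidate = data[i + 3 : i + 3 + length]
            if 0 < length <= 256 and len(candidate) == length and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length  # skip past the name so 'r' (0x72) inside it is not re-read
                continue
        i += 1
    return names

def flag_gadget_classes(data: bytes) -> tuple[bool, list[str]]:
    """Return (suspicious?, matching class names) for one blob."""
    if not is_java_serialized(data):
        return False, []
    hits = [n for n in extract_class_names(data) if n.startswith(SUSPICIOUS_PREFIXES)]
    return bool(hits), hits

def _class_desc(name: str) -> bytes:
    """Constructed minimal TC_OBJECT + TC_CLASSDESC record (uid, flags, 0 fields, end, null super)."""
    encoded = name.encode("ascii")
    return (b"\x73" + bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")

# Constructed samples: a benign JDK class and a hypothetical class under a listed prefix.
SAMPLE_BENIGN = STREAM_MAGIC + _class_desc("java.util.HashMap")
SAMPLE_SUSPECT = STREAM_MAGIC + _class_desc("org.apache.commons.collections.functors.ExampleTransformer")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, flag_gadget_classes(blob))
```

The scanner is a triage aid only; the actual fix is to not deserialize untrusted input, or to enforce a class allowlist in the deserializing application.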
Requirements:
+ Java 1.7+ and Maven 3.x+
Usage, Download and Build:
git clone https://github.com/frohoff/ysoserial && cd ysoserial
mvn clean package -DskipTests
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 calc.exe | xxd
git pull origin master