jackspoilt

Contextual Deserialization vulnerability that causes RCE - Remote Code Execution


What are we proving

  1. Jackson Databind Deserialization vulnerability

Context of application

  1. Microservice based on Spark Framework (http://sparkjava.com/)
  2. Depends on
    1. com.fasterxml.jackson.core:jackson-databind:2.8.8
    2. xalan:xalan:2.7.2
  3. Unsafe deserialization (Polymorphic Typing)
  4. Untrusted input acceptance
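As an added illustration (not code from the jackspoilt repo), the weak ObjectMapper setting that turns on global polymorphic typing next to a hardened form that keeps it off and closes the set of subtypes; the Item/TodoItem classes and the JSON inputs are constructed for this example.

```java
// Added example, not part of jackspoilt: weak vs. hardened Jackson setup.
// Item, TodoItem, the "kind" property and the JSON strings are constructed.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicTypingDemo {

    // Weak: default typing lets the JSON document name the class to
    // instantiate for any non-final property type, so an untrusted request
    // body can pick any class the server's classpath happens to carry.
    // This is the condition the jackspoilt service reproduces.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened: default typing stays off. Polymorphism is opt-in per
    // hierarchy with a logical type id, and @JsonSubTypes is the closed
    // list of classes that id may resolve to; anything else is rejected
    // before any object is constructed.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = TodoItem.class, name = "todo") })
    interface Item {}

    static class TodoItem implements Item {
        public String title;
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // no enableDefaultTyping / activateDefaultTyping call
    }

    public static void main(String[] args) throws Exception {
        String ok = "{\"kind\":\"todo\",\"title\":\"buy milk\"}";
        Item item = hardenedMapper().readValue(ok, Item.class);
        System.out.println("accepted: " + ((TodoItem) item).title);

        // Constructed type id outside the whitelist: binding fails
        // (InvalidTypeIdException, a JsonMappingException) and nothing is instantiated.
        String bad = "{\"kind\":\"com.example.NotAllowed\",\"title\":\"x\"}";
        try {
            hardenedMapper().readValue(bad, Item.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

On jackson-databind 2.10 and later, code that genuinely needs default typing should use activateDefaultTyping with a PolymorphicTypeValidator (e.g. BasicPolymorphicTypeValidator restricted to its own base types) instead of the deprecated enableDefaultTyping.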

Directory Structure

  1. src/... : Source code to depict the deserialization exploit (uses http://sparkjava.com/)
  2. exploit : Source code to craft a gadget/exploit for the deserialization vulnerability
  3. attackscripts : Misc shell scripts to issue normal and malicious requests to the application service

How can I use this?

Spin up a shell prompt (start vulnerable web instance)

  1. git clone https://github.com/conikeec/jackspoilt.git
  2. cd jackspoilt
  3. mvn package
  4. Start application server : java -jar target/jackspoilt-1.0-SNAPSHOT.jar

Spin up a shell prompt (To create gadget or exploit)

  1. cd jackspoilt
  2. mvn exec:java -D"exec.mainClass"="EncodeExploit"
  3. The command above creates attack.json in the attackscripts directory
  4. cd attackscripts
  5. ./add.sh
  6. ./list.sh
  7. ./exploit.sh - This command injects the malicious payload and triggers the gadget chain (edit exploit/Exploit.java to add your exploit command of choice)