ZKar

ZKar is a Java serialization protocol analysis tool implemented in Go. The tool is still a work in progress, so there is no complete API documentation or contribution guide yet.

ZKar provides:

  • A Java serialization payload parser and viewer in pure Go; no CGO or JDK is required
  • A mapping from the Java serialization protocol to Go structs
  • A Go library that can manipulate Java serialization data
  • WIP: a ysoserial implementation in Go
  • WIP: a Java class bytecode parser, viewer and manipulation library
  • WIP: an implementation of RMI/LDAP in Go

📦 Installing

Using ZKar is easy. Use go get to install ZKar along with the library and its dependencies:

go get -u github.com/phith0n/zkar

Next, use github.com/phith0n/zkar/* in your application:

package main

import (
	"fmt"
	"io/ioutil"
	"log"

	"github.com/phith0n/zkar/serz"
)

func main() {
	// Read a serialized payload; here one of the ysoserial test cases shipped with ZKar.
	data, err := ioutil.ReadFile("./testcases/ysoserial/CommonsCollections6.ser")
	if err != nil {
		log.Fatalf("read error: %v", err)
	}

	// Parse the stream into ZKar's Go structs. Nothing is deserialized by a JVM,
	// so inspecting an untrusted payload this way does not trigger its gadget chain.
	serialization, err := serz.FromBytes(data)
	if err != nil {
		log.Fatalf("parse error: %v", err)
	}

	// Print the human-readable dump of the parsed structure.
	fmt.Println(serialization.ToString())
}

💻 Command line utility tool

ZKar also provides a command line utility that you can use directly:

$ go run main.go
NAME:
   zkar - A Java serz tool

USAGE:
   main [global options] command [command options] [arguments...]

COMMANDS:
   generate  generate Java serz attack payloads
   dump      parse the Java serz streams and dump the struct
   help, h   Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h  show help (default: false)

For example, to dump the CommonsBeanutils3 payload generated by ysoserial:

$ go run main.go dump -f "$(pwd)/testcases/ysoserial/CommonsBeanutils3.ser"


🛠 Tests

ZKar is a well-tested tool that passes parsing and rebuilding tests for every gadget ysoserial generates. That is, each gadget produced by ysoserial can be parsed by ZKar, and the parsed structs can be converted back into a byte string that is identical to the original.

Gadget               Package     Parse  Rebuild  Parse Time
AspectJWeaver        ysoserial   ✅     ✅       80.334µs
BeanShell1           ysoserial   ✅     ✅       782.613µs
C3P0                 ysoserial   ✅     ✅       98.321µs
Click1               ysoserial   ✅     ✅       573.298µs
Clojure              ysoserial   ✅     ✅       72.415µs
CommonsBeanutils1    ysoserial   ✅     ✅       461.15µs
CommonsCollections1  ysoserial   ✅     ✅       64.484µs
CommonsCollections2  ysoserial   ✅     ✅       508.918µs
CommonsCollections3  ysoserial   ✅     ✅       564.071µs
CommonsCollections4  ysoserial   ✅     ✅       535.449µs
CommonsCollections5  ysoserial   ✅     ✅       137.609µs
CommonsCollections6  ysoserial   ✅     ✅       68.753µs
CommonsCollections7  ysoserial   ✅     ✅       178.549µs
FileUpload1          ysoserial   ✅     ✅       35.39µs
Groovy1              ysoserial   ✅     ✅       150.991µs
Hibernate1           ysoserial   ✅     ✅       789.674µs
Hibernate2           ysoserial   ✅     ✅       168.624µs
JBossInterceptors1   ysoserial   ✅     ✅       632.581µs
JRMPClient           ysoserial   ✅     ✅       32.967µs
JRMPListener         ysoserial   ✅     ✅       38.263µs
JSON1                ysoserial   ✅     ✅       2.157225ms
JavassistWeld1       ysoserial   ✅     ✅       468.596µs
Jdk7u21              ysoserial   ✅     ✅       355.01µs
Jython1              ysoserial   ✅     ✅       216.862µs
MozillaRhino1        ysoserial   ✅     ✅       1.775193ms
MozillaRhino2        ysoserial   ✅     ✅       409.124µs
Myfaces1             ysoserial   ✅     ✅       22.997µs
Myfaces2             ysoserial   ✅     ✅       38.131µs
ROME                 ysoserial   ✅     ✅       485.804µs
Spring1              ysoserial   ✅     ✅       797.469µs
Spring2              ysoserial   ✅     ✅       358.041µs
URLDNS               ysoserial   ✅     ✅       21.502µs
Vaadin1              ysoserial   ✅     ✅       438.729µs
Wicket1              ysoserial   ✅     ✅       23.509µs
JDK8u20*             pwntester   ✅     ✅       529.3µs

Notice: to parse the JDK8u20 payload, add the --jdk8u20 flag to the dump command. That payload is not a valid serialized data stream, so the flag tells ZKar to patch the data before parsing it.
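The library usage above and the parse/rebuild round trip the test table reports both come down to walking the Java Object Serialization Stream Protocol and emitting it again unchanged. The following is an added example, not code from the ZKar project: a minimal pure-Go parser for the stream prefix (STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC and the class descriptor fields up to the field count) with a matching encoder, so that rebuilding the parsed struct can be checked byte-for-byte against the input. The type names, function names and the sample stream (including its serialVersionUID) are constructed for this example and are not ZKar's own API.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Constants from the Java Object Serialization Stream Protocol specification.
const (
	streamMagic   uint16 = 0xACED
	streamVersion uint16 = 0x0005
	tcObject      byte   = 0x73
	tcClassDesc   byte   = 0x72
)

// ClassDescPrefix holds the fields of a TC_CLASSDESC up to its field count.
// Hypothetical type for this example; ZKar's serz package has its own structs.
type ClassDescPrefix struct {
	ClassName        string
	SerialVersionUID uint64
	Flags            byte
	FieldCount       uint16
}

// SampleStream is a constructed stream prefix, not captured from a real application:
// header, TC_OBJECT, TC_CLASSDESC, class name "java.util.HashMap", a made-up
// serialVersionUID, flags SC_WRITE_METHOD|SC_SERIALIZABLE (0x03) and 2 fields.
var SampleStream = []byte{
	0xAC, 0xED, 0x00, 0x05, // STREAM_MAGIC, STREAM_VERSION
	0x73,                   // TC_OBJECT
	0x72,                   // TC_CLASSDESC
	0x00, 0x11, 'j', 'a', 'v', 'a', '.', 'u', 't', 'i', 'l', '.', 'H', 'a', 's', 'h', 'M', 'a', 'p',
	0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, // serialVersionUID (constructed value)
	0x03,       // classDescFlags
	0x00, 0x02, // field count
}

// ParseObjectPrefix validates the stream header and, when the first content element
// is TC_OBJECT followed by an inline TC_CLASSDESC, returns that descriptor's prefix.
// It stops at the field list on purpose: a full parser such as ZKar must also handle
// field descriptors, TC_REFERENCE back-references, TC_PROXYCLASSDESC, class
// annotations, the super-class chain and block data. The class name it recovers is
// what a defender would log or match against a deny-list before any JVM touches the data.
func ParseObjectPrefix(data []byte) (*ClassDescPrefix, error) {
	r := bytes.NewReader(data)
	var magic, version uint16
	if err := binary.Read(r, binary.BigEndian, &magic); err != nil {
		return nil, fmt.Errorf("short stream: %w", err)
	}
	if err := binary.Read(r, binary.BigEndian, &version); err != nil {
		return nil, fmt.Errorf("short stream: %w", err)
	}
	if magic != streamMagic || version != streamVersion {
		return nil, fmt.Errorf("not a Java serialization stream: magic=0x%04x version=%d", magic, version)
	}
	tc, err := r.ReadByte()
	if err != nil || tc != tcObject {
		return nil, fmt.Errorf("expected TC_OBJECT, got 0x%02x (err=%v)", tc, err)
	}
	if tc, err = r.ReadByte(); err != nil || tc != tcClassDesc {
		return nil, fmt.Errorf("expected inline TC_CLASSDESC, got 0x%02x (err=%v)", tc, err)
	}
	// className is a Java "UTF" string: 2-byte big-endian length followed by modified
	// UTF-8 bytes; this example assumes ASCII class names, where byte length == rune count.
	var nameLen uint16
	if err := binary.Read(r, binary.BigEndian, &nameLen); err != nil {
		return nil, err
	}
	name := make([]byte, nameLen)
	if _, err := io.ReadFull(r, name); err != nil {
		return nil, fmt.Errorf("truncated class name: %w", err)
	}
	desc := &ClassDescPrefix{ClassName: string(name)}
	if err := binary.Read(r, binary.BigEndian, &desc.SerialVersionUID); err != nil {
		return nil, err
	}
	if desc.Flags, err = r.ReadByte(); err != nil {
		return nil, err
	}
	if err := binary.Read(r, binary.BigEndian, &desc.FieldCount); err != nil {
		return nil, err
	}
	return desc, nil
}

// ToBytes re-encodes the prefix in wire format, mirroring what a rebuild step does
// with a parsed struct.
func (c *ClassDescPrefix) ToBytes() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, streamMagic)
	binary.Write(&buf, binary.BigEndian, streamVersion)
	buf.WriteByte(tcObject)
	buf.WriteByte(tcClassDesc)
	binary.Write(&buf, binary.BigEndian, uint16(len(c.ClassName)))
	buf.WriteString(c.ClassName)
	binary.Write(&buf, binary.BigEndian, c.SerialVersionUID)
	buf.WriteByte(c.Flags)
	binary.Write(&buf, binary.BigEndian, c.FieldCount)
	return buf.Bytes()
}

// RoundTripOK is the parse-then-rebuild check: true only when re-encoding the parsed
// struct reproduces the input bytes exactly.
func RoundTripOK(data []byte) (bool, error) {
	desc, err := ParseObjectPrefix(data)
	if err != nil {
		return false, err
	}
	return bytes.Equal(desc.ToBytes(), data), nil
}

func main() {
	desc, err := ParseObjectPrefix(SampleStream)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	ok, _ := RoundTripOK(SampleStream)
	fmt.Printf("class=%s uid=0x%016x flags=0x%02x fields=%d roundtrip=%v\n",
		desc.ClassName, desc.SerialVersionUID, desc.Flags, desc.FieldCount, ok)
}
```

Feeding the function something that is not a serialization stream (an HTTP request line, for instance) fails at the magic check, which is the cheap first test a gateway or log pipeline can apply before handing suspicious input to a full parser.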

šŸ“ TODO

  • Java bytecode parser and generator
  • JDK/JRE 8u20 gadget support
  • Serialization payload generator
  • An implementation of RMI/LDAP in Go

āš–ļø License

ZKar is released under the MIT license. See LICENSE.

👀 See Also

  • SerializationDumper: A tool to dump and rebuild Java serialization streams and Java RMI packet contents in a more human readable form.
  • ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  • Java-Deserialization-Cheat-Sheet: A cheat sheet about Java deserialization vulnerabilities.