we have just released EnumJavaLibs to perform java classes enumeration against java services.
To discover a deserialization vulnerability is often easy. When source code is available, it comes down to finding calls to readObject() and finding a way for user input to reach that function. In case we donâ??t have source code available, we can spot serialized objects on the wire by looking for binary blobs or base64 encoded objects (recognized by â??rO0..â??). The hard part comes with exploitation. Sure you can throw all exploits from ysoserial at it and hope for the best, but if it doesnâ??t work there are not much other things you can try.
The big piece of information which is missing at this point, is information about the classpath of the remote application. If we know what libraries are loaded, we might be able to construct a gadget chain (or adjust the existing ysoserial exploit to match the version of the library on the remote application, for example). Thatâ??s where the idea of EnumJavaLibs came from: just let it deserialize arbitrary objects from different (popular) 3rd party java libraries. More specifically:
– Create a local database of the most common Java libraries
– For each of these libraries, find a class that is serializable
– Create an instance of this object, serialize it, and send it to the remote application
– If we get a ClassNotFoundException back, we know the library is not on the classpath
At Redtimmy Sec we have released the code of this project on GitHub, together with a tool that can build a database of libraries (JavaClassDB.py).
You can download the pre-compiled version from: https://github.com/redtimmy/EnumJavaLibs/raw/master/bin/EnumJavaLibs.jar
The source code is instead over here -> https://github.com/redtimmy/EnumJavaLibs
A wider description of how the tool works in our blog -> https://www.redtimmy.com/uncategorized/remote-java-classpath-enumeration