Practical Serialization Attacks

hello gran I'm Nikki blue and I'm sad it's talking about practical serialization attacks I am imagine security consultant NCC group have been out for about five and a half years now an X software developer ran all kinds of software from desktop applications to web web stuff to games ICS stuff I think of myself as a as a hacker I like to solve problems I like to break stuff build stuff I like to build stuff to break stuff outside of work and technology and always kind of stuff I'm a hacker rock climb I might look look it but I am and I am next to DB on the internet so Twitter and so on so stuff hands up if you would know what

to do with that bucket if you saw a packet during a application assessment would you know what to do with it cool so start with quick story and I went to customer site to do a web application assessment and and when I rocks up on site they said you need this version of Java that that's a bit strange for a web application assessment okay so I figured it might be a Java and the client application that communicates over HTTP so I got a VM built corrupt version of Java on there and well as a way of logging credentials from the customer I stopped playing around with the application submit some false credentials to Evernote what what

happened I saw a bit of traffic flow and fruit verb sweet but everything then seams were going through there so so a couple of login attempts an application responded and said something like I can't blocks out or whatever and sign up a bit strange so fired up by a shark and said some one of these logging requests to see what was happening and any login attempts that I submitted ended up and with a packet similar to the one I just showed you and traversing the network so it was actually a job applications served by HTTP page nothing else was and had anything to do a web application assessment so but packet I just showed you was a dummy logging

packet so I submitted just random credentials and they in the application and actually led to the discovery of a vulnerability that's had survived multiple previous pen tests and allowed me to access a server that's for the most part looked but he was raw secured on the outside but on the inside was well the server in the old whole environment was weak insecure but not server managed to jump around the entire supporting infrastructure I think I had access to certain twenty or thirty servers multiple datacenters the drop between their pre part of the blood environments at the UNIX admins running around going crazy going what are you doing I think my sides have booked it up

a bit there but and I would have missed that vulnerability as well I survived multiple previous pen test I would have missed that one ability as well quite a bit of exposure so Java sterilization because in some bits of research over the last few years and so soon as I saw that packet I recognized it straight away and I knew exactly what was going to do and and I saw putting together some scripts and attacking that application and I saw about half an hour think it took well together I'd really the first server from there or could basically jump around the whole whole network and I can actually read raw serialization by hex bytes because

of lots of that looks of it that many times and manually decoding that in debugging so obviously that packet I showed you contains serialize Java data and the goal is start today is to help improve your understanding of Java d serialization firm abilities lower the bar to attacking these vulnerabilities and so help you to recognize essentially the vulnerable targets and then use existing tools to enumerate and attack these targets first I should probably say about this is that practical doesn't mean by and click generally attacks against serialization more evolved than the Nova coming for nobility classes and but with the right tools and knowledge the complexity should be similar to manual SQL injection so you've got to

put a bit of work in to to exploit the target but the real worlds are quite significant so we can often get remote command execution using serialization attacks so it's absolutely important to understand how serious a ssin works in order to attack it so we start off with a bit of key background information briefly serialization is the process of converting one-time program dates are variables objects in some program into a format that can be stored or transmitted so into a byte stream or various different formats and the reverse process do sterilization converts records are stored on disk or a database or network packets back into in memory variables and objects the more complex the data structures are so if we've got

we're using a language that supports object-oriented programming the more complex the serialization process needs to be to be able to turn arbitrary data structures into by extremum back and the more complex the serialization process is the more scope the for school name and bond abilities things to go wrong it's no fixed bar map for serialize data data and you know you can serialize data into simple text formats such as JSON and XML binary farmer or you can use a lot of higher-level languages have a built in format and built-in civilization functionality for this start we're going to focus on Java's built-in serialization just keep things simple but the high-level concepts same kind of ideas and do apply

to although technologies such as PHP so in Java but I'd say realizations dead easy to use if you want to if you create class and your Java program and you want cost to be serializable simply implement implement the interface Java dot IO dot serializable you have to do anything more you can then pass that object to object output stream dot write object and it will serialize it into a byte stream whether that's going to a file and over the network whatever and then to get that object back to deserialize it you call object to input streams up read objects and you can get those bytes convert them back into a one-time objects the actual data format can be

described as a simple stream farmer consists are starts off with a see byte magic number hex a CEB should be a start of any civilization stream that's followed by a 2-bike version number and I've always seen version 5 there might be older versions and future there might be new versions and then following that there is at least one content element the first byte of a Content element tells us the type of the content Hellman and the from site we can infer the structure of the data that follows in the stream there can be more content elements and and you can continue reading depending on how you're reading that serialize data Java Mac can might keep reading

that day until it hits the end of streaming and thus the return the result and the various there are various types of content elements so for example null which is nothing so if you have a class description and it's not got a superclass then you might see an old console element for the superclass object array so on and I said the first byte tells us the format of the date of the follows the serialization protocol can be found at the specification at the farm it can be found online on the Oracle website but it's a bit unclear in places so got some examples to show you what serialize Java do you can look like first one is a minimal stream so we've

got the a CED they so the serialization header 0 0 0 5 which is a version number and then 7 0 which is no string AAA this time by 5 is 7 4 which is a string constant element and the next two bytes are the length of the string so 4 and then the string bytes and then set themselves and they've got simple objects and the objects has no properties so that the data in upstream 73 is an object 7-series a class description we've got the length of the class name the class name itself serial version UID and there's some other things like cross description flags and super class so in Java we deserialize objects using the java dot io object

input stream class date so that's passed to this cross and is our sequentially so with each bite one by one theta is instantiated instantly so if there is an object element in the stream as soon as the as soon as Java gets to the end of that object objects data it will instantiate that objects in memory and there's little to no validation them so validation is essentially handled by exceptions so if for example we we want to read a string objects from a stream we can do objects input stream reader Jets cast that to a string and then assign that to a string variable if the objects returned by read objects cannot be cast so a string I said exception

will be thrown their cost cast cast exception so that's where validation happens but at this point read object read objects is already read the bytes from the stream instantiated that objects in memory and then that's the point where generally our payload has already executed if we make a class serializable by implement in the serializable interface we can provide a read object method and that can be used in place of Java's default read objects or it can be used alongside it so you can for example use your own read object method to implement backwards compatibility with different versions of the same data for different versions your application but we can use that essentially to handle the the object

loaded event so given class implements serializable we have a read object method and we can handle the event that an object of that type is loaded into memory an example use of that might be cross that manages database connectivity and interaction with a database we could serialize it to save the day best connection settings and then deserialize it and at that time we might use read objects to establish a connection to the database automatically so gonna bail is this serialization vulnerabilities occur when we as an attacker control the date has being deserialized that allows us to control the properties of the objects being deserialized or even the type of the objects being deserialized or instantiated but controlling that date

sir we control we can potentially control the flow of code that uses that data so if there's an if statement that is based on the based on the property of an object that's deserialized we can control the outcome of that if statement which branch it takes so we can control code that's is within the serializable that read object method that we implement on a class and we can control code potentially the interrupts will be loaded object so if a program calls objects inputstreamreader yet uses that return value in some way we can potentially control that code there so exploitation of detail ization biroba is known as how expire by controlling properties of objects and using that to manipulate the flow of

execution of code is called property oriented programming a payload consists of objects properties of objects that's control adjusting code and that's something that seems to tripoli block with the sterilization vulnerability is we're not providing cold to the target to execute we're providing properties that manipulate the code already exists so the code that we control is known as a pop gadget a property oriented programming gadget and it's just a snippet of code that we can control through the properties of an object and you can think of it like a high-level rock gadget but instead of just pushing a value to a stuck we might have a budget that rights they are we control to a file

we might not control a file name so generally say we brought gadgets we multiple to create a football x-play so we might need another gadget it's going to rename a file or move a file exploitation relies on knowledge of the source code if we don't know what source codes there we don't know how we communicate it how do we attack serialization vulnerabilities without source code there's a tool why so serial have you know much anything about Java D serialization fun abilities and attacking them then you're a pair of it so there are lots of libraries that are out there if you develop in a big application you don't want to be reinventing the wheel so use existing

libraries that do whatever you need to do and but those libraries are obviously obviously containing code and we know what code is so why saw serial has a lot of pop gadget chains that work for common libraries nice amazing so for attacking serialization vulnerabilities and most of the payloads not all of them but most of them lead to blind command execution we're going to focus on those payloads for this talk so the background information covered off let's have a look at how we attack serialization first thing we need three things two main things but we're gonna talk about three to attack serialization first thing we need is an entry point we need to know where we can provide data

to the application so that the application would be sterilize it and rescue a payload we need pop gadgets pop gadget chains that the application is aware of so that we can manipulate those to do something advantageous and because we're looking at blind command execution we need appropriate commands it's much skew on the target so the enterprise could be any part of the application that deserialize is data if we have access to source code then we can look for things like objects inputs dreamed up read objects go up first serializable classes in the read objects methods and look at what code is in those methods are around that code if we're looking at the application from a

blackbox perspective then we can look for the serialization header sort of ice a CED zero zero zero five followed by a bytes in the range hex 7 0 to 17 so here we've got an example of some data that's obviously binary data in burp suite switch over to the hex view and we can see a c e d 0 0 0 5 7 3 again Wireshark TCP packet AC e d0 0 0 5 7 3 sex mate protocols and formats so just say HTTP and XML could also rupp serialized data and but they're more likely to basically throwing Kove the data because it's binary it's a binary farmer and but that also generates a recognizable pattern so

we're looking at basics prone coded data we see low case are ok so 0 up case a B X and that's the serialization header so there are other hints and indicators that we can use so identify Java serialization if we look at suspected serialize data in a text our ask you view then there are various strings that should stand out the first and most obvious Java cross names Java dot line got objects come top feeder and so on they might also be in an alternative form and that's just that's the serialization protocol and the specification where they where they use sometimes need this format and begins when capital L and ends with a semicolon and instead of that's between the

namespace parts and the class name we've got four slashes and we've also got the strings s are exp they appear just again as a side effects of the serialization format so s are commonly appears like that that means we've got essentially an object content element followed by a class description content element so you'll see you'll see this by its seven three seven two which is sr XP similar so a class description can have annotations and they must end with a and block data content element which is the X and then if the class has no super class we'll have a null content element that selasa P so we go back to that login packet we can see

those indicators so we've got string s our Java dot Lancashire Java doc blank number and we've got X P well there's one thing missing in this packet we don't have this serialization header and so that first the first part of the packet there seven nine that's a reset content element so in a serialization stream certain concert elements how I resigned to handle so we I was stringing for example in a consonant in a civilization stream that string might be repeated throughout the stream and other parts of the stream for whatever reason there's no reason on it and it's easier to assign that string a handle and then later on if you need to seize a

string you have a reference to that that original instance and so the first handle that gets assigned to an element that has a handle as a specific value 70000 zero and then each each one has that incremented by one the reset element resets that counselor that handle value back to the default it's just basically it's like saying start a new stream here that's followed by 73 which is an object 7c which is a class description but the important point is you might not see the serialization header and the story that started off with but client out an IDs in place which looked for serialization attacks missed everything that I did because it was looking for this in the same packet

as it was looking for the payload objects so we've identified an application that's using serialization and so it's the next thing that we need to do is work up where we can inject our payload into that stream so a simple case is we have the serialization header followed by a byte in their range X 7 0 0 7 6 or X 7 bisa 7e and those by those C ranges are the content types that Java can when you call object input stream that read objects so there are things like no can be returned reference and a string an object a class description things fall in those those ranges and if you call object input stream not read

objects and any of those exists in the stream at that point the current offset they'll be read as on objects what that means is we can inject an arbitrary objects in so stream in that location and that will be read as an object so we can infer kind of reverse ooh further that offset will be read as an object so comment also save it start the stream instead of one of the backs listed there we might have a what data or what gates a long element so we'll have the serialization header followed by one of the two either hex 77 and then a single byte that represents the length of the block data and then that many bytes of

data similarly 7 a for blood day along which has a 4 byte length field followed by that many bytes of data if that is then followed by byte and one of these ranges but is that we can inject payloader that at the offset of that a byte so here we can see an example with a block data element and start so we've got seven seven zero eight we've got the bytes 1 1 2 2 so on and then that's followed by 7 3 which is an object so we can inject a payload at that offset but what about more complex cases we're basically this is why I said I've read I can read sex-role serialized data

because I've spent loads of time I've answered decode things and debug things I've done it that many times I wrote a tool that will do it for me now and so what we can do with serialization dumping I'm releasing this I've got the link at the end of the slides released it sorry yeah we can pass the raw hex bikes of a serialization stream to serialization don't put a doctor I don't what in accordance with the civilization civilization Parma specification doesn't pass everything at the minute it passes everything I've needed to pass that let's say decode and which should do for most cases and but you can see there it's dumps out we've got a TC string

element TC know TC reference all of those ups offsets in the stream can be replaced with an arbitrary object I payload and provided the application that reads the state sir calls read objects to read those then we can ask you a payload one thing to note there is you can take the hex values that were dumped out by serialization dumper I'm rebuilt the stream from them except you need to ignore the new handle lines because that's the handle value that was assigned to that string so we can see their string with handle value 7000 0 0 and then a reference that references that string sets of put Fe 0 0 that should be 7e at the bottom and so what

we can do with that is we can bus up I talk of serious data we've seen passed around by some application decode it work out if there is a content element of so things like TC string where the byte that tells us the type of the concept I want is in the range seven zero two seven six or seven beats 70 and we can replace that element in the stream send that at the target and it should attempt to deserialize it as an object so record entry point we were to identify entry points we need to find some pop gadgets that we can use to find gadgets like said before we need to know really access to source code we can

review read object methods code around read objects work out what that code does with with the day and it's read from the stream but it's not very practical doing that and we don't might not obvious always have the sauce cold so and yeah we're going to we're going to use essentially and I saw cereal look that's how I get common libraries and so the first thing that we need to do is work out what libraries are there what libraries can we can we attack because they're alive why so I saw sales payloads for maybe 15 or 20 libraries or 15 or 20 different payloads and when it's work out which libraries are the application uses so

ideally we've got we'll use background knowledge or an information disclosure issue to identify libraries that we can use and then if that fails we can catch and sync it we can throw everything but the kitchen sink okay so we know what libraries are available to the tag application we know what gadget chains we can use so this is a partial mapping of Java file names of libraries to Y source aerial pop gadget chains so comes collections - for old jar we can tap that with the white sauce aerial payload comes questions for and so on um there are some overlaps in white sauce serial payloads so for example is a commons bean utils payload that relies on and

outdated come into collections library in order to attack that in order to exploit that by generator to get command execution so we might as well just use the comments collections payload in that case so kitchen sink in this is step at a Python that I've used a few times in attacking these these kind of vulnerabilities essentially just got a list of Y source aerial command execution and gadget chains we call Y source aerial we have a given command payload command generate the bikes and then we pass those on so function fire payload which is implement it in whatever way needed needed to deliver that payload so target first and that should say about that is that kitchen

sink approach is since the risky there's always a risk of triggering an unhandled exception and Saiga application which my crush the target in practice it's unlikely that we're going to do that because even an nmap version scam would crush the target and all this malformed data and I've never come across anything that one stable but if we scan a box and we not not service over you probably gonna knock it over again if you try this kind of attack against it it goes well saying that throwing all possible payload types at target is noisy it's going to lead to more log entries being generated obviously a lot more network traffic then then just tuck in a

specific library and then the other issue is that these command execution payloads are blind we don't get any command output back when we execute one of these payloads so how do we know that those pop gadgets and chains a available say application which ones are available we run all possible payloads I the application the target how do we know that the actual command we're trying to execute is available so ideally we need some feedback from the target so one option and common option option is to try and ping our own machine mono network traffic to verify whether a payload that the payload command S cubed remember to limit the ping count if you do that at the server pinion and pinion

and pinion and because I spoke at my scripts at the first time well the data again and the server was going nuts pinging me and then it was Sallisaw processes it were just constantly pinging my box

so a better option is actually send an invalid command with all possible gutter chains if the application responds with exceptions which I've found that to be the case I think every time I've come across this kind of stuff we can tell whether the payload works so we get Javadoc Languedoc run time through an exception in Java the IOLTA i/o exception cannot run program the tag application is attempted to run that program it doesn't exist on the target system it's thrown exception alternatively we find if we get a class not found exception coming back generally telling us that's one of the classes used by our gadget chain doesn't exist on the server side it's not present for it's not available to the

application it's not on the cross puff and so that entire gadget chain we can disregard it it's probably not not going to be not gonna get us anywhere so that we've got entry point we've got pop gadgets we need some fellow commands execute ideally we want to get from blind RCE to a shell so we can interrupt with a machine and and gain favour access to the to the server our environment so first thing that we might do is enumerate commands that are available and again we can use same technique kind of run program if we try to execute whatever we get and we get that back then we've not got W get as a

as a central command there are some limitations with the whites or serial RCE gadgets because they use java dot Languedoc runtime that exec with a single string parameter so we can't have white space in command promises so the /a c users is fine this we've got c colon slash documents and settings in double quotes but the way that Javadoc Languedoc runtime splits that command string up means those the separate parts and look being separate parameters so more actually work there's also no shell operator support so we can't pipe output from one command to another we can't redirect outputs or fail or from a fail so some common commands expect some people most people should be

aware of these kind of commands it might use in a unix linux environment knockout showers that are you getting a payload from somewhere and executing that and it's also worth testing for the presence of interpreters perl python they're going to if we can W get a script from somewhere than those those interpreters might be useful windows we might do a copy command a Windows File share its a copy a shell and we might also be able to use that so capture hashes but even better than that and there's a command encoder online that's will basically take arbitrary bash commands PowerShell - perl and encode it such that it doesn't use um shell operators and the

parameters to the command don't contain spaces so we can use whatever we want basically so using a basis for encoding for example that can be really powerful in attacking these with more complex commands so that's everything that we need to execute a serialization attack we will look at some examples now so first one Spring Framework and specifically spring frameworks AC to be remoting this technology allows us to access exposed arbitrary Java crosses over hayseeds piece of our barbeque Java objects and it just does magic in the background so I you can basically just just call a method on it on an object and it will spring we'll do some some work in the background to send that over the network

of HTTP its facilitate facilitated by a remote invocation class which which is part of the Spring Framework it's like say when a client application makes it calls a method on an object's that uses spring cases to be remoting and by client application we haven't seen Spring Framework will generate a pasty to post request send that sort of server decode that request made the rule method coil and then send back a response that's where it looks like Java serialization so Spring Framework say realizes this remote invocation object puts in the body of a hayseed post request sends it to the server and that's an entry point for attack so this scripts and well will will attack that using a kitchen sink method

cherry it's all my source aerial payloads puts the whole payload into the body of a HTTP POST request and then looks further costs not found exception and it also was whether that pop got to chain appears to be vulnerable or not this be present Hana so if we run that script again an application using spring Haiti's few remote in its runnable then we'll get our CA what they shouldn't happen applications that deserialize data should validate the type of the day being deserialized so spring framework remote saying expects me to send a remote invocation object to it what I actually sent in this case was a hash step which isn't compatible with a remote invocation so when spring framework PC realizes

this hash that objects then gets returned and spring framework attempts to cast so remote except remote invocation objects at that plane an exception is triggered and exception response is sent back to there so the cryin and nothing else happens on the server side that happens obviously after the objects been deserialized payload is executed we're also happens before that payload ever reaches the application that usually spring AC to be remoting so if you're a developer using spring remote sing you won't ever see that payload and but according to David Saul who makes Spring Framework that's not an issue whispering framework and they refuse to fix it one of the security team has a CBE for a

similar vulnerability in jboss and I actually spoke to that member of their security team about this issue and he said it's not our problem even though an application developer using this won't see the payload to do anything about it so whatever another example case study Acme money obviously it's not called Acme money but I can't talk about this one can't reveal the details this one yet because these are trying to fix it so that login packet from the start obviously that's our entry point the exploit was bit more involved this time but still easily done so after respited thought serialization data in the login packet and I didn't see the serialization header a CED so on so a

course application down completely stared at Wireshark star new packet capture fired the application back up to see what was going on and following the CCP stream in Wireshark showed me this which was everything that I needed to know so first thing we've got here serialization series like serialization header followed by 77 which is a block data element 2 which is the length of the block and then 0 0 0 0 which is the data in that block and we get this data coming back from the server two pockets come back first as a serialization had a second one has an object coming from the server next one that goes out to the server is a

serialized object seven three seven series across description that's everything that I needed to attack the application so this is the exploit script we start off we send the first packet that just show just so a CED so on I did notice every time I did a packet capture this and that packet was same every single time so I made it easier and then receive two packets back from the server let's see that I showed you and I don't care what they are don't care about them so I'll just chuck them away once we received them and then send the payload so this is just a fire payload method that is part of that script I showed earlier so this method

receives a sterilized payload using one of the white sorcery or gadget chains and the reason for the for : in square brackets is that in this case we go back here we've got the serialization had already been sent to the server that should only ever exist once in a serialization stream and the payload generated by Weiss or serial as past to fire payload contains that serialization serialization header so the for : just skipped over that and it sends the rest of the payload and this then in the second packet that we sent to the server so um as we've spring remoting found that the underlying application didn't care if I sent it for example a Java

high set rather than Java dot Lancashire which is why expected you can see there no bottom packet that string Java doc Lancashire it didn't care that I sent it a different type of objects and it's still be sterilizers at an instantiated object in our sunday.and so using a brute force crypto just showed you identified that we use in Commons collections three points epoch one which is one on super vulnerable are to facilitate remote commanders command execution through DC realization so it did a quick test with a ping command and ended up with a few thousand things hitting me because I forgot to set a limit and yeah so so this point I've proved that I'm executing commands on

the server so essentially um but I thought this was quite an interesting example of what you can achieve with these guns are vulnerabilities so we're kind of carry on with the story and obviously I wanted to get from executing commands to obviously having a and interrupts of shell on the box or can do more trainers escalating for religious well this proved fiddly because I didn't have access to any of these commands I did see that pearl was available but honestly at the time I did this I wasn't aware of the payload encoder that I showed earlier so as far as I was aware I with pearl avoidance again say say if I went to do a reverse shell one-liner I

need to use the cold use space socket so I can't actually do that so I ignored that food sign beam and I eventually found that the TFTP command was available on the server so there's a nice little library Python IOB TFT pie run that TFTP server that gave me access to the filesystem on the server I was able to download files upload files so he lorded apparel reversed shelf of the box and it turns out though it was a a IX box which obviously it's the only one I've ever actually encountered and but wanted more so I only had a low privileged user shell there and fortunately most people don't prioritize operating system updates so there was a

nice local privilege escalate escalation except that it was written in seek and the necessary build tools and libraries weren't available on the box so I ended up rewriting that play simple which was horrendous but it was worth it because I got root on that box and that allowed me to jump around the entire infrastructure had I was jumping between data centers between pre prod and prod so raise your hand now if you think that you would know what to do if you saw that packet from the start that's definitely an improvement awesome so let's say we can make it a bit more practical so first thing I've got is a piping script which is essentially what

the snippets were that I was showing which automates some of the things I've been talking about so serial grouped up by and the scripts can automate the process of delivering the various y source Ariel RC e gadget chains to a target by either replaying CCP conversation and in jets in the pack they payload location you specify or by replaying HTTP requests there's actually a burp suite plug-in freely available that and does this stuff HTTP so that might be a bit easier in those cases and but I regularly use their iterating through different payloads for TCP conversations I also looks at the response data that comes back from target if there is any and it looks for

class not found exception and the IO exception that tells us whether payload gadget chains are useless or whether the commands didn't exist on the server yes by no means a robust attack saw it's just add a script that I've used fair few times and it can only handle simple protocols so for example if there's a session sent back from the server and you need to use our session in subsequent requests it's it can't handle that but there is also Sarah Brut sharland the pack which basically has the same loop which calls dispatch payload you just need to implement that to deliver a payload to your application so you can do things like get a session ID back and use that

in the payload packet next and I've got is serialization thumper again some someone github and we can use this to help work out where to inject a payload by pasinetta a sample serialization stream that's used by the application target application decoder net and working out we're interested in almond sour in that stream and then lastly the sale up however you want to prance up which is basically a demo application to allow people to practice this and so run server run the client and then pop some gunk layers I'm going to attempt to do a demo so there we've got the D serialization server

this is the client so yeah shut up

we run that you can see subtext appearing on service telling was that it's received data from the claim and I think you just asked us for a name just there's no reason for a book that's for a name and then a string to hash so the server just hashes a string and send it back now you can see the result printed out so what can do is run why should I capture the packets have a look at the data that's there and see what's going on when that client-server interactions going on happening and if this loads up

hey that's gonna be horrendous so it's just however looks sooo brooken so they're down birthday dates that we can see a CED zero zero zero five so I'm we can see if it's a day of going back and forth and we get answer here you see envy that they said that hash request looks like a sterilized object so I'm just going to get rid of that for now and now what we can do with that data is we can say that whole conversation or if we stop and starve it we can take those packets say that are going outbound that's one sterilization stream the inbound stream is another if we take all the outbound packets copy the bikes and

then pass them to serialization dumper as long as we've got to start we don't have to get the end we can dump out as far as um essentially looks like a sterilization stream so quick example of that no we can see this is our four main thing that we're looking for hey we've got an object in the stream that tells us that the service going to deserialize that object at that point I gave us an app give us an idea where we can inject the payload and then hopefully this will work

so here's what I made earlier dot txt that contains the import fair serial break Oh bollocks has networks wherever right you cannot work out to do that yourselves it's on github I didn't sacrifice a go so just to conclude exploitation of serialization the tax is typically more involved than other common a tactical move owner abilities it's important to understand what's going on helps a validation works how the exploits work in order to attack these vulnerabilities offensively science Emma's SQL injection we need to understand SQL to do manual sqli exploitation is rewarding again similar to SQL I quite often get we walk come to command execution desk well I gives you the full database generally you quite often see this stuff in big in

total enterprise applications that target that I've been talking about a story I've been talking about is something I think it cost like five million to forget html5 interface for the application it's ridiculous so this kind of stuff isn't ready ready to available to just anyone's of research and pull apart that's it questions there's some references and some shameful plugs I brought an article which has a lot of information that I've spoken about today and so go and check that I have a lot give me some feedback tell me it's a lot of rubbish should be one questions cool Thanks [Applause]