CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.976 High
Percentile: 100.0%
Programmatically create hunting rules for deserialization exploitation with multiple
Rules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.
Please test thoroughly before deploying to any production systems.
The Yara rules are primarily intended for scanning web server logs. Some of the “object prefixes” are only 2 bytes long, so they can make large scans a bit slow. (Translation: please don’t drop them all into VT Retrohunt.)
Help: python3 heyserial.py -h
Examples:
python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj
python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode'
python3 heyserial.py -k Process.Start -t NETViewState -e base64 "base64+utf16le"
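As an added example (not code from the heyserial project), the following Python derives the encoded forms of the Java serialization stream header that survive any base64 alignment, the same kind of short "object prefix" the generated Yara rules look for, and runs them over constructed web-server log lines. The magic bytes are Java's documented stream header; the hosts, paths and request bodies are made up for the example.

```python
import base64
import re

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

def base64_prefixes(pattern: bytes) -> list[str]:
    """Base64 substrings that identify `pattern` regardless of where it falls
    in the encoded blob. Base64 works on 3-byte groups, so the pattern can
    start at one of three alignments; characters that also depend on unknown
    neighbouring bytes are dropped, leaving only the stable middle."""
    prefixes = []
    for k in range(3):
        # Pad with k unknown bytes in front and two behind, then keep only the
        # characters whose six bits come entirely from the pattern itself.
        encoded = base64.b64encode(b"\x00" * k + pattern + b"\x00\x00").decode()
        start = -(-8 * k // 6)                    # ceil(8k / 6)
        end = (8 * (k + len(pattern))) // 6       # floor(8(k + n) / 6)
        prefixes.append(encoded[start:end])
    return prefixes

def build_regex(pattern: bytes) -> re.Pattern:
    """One regex matching the raw bytes, the hex form (either case) and every
    base64 alignment of `pattern`."""
    alternatives = [re.escape(pattern),
                    b"(?i:" + re.escape(pattern.hex().encode()) + b")"]
    alternatives += [re.escape(p.encode()) for p in base64_prefixes(pattern)]
    return re.compile(b"|".join(alternatives))

def scan_log(lines: list[bytes], pattern: bytes = JAVA_STREAM_MAGIC) -> list[tuple[int, bytes]]:
    """Return (line number, matched form) for every line carrying the marker."""
    regex = build_regex(pattern)
    return [(n, m.group(0)) for n, line in enumerate(lines, 1)
            if (m := regex.search(line))]

# Constructed access-log lines for this example (hypothetical hosts and paths).
SAMPLE_LOG = [
    b'10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512',
    b'10.0.0.7 - - "POST /api/upload HTTP/1.1" 500 0 body=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==',
    b'10.0.0.9 - - "GET /api/load?blob=aced0005737200116a HTTP/1.1" 200 77',
    b'10.0.0.11 - - "POST /api/upload HTTP/1.1" 200 0 body=YWKs7QAFc3IAEWphdmEudXRpbC5IYXNoTWFw',
    b'10.0.0.13 - - "GET /search?q=rotate HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for n, form in scan_log(SAMPLE_LOG):
        print(f"line {n}: deserialization marker {form!r}")
```

The four-character alignment prefix is weak on its own, which is why rules built from such short prefixes are for hunting rather than blocking.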
This is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.
Usage: python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap
Examples:
python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses
YSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.
YSoSerial payload generation. Run on Linux from the ./utils directory.
Installing Snort on a Debian based system was a bit finicky for me, so I wrote my install notes here.
Use at your own risk in a VM that you have snapshotted recently.
Simple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.
Handy for generating test PCAPs.
Copyright © 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at: [package root]/LICENSE.txt Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Check out the Developers’ guide (DEVELOPERS.md) for more details on extending HeySerial!
Tools
Vulnerabilities
Talks and Write-Ups
Author: Alyssa Rahman @ramen0x3f
Created: 2021-10-27
Last Updated: 2021-12-02
Blog: <https://www.mandiant.com/resources/hunting-deserialization-exploits>
For more details on this tool and the research process behind it, check out our blog!
github.com/0xacb/viewgen
github.com/frohoff/marshalsec
github.com/frohoff/marshalsec/blob/master/marshalsec.pdf
github.com/frohoff/ysoserial
github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
github.com/mandiant/heyserial
github.com/pwntester/ysoserial.net
github.com/pwntester/ysoserial.net/tree/v2
github.com/veracode-research/rogue-jndi
github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
github.com/wh1t3p1g/ysoserial
mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/