Merge pull request #3 from phith0n/feature/jdk8u20

Supported parsing the JDK8u20 payload generated by <https://github.com/pwntester/JRE8u20_RCE_Gadget>
phith0n · Mar 18, 2022 · 3edb228 · 3edb228
2 parents f879b6b + 51183c1
commit 3edb228
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -114,14 +114,15 @@ equal to the original one.
 | URLDNS              | ysoserial | ✅     | ✅       | 21.502µs   |
 | Vaadin1             | ysoserial | ✅     | ✅       | 438.729µs  |
 | Wicket1             | ysoserial | ✅     | ✅       | 23.509µs   |
-| Jdk8u20             | pwntester | ❌     | ❌       | 312.882µs  |
+| JDK8u20*            | pwntester | ✅     | ✅       | 529.3µs    |
 
-[JDK/JRE 8u20 gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) is not supported now, I am current working on it.
+Notice: For parsing JDK8u20 payload, you should add `--jdk8u20` flag to `dump` command.
+As the payload is not a valid serialized data stream, it's necessary to tell ZKar patches the data through this flag.
 
 ## 📝 TODO
 
 - [ ] Java bytecodes parser and generator
-- [ ] JDK/JRE 8u20 Gadget supporting
+- [x] JDK/JRE 8u20 Gadget supporting
 - [ ] Serialization payloads generator
 - [ ] An implementation of RMI/LDAP in Go
 

diff --git a/main.go b/main.go
@@ -61,6 +61,13 @@ func main() {
 						Required: false,
 						Value:    false,
 					},
+					&cli.BoolFlag{
+						Name: "jdk8u20",
+						Usage: "This payload is a JDK8u20 payload generated by " +
+							"<https://github.com/pwntester/JRE8u20_RCE_Gadget>",
+						Required: false,
+						Value:    false,
+					},
 				},
 				Action: func(context *cli.Context) error {
 					var filename = context.String("file")
@@ -81,7 +88,12 @@ func main() {
 						return err
 					}
 
-					obj, err := serz.FromBytes(data)
+					var obj *serz.Serialization
+					if context.Bool("jdk8u20") {
+						obj, err = serz.FromJDK8u20Bytes(data)
+					} else {
+						obj, err = serz.FromBytes(data)
+					}
 					if err != nil {
 						log.Fatalln(err)
 						return nil

diff --git a/serz/parser.go b/serz/parser.go
@@ -51,6 +51,16 @@ func FromBytes(data []byte) (*Serialization, error) {
 	return ser, nil
 }
 
+func FromJDK8u20Bytes(data []byte) (*Serialization, error) {
+	data = bytes.Replace(
+		data,
+		[]byte{0x00, 0x7e, 0x00, 0x09},
+		[]byte{0x00, 0x7e, 0x00, 0x09, JAVA_TC_ENDBLOCKDATA},
+		1,
+	)
+	return FromBytes(data)
+}
+
 func (ois *Serialization) ToString() string {
 	var b = commons.NewPrinter()
 	b.Printf("@Magic - %s", commons.Hexify(ois.MagicNumber))
@@ -71,3 +81,13 @@ func (ois *Serialization) ToBytes() []byte {
 
 	return bs
 }
+
+func (ois *Serialization) ToJDK8u20Bytes() []byte {
+	var data = ois.ToBytes()
+	return bytes.Replace(
+		data,
+		[]byte{0x00, 0x7e, 0x00, 0x09, JAVA_TC_ENDBLOCKDATA},
+		[]byte{0x00, 0x7e, 0x00, 0x09},
+		1,
+	)
+}
diff --git a/serz/parser_test.go b/serz/parser_test.go
@@ -12,6 +12,9 @@ import (
 	"time"
 )
 
+const existsFlag = "✅"
+const notExistsFlag = "❌"
+
 func extractName(name string) string {
 	name = filepath.Base(name)
 	blocks := strings.Split(name, ".")
@@ -40,16 +43,13 @@ func TestYsoserial(t *testing.T) {
 }
 
 func TestJDK8u20(t *testing.T) {
-	// current skipped
-	t.SkipNow()
-
 	var filename = "../testcases/pwntester/JDK8u20.ser"
 	data, err := ioutil.ReadFile(filename)
 	require.Nil(t, err)
 
-	ser, err := FromBytes(data)
+	ser, err := FromJDK8u20Bytes(data)
 	require.Nilf(t, err, "an error is occurred in file %v", filename)
-	require.Truef(t, bytes.Equal(data, ser.ToBytes()), "original serz data is different from generation data in file %v", filename)
+	require.Truef(t, bytes.Equal(data, ser.ToJDK8u20Bytes()), "original serz data is different from generation data in file %v", filename)
 }
 
 func TestMain(m *testing.M) {
@@ -77,23 +77,33 @@ func TestMain(m *testing.M) {
 	fmt.Println("| Gadget | Package | Parsed | Rebuild | Parse Time |")
 	fmt.Println("|--------|--------|--------|--------|--------|")
 	for _, name := range files {
+		var isJDK8u20 = strings.Contains(name, "JDK8u20")
 		data, err := ioutil.ReadFile(name)
 		if err != nil {
 			exitCode = exitCode | 1
 			goto cleanup
 		}
 
-		parseFlag := "❌"
-		rebuildFlag := "❌"
-		start := time.Now()
-		serialization, err := FromBytes(data)
-		duration := time.Since(start)
+		var parseFlag = notExistsFlag
+		var rebuildFlag = notExistsFlag
+		var serialization *Serialization
+		var start = time.Now()
+
+		if isJDK8u20 {
+			serialization, err = FromJDK8u20Bytes(data)
+		} else {
+			serialization, err = FromBytes(data)
+		}
+
+		var duration = time.Since(start)
 
 		if err == nil {
-			parseFlag = "✅"
+			parseFlag = existsFlag
 
-			if bytes.Equal(serialization.ToBytes(), data) {
-				rebuildFlag = "✅"
+			if isJDK8u20 && bytes.Equal(serialization.ToJDK8u20Bytes(), data) {
+				rebuildFlag = existsFlag
+			} else if !isJDK8u20 && bytes.Equal(serialization.ToBytes(), data) {
+				rebuildFlag = existsFlag
 			}
 		}