jackofmosttrades / gadgetinspector

A byte code analyzer for finding deserialization gadget chains in Java applications

License: MIT License

Java 100.00%

gadgetinspector's Issues

XstreamSerializableDecider is not utilized

Hi,

XstreamDeserializationConfig.getSourceDiscovery() returns a SimpleSourceDiscovery, which still takes SimpleSerializableDecider as its decider instead of XstreamSerializableDecider. So the sources discovered might be incomplete even if I use --config xstream.

Java 11 compatibility

When running the tool against a set of jar files, the following errors are thrown when using Java 11.0.14 (Zulu). The same doesn't happen when using Java 8.

java.lang.UnsupportedOperationException
	at org.objectweb.asm.ClassVisitor.visitNestHostExperimental(ClassVisitor.java:158)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:541)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:391)
	at gadgetinspector.CallGraphDiscovery.discover(CallGraphDiscovery.java:35)
	at gadgetinspector.GadgetInspector.main(GadgetInspector.java:110)
2022-03-10 18:21:12,637 gadgetinspector.CallGraphDiscovery [ERROR] Error analyzing: gadgetinspector/Util$1.class
java.lang.UnsupportedOperationException
	at org.objectweb.asm.ClassVisitor.visitNestHostExperimental(ClassVisitor.java:158)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:541)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:391)
	at gadgetinspector.CallGraphDiscovery.discover(CallGraphDiscovery.java:35)
	at gadgetinspector.GadgetInspector.main(GadgetInspector.java:110)
2022-03-10 18:21:12,638 gadgetinspector.CallGraphDiscovery [ERROR] Error analyzing: gadgetinspector/Util.class
java.lang.UnsupportedOperationException
	at org.objectweb.asm.ClassVisitor.visitNestMemberExperimental(ClassVisitor.java:248)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:651)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:391)
	at gadgetinspector.CallGraphDiscovery.discover(CallGraphDiscovery.java:35)
	at gadgetinspector.GadgetInspector.main(GadgetInspector.java:110)

java.io.FileNotFoundException: methods.dat

Exception in thread "main" java.lang.RuntimeException: java.io.FileNotFoundException: methods.dat (No such file or directory)
at gadgetinspector.data.DataLoader.loadMethods(DataLoader.java:64)
at gadgetinspector.CallGraphDiscovery.discover(CallGraphDiscovery.java:24)
at gadgetinspector.CallGraphDiscovery.main(CallGraphDiscovery.java:266)
Caused by: java.io.FileNotFoundException: methods.dat (No such file or directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at com.google.common.io.Files$FileByteSource.openStream(Files.java:129)
at com.google.common.io.Files$FileByteSource.openStream(Files.java:119)
at com.google.common.io.ByteSource$AsCharSource.openStream(ByteSource.java:458)
at com.google.common.io.CharSource.readLines(CharSource.java:359)
at com.google.common.io.Files.readLines(Files.java:525)
at gadgetinspector.data.DataLoader.loadData(DataLoader.java:14)
at gadgetinspector.data.DataLoader.loadMethods(DataLoader.java:59)
... 2 more

Missing detection of JdbcRowSetImpl in Jackson config

It looks like gadgetinspector fails to find com/sun/rowset/JdbcRowSetImpl.setAutoCommit (which is described in the marshalsec paper) due to the fact that the getDataSourceName is not explicitly defined in JdbcRowSetImpl, but is inherited from javax/sql/rowset/BaseRowSet (which is hinted at in the inheritance map).

One other issue is that setAutoCommit accepts a boolean (instead of an L value) and should taint the first argument rather than the return value. This will fail the following check in JacksonSourceDiscovery.java:

if (method.getName().startsWith("set") && method.getDesc().matches("\\(L[^;]*;\\)V")) {
    addDiscoveredSource(new Source(method, 0));
}

I think the issue can be resolved by tainting and tracking inherited methods when creating the callgraph AND by updating JacksonSourceDiscovery.java to include the following check:

if (method.getName().startsWith("set") && Type.getArgumentTypes(method.getDesc()).length == 1) {
    addDiscoveredSource(new Source(method, 1));
}

Apologies if I'm misunderstanding something. I'm super excited about this tool and I'm interested to learn more about the inner workings.
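Added example, not code from gadgetinspector or from the issue's author: it runs the quoted descriptor regex and a one-argument check over the real `JdbcRowSetImpl` setters, and shows which class declares `getDataSourceName`. The class and helper names are hypothetical, and reflection stands in for ASM's `Type.getArgumentTypes` so the file has no dependencies.

```java
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

// Hypothetical class name; reflection is a stand-in for ASM descriptor parsing.
public class SetterSourceCheck {

    // JVM method descriptor, e.g. "(Z)V" or "(Ljava/lang/String;)V".
    static String descriptor(Method m) {
        return MethodType.methodType(m.getReturnType(), m.getParameterTypes())
                         .toMethodDescriptorString();
    }

    // The check quoted in the issue: a setter taking exactly one object-typed argument.
    static boolean regexCheck(String name, String desc) {
        return name.startsWith("set") && desc.matches("\\(L[^;]*;\\)V");
    }

    // Equivalent of the proposed check: a setter with exactly one argument of any type.
    static boolean oneArgCheck(Method m) {
        return m.getName().startsWith("set") && m.getParameterCount() == 1;
    }

    public static void main(String[] args) throws Exception {
        Class<?> impl = Class.forName("com.sun.rowset.JdbcRowSetImpl");

        // Compare both checks on the setters named in the issue.
        for (Method m : impl.getMethods()) {
            String name = m.getName();
            if (!name.equals("setAutoCommit") && !name.equals("setDataSourceName")) continue;
            String desc = descriptor(m);
            System.out.printf("%-18s %-24s regex=%-5b oneArg=%b%n",
                    name, desc, regexCheck(name, desc), oneArgCheck(m));
        }

        // Show where the getter is declared: a call graph built only from a class's
        // own declared methods will not see methods resolved on a superclass.
        Method getter = impl.getMethod("getDataSourceName");
        System.out.println("getDataSourceName declared in "
                + getter.getDeclaringClass().getName());
    }
}
```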

inspector throws exceptions on some clojure code

Clojure 1.8.0, JDK 8.

There are several exceptions being thrown in core Clojure classes, third-party classes and app classes. Here is an example; they are all roughly the same exception:

2019-08-26 14:01:46,280 gadgetinspector.PassthroughDiscovery [ERROR] Exception analyzing clojure/core/rrb_vector/rrbt/Vector
java.lang.ArrayIndexOutOfBoundsException: -1
	at java.util.ArrayList.elementData(ArrayList.java:422)
	at java.util.ArrayList.get(ArrayList.java:435)
	at gadgetinspector.TaintTrackingMethodVisitor.getStackTaint(TaintTrackingMethodVisitor.java:900)
	at gadgetinspector.PassthroughDiscovery$PassthroughDataflowMethodVisitor.visitMethodInsn(PassthroughDiscovery.java:433)
	at org.objectweb.asm.tree.MethodInsnNode.accept(MethodInsnNode.java:116)
	at org.objectweb.asm.tree.InsnList.accept(InsnList.java:145)
	at org.objectweb.asm.tree.MethodNode.accept(MethodNode.java:789)
	at org.objectweb.asm.commons.JSRInlinerAdapter.visitEnd(JSRInlinerAdapter.java:150)
	at org.objectweb.asm.ClassReader.readMethod(ClassReader.java:1278)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:679)
	at org.objectweb.asm.ClassReader.accept(ClassReader.java:391)
	at gadgetinspector.PassthroughDiscovery.calculatePassthroughDataflow(PassthroughDiscovery.java:87)
	at gadgetinspector.PassthroughDiscovery.discover(PassthroughDiscovery.java:30)
	at gadgetinspector.GadgetInspector.main(GadgetInspector.java:103)

ArrayIndexOutOfBoundsException

java.lang.ArrayIndexOutOfBoundsException: -1
        at java.util.ArrayList.elementData(ArrayList.java:422)
        at java.util.ArrayList.remove(ArrayList.java:499)
        at gadgetinspector.TaintTrackingMethodVisitor.pop(TaintTrackingMethodVisitor.java:145)
        at gadgetinspector.TaintTrackingMethodVisitor.visitVarInsn(TaintTrackingMethodVisitor.java:540)
        at org.objectweb.asm.tree.VarInsnNode.accept(VarInsnNode.java:75)
        at org.objectweb.asm.tree.InsnList.accept(InsnList.java:145)
        at org.objectweb.asm.tree.MethodNode.accept(MethodNode.java:789)
        at org.objectweb.asm.commons.JSRInlinerAdapter.visitEnd(JSRInlinerAdapter.java:150)
        at org.objectweb.asm.ClassReader.readMethod(ClassReader.java:1278)
        at org.objectweb.asm.ClassReader.accept(ClassReader.java:679)
        at org.objectweb.asm.ClassReader.accept(ClassReader.java:391)
        at gadgetinspector.PassthroughDiscovery.calculatePassthroughDataflow(PassthroughDiscovery.java:87)
        at gadgetinspector.PassthroughDiscovery.discover(PassthroughDiscovery.java:30)
        at gadgetinspector.GadgetInspector.main(GadgetInspector.java:103)
