| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fbd90e4655d628b9cd7bd85de23423a2@redtimmy.com> Date: Fri, 21 Feb 2020 17:20:05 +0100 From: Red Timmy Security <info@...timmy.com> To: fulldisclosure@...lists.org Subject: [FD] [SerialTweaker] Interactive modification of Java Serialized Objects Hi, We have just released SerialTweaker to modify Java Serialized Objects. This tool can be used for advanced Java Deserialization attacks, when existing gadget chains don't work or when there is a whitelist mechanism in place (like LookAheadDeserialization). In that case we have to work with the classes that are in the whitelist and thus accepted by the application. Instead of sending a gadget chain containing classes not familiar to the application, the idea is to modify the existing serialized objects that are used by the application during normal operations. At Red Timmy Security we have released the code of this project on GitHub. You can download the pre-compiled version from -> https://github.com/redtimmy/SerialTweaker/blob/master/bin/SerialTweaker.jar The source code is instead over here -> https://github.com/redtimmy/SerialTweaker A wider description of how the tool works in our blog -> https://www.redtimmy.com/web-application-hacking/interactive-modification-of-java-serialized-objects-with-serialtweaker/ Regards, _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists