Comments on Attack and Defense Labs: Re-visiting JAVA De-serialization: It can't get any simpler than this !!
(comment feed, 13 comments, newest first; feed last updated 2024-01-24)

Graham (Anonymous), 2013-01-16 07:04:
Hi

Can't seem to find the updated versions as mentioned above - does anyone have a current link?

Thanks

Graham

Anonymous, 2012-05-31 18:22:
You can download a copy here: http://blogs.fishsec.com/wp-content/uploads/2012/05/DSer.zip

Anonymous, 2012-03-14 01:52:
Any news about this XMLified version of DSer? I have run across a situation where the custom Java objects are very complex and any GUI help would be good.

Anonymous, 2012-01-17 20:48:
Can't wait for the updated version and thank you very much for all your work!

Manish S., 2011-12-22 14:27:
Hi Johnny,

Glad that worked. Yeah, I have been lazy not to upload the new version with the XML editing in a GUI. Feel free to distribute your version and add functionalities that would help enhance or simplify this. I'll surely upload my version. My version of the code allows the user to edit the XML with any XML editor of his/her choice. I initially used the JTextArea but ran into some issues (probably some threading issues), so I gave up on that and used an external editor instead.

Johnny (Anonymous), 2011-12-21 17:06:
Hi Manish,

Thanks for your response. I can successfully edit custom Java objects now. In addition, I implemented your idea of using XStream to edit the serialized Java object through a JTextArea each time a Java object interception occurs. It sure makes life easier and served me well for my gig.

Do you plan to release your implementation of the XStream and GUI code? If you don't have time, I can give you my copy and you can check it out or distribute it. I am sure other folks would prefer GUI editing to editing through the IRB shell.

Thanks for making and sharing DSer.

Johnny

Manish S., 2011-12-17 10:29:
Hi Johnny,
By default DSer will load any jar file from the lib folder provided with the tool. You can either load the downloaded app by creating a jar with the applet classes within it and placing it in the lib folder, or check this link for loading class files: http://goo.gl/upJnW

Anyway, if you look at the source code, the first few lines will tell you how to load the custom classes. Hope that helps.

Johnny (Anonymous), 2011-12-16 09:01:
Hi,

I am encountering a problem where the serialized Java object is a custom object. The tool obviously cannot deserialize it since the custom class file/object structure is not in memory.

So if I am assessing a Java applet, and it passes a serialized custom Java object, I can download the applet, but is there a way I can load it with the DSer tool so the DSer tool can deserialize those custom Java objects?

Thanks,
Johnny

Manish S., 2010-11-18 12:28:
@Anonymous: Chilik is my colleague :) I think you did not read through this post completely. I have credited him for helping me out :D

Also, his Burp plugin is named Belch. And definitely try it out, it is good.

Anonymous, 2010-11-18 11:10:
Check it out, Chilk tamir bleach: http://invalid-packet.blogspot.com/
It's easier and simpler than DSer.

Manish S., 2010-09-09 03:54:
Hi Svend,

Glad you liked the post.

As far as marshalling / un-marshalling is concerned, you are right, we would require the '.class' files defining the objects. Whenever you test any thick client or applets, the class files for that do exist on your machine.

The pentester needs to copy all the client jars into DSer's lib folder.

Please check this video for a short demonstration of DSer: http://andlabs.org/videos.html#attack_js

Svend Vanderveken, 2010-09-08 23:58:
Hi,

Thanks for the post.

As you point out, your examples are based on Java classes present directly in the JDK, i.e. present both on the "victim" side and on the pen tester side.

I do not know about DSer, but XStream at least is not going to be able to marshall from Java to XML without the ".class" defining the objects sent on the wire, i.e. without the class structure definition.

However, it should be possible to set up a tool that can infer a viable class definition from the object instance (but that is probably hard - and interesting :-> - work, though).

The pen tester would also need to make sure to use the same JVM version.

Cheers

lava (http://www.andlabs.org), 2010-09-08 04:09:
Great! Now it is finally simple enough for me to use it :D
Love the XML representation of objects,
makes it really easy to understand the app.