From 3a2968f8daf0a81c540a23974c52e20111f3307a Mon Sep 17 00:00:00 2001
From: Mariusz <mb@binary-offensive.com>
Date: Wed, 2 May 2018 11:39:24 +0200
Subject: [PATCH 1/4] Update java-XMLDecoder-RCE.md

---
 web/java-XMLDecoder-RCE.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/web/java-XMLDecoder-RCE.md b/web/java-XMLDecoder-RCE.md
index 09e9f3c..580e96e 100644
--- a/web/java-XMLDecoder-RCE.md
+++ b/web/java-XMLDecoder-RCE.md
@@ -78,3 +78,7 @@ Then the payload would look like:
   </void>
 </java>
 ```
+
+For more payloads and guides how to leverage **XMLDecoder** deserialization vulnerability, one can refer to following good quality sources:
+- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
+- https://github.com/o2platform/DefCon_RESTing/tree/master/Demos/_O2_Scripts/XmlEncoder%20-%20Restlet/exploits

From 942899a70482d5229ccd44ff55f2a8f8e78e622f Mon Sep 17 00:00:00 2001
From: Mariusz <mb@binary-offensive.com>
Date: Wed, 5 Sep 2018 15:02:29 +0200
Subject: [PATCH 2/4] Improved ysoserial-generator.py to offer assistance in
 finding Java interpreter

---
 web/ysoserial-generator.py | 64 ++++++++++++++++++++++++++++++++++----
 1 file changed, 58 insertions(+), 6 deletions(-)

diff --git a/web/ysoserial-generator.py b/web/ysoserial-generator.py
index 8b9ecfa..0335730 100755
--- a/web/ysoserial-generator.py
+++ b/web/ysoserial-generator.py
@@ -63,7 +63,7 @@ import re
 import sys
 import base64
 import urllib
-import commands
+import subprocess
 import argparse
 from sys import platform
 
@@ -74,6 +74,7 @@ config = {
     'debug' : True,
 
     'ysoserial-path' : '',
+    'java-path' : '',
     'command' : '',
 
     # Do not modify below ones
@@ -240,7 +241,8 @@ def generate(name, cmd):
             redir = '2>NULL_STREAM'
 
         cmd2 = processCmd(cmd, name, gadget)
-        out = shell('java -jar {ysoserial} {gadget} "{command}" {redir}'.format(
+        out = shell('"{java}" -jar "{ysoserial}" {gadget} "{command}" {redir}'.format(
+            java = config['java-path'],
             ysoserial = config['ysoserial-path'], 
             gadget = gadget, 
             command = cmd2,
@@ -284,6 +286,9 @@ def processShellCmd(cmd):
         },
     }
 
+    # Strip "2>nul" part as we switched from commands.getstatusoutput to subprocess.Popen
+    cmd = cmd.replace(" 2>NULL_STREAM", "")
+
     for k, v in replaces.items():
         if k in cmd:
             cmd = cmd.replace(k, v[config['platform']])
@@ -292,11 +297,16 @@ def processShellCmd(cmd):
 
 def shell(cmd, noOut = False):
     cmd = processShellCmd(cmd)
-    out = commands.getstatusoutput(cmd)[1]
+    out, err = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
+
+    if not out and err:
+        out = err
+
     if not noOut:
-        Logger.dbg('shell("{}") returned:\n"{}"'.format(cmd, out))
+        Logger.dbg('shell(\'{}\') returned:\n"{}"\n'.format(cmd, out))
     else:
-        Logger.dbg('shell("{}")\n'.format(cmd))
+        Logger.dbg('shell(\'{}\')\n'.format(cmd))
+
     return out
 
 def tryToFindYsoserial():
@@ -317,10 +327,32 @@ def tryToFindYsoserial():
 
     return True
 
+def tryToFindJava():
+    global config
+    if config['java-path']:
+        return True
+
+    out = shell('WHICH_COMMAND java 2>NULL_STREAM')
+    out1 = ''
+
+    if out:
+        out1 = out.split('\n')[0].strip()
+
+    if out1 and os.path.isfile(out1):
+        config['java-path'] = out1
+    else:
+        Logger.err('Could not find "java" interpreter in neither PATH nor current directory.')
+        Logger.err('Please specify where to find "java" using "-j" option.')
+        sys.exit(1)
+
+    return True
+
 def collectGadgets():
     global config
 
-    out = shell('java -jar {} --help'.format(config['ysoserial-path']))
+    out = shell('"{}" -jar "{}" --help'.format(
+        config['java-path'], config['ysoserial-path']))
+
     rex = re.compile(r'^\s+(\w+)\s+@\w+.+', re.I|re.M)
     gadgets = rex.findall(out)
     Logger.info('Available gadgets ({}): {}\n'.format(len(gadgets), ", ".join(gadgets)))
@@ -360,6 +392,7 @@ def parseOptions(argv):
     parser.add_argument('-s', '--onefile', action='store_true', help='Output every generated payload to the same file, starting from newline. Makes sense to use with base64 encoding option set (default: False).')
 
     parser.add_argument('-y', '--ysoserial', metavar='PATH', default='', help='Specifies path to ysoserial.jar file to use. If left empty, will try the one from current directory (or PATH environment variable)')
+    parser.add_argument('-j', '--java', metavar='PATH', default='', help='Specifies path to java program to use. If left empty, will try the one from current directory (or PATH environment variable)')
     
     parser.add_argument('-v', '--verbose', action='store_true', help='Display verbose output.')
     parser.add_argument('-d', '--debug', action='store_true', help='Display debug output.')
@@ -409,6 +442,25 @@ def parseOptions(argv):
     else: 
         tryToFindYsoserial()
 
+    if args.java: 
+        config['java-path'] = args.java
+    else: 
+        tryToFindJava()
+
+    ver = shell('"{}" -version'.format(config['java-path']))
+    m = re.search(r'java version "([^"]+)"', ver)
+    if m:
+        ver = "java version " + m.group(1)
+    else:
+        if '\r' in ver:
+            ver = ver.strip().split('\r\n')[0].strip()
+        else:
+            ver = ver.strip().split('\n')[0].strip()
+    Logger.info("Using {}: '{}'".format(
+        ver,
+        config['java-path']
+    ))
+
     return args
 
 def main(argv):

From 3bb258084ee97d816326fc85546d324ddd404b9a Mon Sep 17 00:00:00 2001
From: Mariusz <mb@binary-offensive.com>
Date: Wed, 5 Sep 2018 15:03:26 +0200
Subject: [PATCH 3/4] ysoserial-generator version++

---
 web/ysoserial-generator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/ysoserial-generator.py b/web/ysoserial-generator.py
index 0335730..b0ad4ca 100755
--- a/web/ysoserial-generator.py
+++ b/web/ysoserial-generator.py
@@ -67,7 +67,7 @@ import subprocess
 import argparse
 from sys import platform
 
-VERSION = '0.1'
+VERSION = '0.2'
 
 config = {
     'verbose' : True,

From 48f40097fe560df2c8863d17de1e1a28f01115a0 Mon Sep 17 00:00:00 2001
From: Mariusz <mb@binary-offensive.com>
Date: Wed, 5 Sep 2018 15:04:24 +0200
Subject: [PATCH 4/4] Added link to official ysoserial.jar in
 ysoserial-generator.py

---
 web/ysoserial-generator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/ysoserial-generator.py b/web/ysoserial-generator.py
index b0ad4ca..e6c1792 100755
--- a/web/ysoserial-generator.py
+++ b/web/ysoserial-generator.py
@@ -391,7 +391,7 @@ def parseOptions(argv):
 
     parser.add_argument('-s', '--onefile', action='store_true', help='Output every generated payload to the same file, starting from newline. Makes sense to use with base64 encoding option set (default: False).')
 
-    parser.add_argument('-y', '--ysoserial', metavar='PATH', default='', help='Specifies path to ysoserial.jar file to use. If left empty, will try the one from current directory (or PATH environment variable)')
+    parser.add_argument('-y', '--ysoserial', metavar='PATH', default='', help='Specifies path to ysoserial.jar file to use. If left empty, will try the one from current directory (or PATH environment variable). Also, you can download latest ysoserial.jar from official JitPack: https://jitpack.io/com/github/frohoff/ysoserial/master/ysoserial-master.jar')
     parser.add_argument('-j', '--java', metavar='PATH', default='', help='Specifies path to java program to use. If left empty, will try the one from current directory (or PATH environment variable)')
     
     parser.add_argument('-v', '--verbose', action='store_true', help='Display verbose output.')