Java deserialization is a convenient, easy-to-implement way to transfer complex data, which is one reason it remains so prevalent despite its well-known security risks. Demonstrating the full impact of unsafe Java deserialization is hard because an exploit depends on a specific gadget chain, that is, on particular third-party classes being present on the remote classpath. Historically this meant throwing every known gadget chain at the endpoint as a Hail Mary and, when none of them worked, struggling to write a custom exploit with almost no information about the target.
GadgetProbe is a tool for probing endpoints that consume Java serialized objects in order to identify the classes, libraries, and library versions present on the remote Java classpath. Given a wordlist of Java class names, it transmits a serialized DNS callback object for each candidate class and uses the callbacks that come back to enumerate what's lurking in the remote classpath.
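The mechanism behind this kind of probe is the order in which ObjectInputStream resolves classes: the stream names the probed class first and the callback object second, so the callback is only ever reached if the probed class descriptor resolves. The following is an added illustration written for this page, not GadgetProbe's own code. It stands in a DNS-resolving callback with a plain marker class, simulates the remote classpath with an overridden resolveClass(), and assumes a hypothetical probed class ClasspathProbeDemo$ProbeStub; it also shows the serialVersionUID check that causes a present-but-different-version class to fail with InvalidClassException before the callback runs, which is what makes version fingerprinting possible.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Set;

// Added example, not GadgetProbe's code. Demonstrates why a callback object
// placed after a probed class in one serialized graph only fires when that
// class (with a matching serialVersionUID) exists on the target.
public class ClasspathProbeDemo {

    // Hypothetical class whose presence on the target we want to learn.
    static class ProbeStub implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Stand-in for the DNS callback object. A real probe uses an object whose
    // deserialization triggers a DNS lookup; here we only record that it ran.
    static class Callback implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean fired;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            fired = true;
        }
    }

    // Probe object first, callback second, inside a single ArrayList so the
    // target needs only one readObject() call to walk the whole graph.
    static byte[] buildProbe() throws IOException {
        ArrayList<Object> graph = new ArrayList<>();
        graph.add(new ProbeStub());
        graph.add(new Callback());
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(graph);
        }
        return bos.toByteArray();
    }

    // Rewrite the serialVersionUID in the probe's class descriptor. In the
    // stream format the 8-byte UID immediately follows the UTF class name.
    static byte[] withOtherVersion(byte[] payload) {
        byte[] name = ProbeStub.class.getName().getBytes(StandardCharsets.US_ASCII);
        byte[] out = payload.clone();
        outer:
        for (int i = 0; i + name.length + 8 <= out.length; i++) {
            for (int j = 0; j < name.length; j++) {
                if (out[i + j] != name[j]) continue outer;
            }
            out[i + name.length + 7] ^= 0x7f;   // 1L becomes 126L
            return out;
        }
        throw new IllegalStateException("class descriptor not found");
    }

    // Simulated target: only JDK classes, the callback class and the names in
    // 'present' resolve; everything else behaves like a missing library class.
    static String deliver(byte[] payload, Set<String> present) throws IOException {
        Callback.fired = false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                String n = desc.getName();
                if (n.startsWith("java.") || n.equals(Callback.class.getName()) || present.contains(n)) {
                    return super.resolveClass(desc);
                }
                throw new ClassNotFoundException(n);
            }
        }) {
            in.readObject();
        } catch (ClassNotFoundException e) {
            return "no callback: class missing (" + e.getMessage() + ")";
        } catch (InvalidClassException e) {
            return "no callback: class present but serialVersionUID differs";
        }
        return Callback.fired ? "callback fired: class present, version matches" : "no callback";
    }

    public static void main(String[] args) throws IOException {
        byte[] probe = buildProbe();
        String target = ProbeStub.class.getName();
        System.out.println(deliver(probe, Set.of()));                         // missing
        System.out.println(deliver(probe, Set.of(target)));                   // present
        System.out.println(deliver(withOtherVersion(probe), Set.of(target))); // version mismatch
    }
}
```

Three outcomes are distinguishable on the target side and, in a real probe, only the first of them produces a DNS lookup: the class resolves with a matching serialVersionUID (callback reached), the class is absent (ClassNotFoundException on the first element, callback never read), or the class exists with a different serialVersionUID (InvalidClassException while initialising the class descriptor, again before the callback). Sending the same class name with several candidate serialVersionUIDs therefore narrows down the library version without ever executing a gadget chain.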
Jake Miller (OSCE, OSCP) is a Bishop Fox alumnus and former lead researcher. While at Bishop Fox, Jake was responsible for overseeing firm-wide research initiatives. He also produced award-winning research in addition to several popular hacking tools like RMIScout and GitGot.