Handy payloads for testing Java Deserialization vulnerability
GitHub project: https://github.com/topolik/ois-dos/
- Heap overflow using nested Object arrays
- Heap overflow using nested ArrayList
- Heap overflow using nested HashMap
- HashMap and Hashtable collisions attacks
Can be used to bypass blacklist protections, or whitelists that allow Object arrays, ArrayList or HashMap.
Payloads to consume 8GB of heap:
Nested Object (44 bytes):
Nested ArrayList (67 bytes):
Nested HashMap (110 bytes):
114 bytes to consume 64GB of heap (nested Object):
Short description of heap overflow attacks
In order to minimize the size of the payload I play with the "size" field of the classes and overwrite the serialized data so that the size is near Integer.MAX_VALUE, even though there are only a few entries.
During deserialization the classes allocate big arrays to be filled with values. However, it is not necessary to send all the values: OutOfMemoryError is thrown after a few nested objects.
For example, take the Object payload. Its array size field is set to ArrayList.MAX_ARRAY_SIZE = Integer.MAX_VALUE - 8. This means an array of about 2 billion pointers (each 4 bytes) => 2^31 * 4 B = 8 GB.
With 8 such Object arrays nested, the JVM allocates an 8 GB array for the root array, then reads the first nested object, which is again an array, so it allocates another 8 GB and continues to deserialize the 2nd-level array with another 8 GB, etc. Sooner or later it fails with OutOfMemoryError.
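The defence against the nested-array payloads is to reject an oversized "size" field before the array is allocated. The following is an added example, not code from the ois-dos project: a Java 9+ ObjectInputFilter that caps per-array length, nesting depth and total stream bytes in addition to an allow-list; the limits and the allowed class names are assumptions for an application whose data never needs more.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import static java.io.ObjectInputFilter.Status.*;

public class DeserializationGuard {
    static final int MAX_ARRAY = 10_000;   // assumed per-array cap
    static final int MAX_DEPTH = 5;        // assumed nesting cap
    static final long MAX_BYTES = 1 << 20; // assumed stream cap (1 MiB)
    static final Set<String> ALLOWED = Set.of("java.util.ArrayList",
            "java.util.HashMap", "java.lang.Integer", "java.lang.String", "java.lang.Object");

    // Resource limits come first: they stop a size field near Integer.MAX_VALUE
    // even when the stream names a class the allow-list permits (Object[], ArrayList, HashMap).
    static final ObjectInputFilter GUARD = info -> {
        if (info.arrayLength() > MAX_ARRAY || info.depth() > MAX_DEPTH
                || info.streamBytes() > MAX_BYTES) {
            return REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return UNDECIDED;              // non-class event (e.g. a back-reference)
        while (c.isArray()) c = c.getComponentType(); // judge arrays by their element type
        return c.isPrimitive() || ALLOWED.contains(c.getName()) ? ALLOWED_STATUS(c) : REJECTED;
    };

    private static ObjectInputFilter.Status ALLOWED_STATUS(Class<?> c) { return ALLOWED; }

    static Object readGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(GUARD); // a REJECTED status surfaces as InvalidClassException
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<Object> shallow = new ArrayList<>(List.of(1, "two", new Object[]{3}));
        System.out.println("shallow ok: " + readGuarded(serialize(shallow)));
        // Constructed test input: a legitimately built list nested 12 deep exceeds MAX_DEPTH,
        // so the filter rejects it instead of letting the stream drive allocation.
        List<Object> deep = new ArrayList<>();
        for (int i = 0; i < 12; i++) { List<Object> outer = new ArrayList<>(); outer.add(deep); deep = outer; }
        try { readGuarded(serialize(deep)); }
        catch (InvalidClassException e) { System.out.println("deep rejected: " + e.getMessage()); }
    }
}
```

The same limits can be applied process-wide with the `jdk.serialFilter` system property (e.g. `maxarray=10000;maxdepth=5;maxbytes=1048576`) instead of per stream.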
Short description of HashMap and Hashtable collision attacks
HashMap in Java 1.7, when created with initialCapacity == loadFactor, creates one and only one bucket to store all items.
Hashtable suffers from a similar condition during deserialization: it allows a negative loadFactor, so just one bucket is used to store all items.
Please use only for your pen-testing / evaluation of your products.
Reported to Oracle in 2015 with a "won't fix" response. The Hashtable negative loadFactor bug is treated as a functional bug and should be fixed in a future release.