[Tools] whysoserial-cpp PoC

Published on 2 July 2025 at 11:49

whysoserial-cpp: An Advanced C++ Implementation for Java Object Serialization Payload Generation

whysoserial-cpp is a robust C++ implementation of Java object serialization, specifically designed for generating malicious payloads. Unlike its Java counterpart, ysoserial, this C++ tool focuses on "weaponizing" serialization capabilities to exploit vulnerabilities in Java Virtual Machine (JVM) environments. As an advanced Proof of Concept (PoC), whysoserial-cpp enables security professionals to create and manipulate serialized object streams for security assessment and penetration testing purposes.

 

Purpose and Operational Mechanism

The primary objective of whysoserial-cpp is to create serialized payloads that, when deserialized by a vulnerable Java application, trigger arbitrary code execution. This is crucial in scenarios where applications handle serialized data from untrusted sources without adequate validation. The tool simulates Java's internal serialization process, allowing the injection of commands or manipulation of application logic through the creation of malformed objects or those loaded with code execution "gadgets."

 

Technical Details and Code Architecture

The core of whysoserial-cpp lies in its ability to faithfully replicate the Java object serialization format, a complex binary process that dictates how objects are converted into a byte stream and vice versa. The C++ implementation requires a deep understanding of the Java Object Serialization Stream Protocol specification.

 

The tool is structured into key components:

JavaSerialization: This module handles the constants and data types inherent to the Java serialization protocol. This includes defining type markers (TC_OBJECT, TC_CLASS, TC_STRING, TC_ARRAY), serialization flags, and the metadata structure of classes. Essentially, JavaSerialization provides the fundamental "pieces" that are assembled to construct a valid serialization stream.

 

JavaPayloadGen: This is the main class that orchestrates the construction and serialization of malicious objects in C++. JavaPayloadGen encapsulates the logic for:

  • Object and Field Creation: It simulates the instantiation of Java objects, assigning values to their fields, even if these fields are themselves complex objects.

  • Reference Management: The Java serialization protocol manages object references to prevent repeated serialization of the same instance. JavaPayloadGen must replicate this behavior to generate correct and efficient payloads.

  • String and Type Encoding: It handles the encoding of text strings (UTF) and ensures that data types (primitive and object) are correctly represented in the binary stream according to the Java specification.

  • "Gadget" Inclusion: This is where whysoserial-cpp excels. It allows the injection of deserialization "gadget" chains. A "gadget" is a sequence of method calls existing in the target application's classpath that, when triggered through a malicious deserialized object, lead to arbitrary code execution. For example, when constructing an TransformedList object from Apache Commons Collections, the tool manipulates its internal fields so that Runtime.getRuntime().exec() is invoked during deserialization.

 

This architecture ensures the compatibility of the generated payloads with target JVMs, allowing a C++ program to produce a byte stream that a JVM will interpret as a legitimate, albeit malicious, Java object.

 

Key Features and Capabilities

  • Flexible Executable Payload Generation: whysoserial-cpp offers great flexibility for command execution. It can generate payloads that execute direct operating system commands, such as cmd /c calc on Windows or whoami on Unix-like systems. Furthermore, it supports advanced command encoding, for example, using -enc for PowerShell, which allows for the execution of complex and obfuscated scripts.

  • Integrated Obfuscation Techniques: To evade signature-based or heuristic detections, the tool incorporates obfuscation capabilities. This is demonstrated by the injection of special characters (\${IFS}) into commands, allowing payloads like p\${IFS}ing\${IFS}8.8.8.8 to bypass certain protections and be executed by the target system.

  • Environment Variable Manipulation: whysoserial-cpp allows the injection and use of environment variables within executed commands. A clear example is the use of \$SHELL -c 'whoami', which facilitates payload adaptation to the specific environment of the compromised server and command execution within the shell's context.

 

Latest Java Serialization Vulnerabilities (2024-2025): Attack Vectors and Exploitation

Java deserialization vulnerabilities persist as a critical threat, with new variants and attack vectors continuously being discovered in 2024 and 2025. Below is a detailed analysis of the most recent and significant flaws, focusing exclusively on their nature and exploitation potential.

 

Critical Recent Vulnerabilities

CVE-2025-24813: Apache Tomcat Critical RCE

A critical Remote Code Execution (RCE) vulnerability affects Apache Tomcat under specific conditions:

  • Incorrect configuration that allows HTTP PUT methods.

  • Session persistence enabled.

  • Presence of vulnerable libraries, such as Apache Commons Collections 3.2.1.

This flaw enables the upload of malicious serialized Java objects that are deserialized upon server restart, resulting in arbitrary code execution.

CVE-2025-25940: XML Deserialization in Visicut 2.1

Discovered in March 2025, this insecure XML deserialization vulnerability in Visicut 2.1 manifests through:

  • Insecure use of java.beans.XMLDecoder to process user-provided XML files.

  • Allows arbitrary code execution via malicious .plf files.

  • Specifically affects the loadPlfFile method in VisicutModel.java.

CVE-2025-31129: Jooby Framework

A flaw in the web framework Jooby for Java and Kotlin, discovered in March 2025:

  • The io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data.

  • CVSS Score: 8.8 (High).

  • Fixed in versions 2.17.0 (2.x) and 3.7.0 (3.x).

CVE-2025-20124: Cisco ISE Java Deserialization

Reported in February 2025, this critical vulnerability in Cisco Identity Services Engine allows:

  • Authenticated attackers to execute arbitrary commands as the root user.

  • Due to insecure deserialization in an API.

  • Exploitable with any valid administrative account, including read-only accounts.

 

Vulnerabilities in Libraries and Frameworks

Apache MINA - CVE-2024-52046

Critical vulnerability in Apache MINA, discovered in December 2024:

  • ObjectSerializationDecoder uses the native Java deserialization protocol without security checks.

  • Allows remote code execution attacks via malicious serialized data.

  • Affects versions 2.0.X, 2.1.X, and 2.2.X.

  • Requires explicit use of the IoBuffer#getObject() method.

IBM ODM - CVE-2024-22320

Java deserialization vulnerability in IBM Operational Decision Manager:

  • CVSS Score: 8.8 (High).

  • Allows unauthenticated remote attackers to execute arbitrary code.

  • Caused by insecure deserialization in certain versions of IBM ODM.

 

Fastjson and Serialization Libraries

CVE-2024-57766: MSFM Fastjson

Critical Fastjson deserialization vulnerability, discovered in January 2025:

  • CVSS Score: 9.1 (Critical).

  • Allows remote code execution and system integrity compromise.

  • Affects the system/table/editField component of MSFM.

  • Fixed in version 2025.01.01.

CVE-2024-29433: Alldata Fastjson

Vulnerability in the Fastjson component of Alldata v0.4.6:

  • Allows attackers to execute arbitrary commands via malicious data.

  • CVSS Score: 7.5.

  • No information on known countermeasures.

 

Log4j: Persistent Threat

 

Log4j continues to be a significant threat in 2024-2025, with new variants and persistent concerns.

CVE-2019-17571 (Updated in 2024)

  • CVSS Score: 9.8 (Critical).

  • SocketServer is vulnerable to untrusted data deserialization.

  • Allows remote code execution when combined with deserialization gadgets.

  • Affects Log4j versions up to 1.2.17.

New Variants

  • JMSSink in all Log4j 1.x versions is vulnerable to deserialization when the attacker has write access.

  • CVSS Score: 8.8 (High).

  • Requires write access to the Log4j configuration.

 

Trends and Attack Patterns

 

Attackers are constantly evolving their methods to exploit deserialization vulnerabilities:

WAF Evasion

Sophisticated techniques have been developed to evade Web Application Firewalls:

  • Modification of class and package names in gadget chains.

  • Obfuscation of strings used in JavaAssist.

  • Avoiding detectable patterns such as Runtime, Process, exec, shell, ysoserial.

New Exploitation Vectors

Modern techniques include:

  • Use of Xalan-J as an alternative to CommonCollections to bypass module restrictions.

  • JNDI exploitation in Apache Tomcat via BeanFactory.

  • "Rogue JNDI" techniques for reliable code execution.

Apache Parquet - CVE-2025-30065

Although initially considered a critical deserialization vulnerability, CVE-2025-30065 has limited offensive utility:

  • CVSS Score: 10.0 (Critical).

  • Only allows arbitrary class loading and constructors with a single String parameter.

  • More difficult to exploit than initially reported.

 

« 

Add comment

Comments

There are no comments yet.