Added RCE (Remote Code Execution) challenge with vulnerable Java dese…

…rialization, updated fonts, increased version to 1.1.0

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to this project will are documented in this changelog file.
 
+## [1.1.0] - 2023-09-09
+### Added
+- added RCE Deserialization challenge
+
 ## [1.0.1] - 2023-06-02
 ### Added
 - fixed macOS icon

README.md

@@ -1,21 +1,76 @@
 # ![Vulnerable Client-Server Application (VuCSA)](http://vucsa.warxim.com/img/logo.png)
 # Vulnerable Client-Server Application (VuCSA)
-Vulnerable client-server application (VuCSA) is made for learning/presenting how to perform penetration tests of non-http thick clients.
+Vulnerable client-server application (VuCSA) is made for learning/presenting
+how to perform penetration tests of non-http client-server applications.
 It is written in Java (with JavaFX graphical user interface).
 
-Currently the vulnerable application contains the following challenges:
-1. Buffer Over-read (simulated)
-2. Command Execution
-3. SQL Injection
-4. Enumeration
-5. XML
-6. Horizontal Access Control
-7. Vertical Access Control
+Currently, the vulnerable application contains the following challenges:
+
+1. **Buffer Over-read (simulated)**
+2. **Command Execution**
+3. **SQL Injection**
+4. **Enumeration**
+5. **XML**
+6. **Horizontal Access Control**
+7. **Vertical Access Control**
+8. **RCE Deserialization**
 
 If you want to know how to solve these challenges, take a look at the [PETEP website](https://petep.warxim.com/methodology/), 
 which describes how to use the open-source tool PETEP to exploit them.
 
-**Tip:** Before you start hacking, do not forget to check the data structure of messages bellow.
+**Tip 1:** Before you start hacking, do not forget to check the data structure of messages bellow. 
+When modifying the network traffic, you will probably have to consider the structure, 
+especially payload length bytes.
+
+**Tip 2:** Most of the challenges can be exploited through modification of network traffic.
+Therefore, it is recommended to use TCP proxy or process hooks for the testing.
+
+**Tip 3:** Some challenges have input validation and restrictions in place, which is common in thick clients, 
+but it does not mean that the server uses the same validation.
+
+### Buffer Over-read (simulated) Vulnerability
+In this challenge, your goal is to manipulate the network traffic between the client and the server in a way
+that leads to buffer over-read.
+
+### Command Execution Vulnerability
+Command execution challenge represents a very simple command execution vulnerability.
+The goal is to execute malicious command on the server. 
+
+### SQL Injection Vulnerability
+SQL Injection challenge contains a search input vulnerable to SQL injection, 
+but as you will soon notice, the input does not allow you to input the characters you need.
+
+### Enumeration Vulnerability
+Enumeration challenge is based on simulated login form that is not protected from enumeration.
+Will you be able to find all 5 users and guess their passwords?
+
+### XML Vulnerabilities
+In this challenge, you can find multiple XML vulnerabilities:
+- XML External Entity Attack (XXE Injection)
+- XInclude Attack
+- XML Bomb Attack
+
+### Horizontal Access Control Vulnerability
+Horizontal Access Control challenge represents document reader that allows the user to see 
+own documents and read their content. 
+The goal is to find 5 documents of other users.
+
+### Vertical Access Control Vulnerability
+Vertical Access Control challenge is based on simulated user panel, which shows basic user 
+information. The goal is to find a hidden admin functionality and check if it is possible 
+to use it as a Guest user.
+
+### RCE Deserialization Vulnerability
+RCE Deserialization vulnerability uses Java deserialization/serialization for transmitting data through the network.
+The application contains two paths that you can use to achieve remote code execution through 
+the vulnerable Java deserialization. 
+
+You can find both paths by examining the server's JAR file 
+or by looking into the [source code](vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization).
+
+The goal is to create exploits for both paths and execute malicious command on the server.
+
+**Tip:** You can use the server JAR as library to make the exploit creation easier.
 
 ## How to Run
 In order to run the vulnerable server and client, you can use one of releases on GitHub
@@ -24,6 +79,8 @@ These packages contain sh/bat scripts that will run the server and client using
 
 You need Java 11 or newer version to run VuCSA.
 
+***Note:** For Mac with ARM64 architecture (M1, M2 chips), use special build for Java 17.*
+
 ## Project Structure
 Project is divided into three modules:
 - **vucsa-common** - common functionality for both client and server (including protocol processing utilities)
@@ -38,6 +95,18 @@ Messages transmitted between server and client have the following simple format:
 
 These four parts have the following meaning:
 - **type** - type of the message (used for serialization/deserialization)
-- **target** - target handler that will receive the message 
+- **target** - target handler that will receive the message (identifier)
 - **length** - length of the payload
 - **payload** - data serialized into bytes
+
+In order to send custom payloads, you might have to update the payload length. 
+Otherwise, it will not work properly. In the [tutorial](https://petep.warxim.com/methodology/analysis/), 
+automatic script is developed to auto-fix the payload length bytes.
+
+# Tutorial (Solutions)
+Vulnerable client-server application (VuCSA) contains multiple vulnerabilities,
+which can be exploited in various ways. Official guide for exploiting these vulnerabilities
+uses open-source PEnetration TEsting Proxy (see [PETEP Methodology](https://petep.warxim.com/methodology/)).
+
+In the PETEP methodology, the whole process of exploiting the challenges is explained,
+including useful payloads.

build.gradle

@@ -4,7 +4,7 @@ plugins {
 }
 
 group 'com.warxim'
-version '1.0'
+version '1.1'
 
 repositories {
     mavenCentral()

vucsa-client/build.gradle

@@ -12,7 +12,7 @@ javafx {
 }
 
 group 'com.warxim'
-version '1.0'
+version '1.1'
 mainClassName = 'com.warxim.vucsa.client.Main'
 
 repositories {

vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationController.java

@@ -0,0 +1,78 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see <https://www.gnu.org/licenses/>.
+ */
+package com.warxim.vucsa.client.challenge.rcedeserialization;
+
+import com.warxim.vucsa.client.Bundle;
+import com.warxim.vucsa.client.challenge.ChallengeController;
+import com.warxim.vucsa.common.ChallengeConstant;
+import com.warxim.vucsa.common.message.rcedeserialization.MessageContent;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessage;
+import javafx.application.Platform;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.Initializable;
+import javafx.scene.control.TextArea;
+
+import java.net.URL;
+import java.util.ResourceBundle;
+
+/**
+ * RCE Deserialization controller handles RCE Deserialization challenge, which acts as echo server using object serialization.
+ */
+public class RceDeserializationController extends ChallengeController implements Initializable {
+    private final RceDeserializationHandler handler = new RceDeserializationHandler(this);
+
+    @FXML
+    private TextArea dataInput;
+    @FXML
+    private TextArea dataOutput;
+
+    @Override
+    public void initialize(URL location, ResourceBundle resources) {
+        initHandler();
+    }
+
+    /**
+     * Sets data to the output component
+     * @param data Output to be set
+     */
+    public void setOutput(String data) {
+        Platform.runLater(() -> dataOutput.setText(data));
+    }
+
+    /**
+     * Sends items to the server.
+     */
+    @FXML
+    private void onSendClick(ActionEvent event) {
+        var data = dataInput.getText();
+        var messageContent = new MessageContent(data);
+
+        var message = TextMessage.builder()
+                .target(ChallengeConstant.RCE_DESERIALIZATION_TARGET)
+                .content(messageContent)
+                .build();
+        sendMessage(message);
+    }
+
+    /**
+     * Initializes RCE deserialization message handler.
+     */
+    private void initHandler() {
+        Bundle.getInstance().getClientManager().registerHandler(ChallengeConstant.RCE_DESERIALIZATION_TARGET, handler);
+    }
+}

vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationHandler.java

@@ -0,0 +1,42 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see <https://www.gnu.org/licenses/>.
+ */
+package com.warxim.vucsa.client.challenge.rcedeserialization;
+
+import com.warxim.vucsa.common.connection.Connection;
+import com.warxim.vucsa.common.message.Message;
+import com.warxim.vucsa.common.message.MessageHandler;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessage;
+import lombok.RequiredArgsConstructor;
+
+/**
+ * Handler for handling messages for RCE Deserialization challenge.
+ */
+@RequiredArgsConstructor
+public class RceDeserializationHandler implements MessageHandler {
+    private final RceDeserializationController controller;
+
+    @Override
+    public boolean supports(Message message) {
+        return message instanceof TextMessage;
+    }
+
+    @Override
+    public boolean handleMessage(Connection connection, Message message) {
+        controller.setOutput(((TextMessage) message).getContent().getText());
+        return true;
+    }
+}

vucsa-client/src/main/java/com/warxim/vucsa/client/gui/controller/ApplicationController.java

@@ -19,6 +19,7 @@
 import com.warxim.vucsa.client.Bundle;
 import com.warxim.vucsa.client.challenge.commandexecution.CommandExecutionController;
 import com.warxim.vucsa.client.challenge.enumeration.EnumerationController;
+import com.warxim.vucsa.client.challenge.rcedeserialization.RceDeserializationController;
 import com.warxim.vucsa.client.challenge.verticalaccesscontrol.VerticalAccessControlController;
 import com.warxim.vucsa.client.challenge.ChallengeController;
 import com.warxim.vucsa.client.challenge.ChallengeWrapper;
@@ -191,5 +192,10 @@ private void initChallengeTabs() {
                 "/fxml/challenge/verticalaccesscontrol/VerticalAccessControlTab.fxml",
                 new VerticalAccessControlController(),
                 ++tabOrder);
+        initChallengeTab(
+                "RCE Deserialization",
+                "/fxml/challenge/rcedeserialization/RceDeserializationTab.fxml",
+                new RceDeserializationController(),
+                ++tabOrder);
     }
 }

vucsa-client/src/main/resources/css/Main.css

@@ -1,4 +1,14 @@
+@font-face {
+    src: url('../fonts/NotoSans-Regular.ttf');
+}
+
+@font-face {
+    font-weight: bold;
+    src: url('../fonts/NotoSans-Bold.ttf');
+}
+
 {
+    -fx-font-family: 'Noto Sans', 'sans-serif';
     -fx-font-size: 12px;
     -fx-color-background-light: #fff;
     -fx-color-text-primary: #000;

vucsa-client/src/main/resources/fxml/challenge/bufferoverread/BufferOverreadTab.fxml

@@ -18,6 +18,6 @@
             <ListView fx:id="responseInput" prefHeight="410.0" prefWidth="248.0" />
          </children>
       </VBox>
-      <Button layoutX="635.0" layoutY="59.0" mnemonicParsing="false" onAction="#onSendClick" prefHeight="25.0" prefWidth="80.0" text="Send" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
+      <Button alignment="CENTER" contentDisplay="CENTER" layoutX="635.0" layoutY="59.0" mnemonicParsing="false" onAction="#onSendClick" prefHeight="25.0" prefWidth="80.0" text="Send" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
    </children>
 </AnchorPane>

vucsa-client/src/main/resources/fxml/challenge/commandexecution/CommandExecutionTab.fxml

@@ -10,7 +10,7 @@
    <children>
       <Label layoutX="14.0" layoutY="14.0" styleClass="h1" text="Command Execution" AnchorPane.leftAnchor="10.0" AnchorPane.topAnchor="10.0" />
       <Label layoutX="14.0" layoutY="14.0" text="Try to exploit this simple command execution vulnerability!" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="35.0" />
-      <Button layoutX="635.0" layoutY="59.0" mnemonicParsing="false" onAction="#onPingClick" prefHeight="25.0" prefWidth="80.0" text="Ping" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
+      <Button alignment="CENTER" contentDisplay="CENTER" layoutX="635.0" layoutY="59.0" mnemonicParsing="false" onAction="#onPingClick" prefHeight="25.0" prefWidth="80.0" text="Ping" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
       <TextField fx:id="hostInput" layoutX="67.0" layoutY="59.0" prefHeight="25.0" prefWidth="562.0" AnchorPane.leftAnchor="65.0" AnchorPane.rightAnchor="96.0" />
       <Label layoutX="10.0" layoutY="63.0" styleClass="input-label" text="Ping:" AnchorPane.leftAnchor="10.0" AnchorPane.topAnchor="63.0" />
       <TextArea fx:id="resultOutput" editable="false" layoutX="14.0" layoutY="90.0" prefHeight="200.0" prefWidth="200.0" AnchorPane.bottomAnchor="10.0" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="90.0" />

vucsa-client/src/main/resources/fxml/challenge/enumeration/EnumerationTab.fxml

@@ -10,7 +10,7 @@
    <children>
       <Label layoutX="14.0" layoutY="14.0" styleClass="h1" text="Enumeration" AnchorPane.leftAnchor="10.0" AnchorPane.topAnchor="10.0" />
       <Label layoutX="14.0" layoutY="14.0" text="The login form is vulnerable to user enumeration and password brute-force attacks. Can find all 5 accounts? Can you automate it using external HTTP proxy?" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="35.0" />
-      <Button layoutX="200.0" layoutY="176.0" minWidth="80.0" mnemonicParsing="false" onAction="#onLoginClick" prefHeight="25.0" prefWidth="321.0" text="Login" AnchorPane.leftAnchor="200.0" AnchorPane.rightAnchor="200.0" AnchorPane.topAnchor="176.0" />
+      <Button alignment="CENTER" contentDisplay="CENTER" layoutX="200.0" layoutY="176.0" minWidth="80.0" mnemonicParsing="false" onAction="#onLoginClick" prefHeight="25.0" prefWidth="321.0" text="Login" AnchorPane.leftAnchor="200.0" AnchorPane.rightAnchor="200.0" AnchorPane.topAnchor="176.0" />
       <Label alignment="CENTER" layoutX="10.0" layoutY="68.0" styleClass="input-label" text="Username" textAlignment="CENTER" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" />
       <Label alignment="CENTER" layoutX="10.0" layoutY="121.0" styleClass="input-label" text="Password" textAlignment="CENTER" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="121.0" />
       <TextField fx:id="usernameInput" alignment="CENTER" layoutX="200.0" layoutY="91.0" AnchorPane.leftAnchor="200.0" AnchorPane.rightAnchor="200.0" AnchorPane.topAnchor="91.0" />

vucsa-client/src/main/resources/fxml/challenge/rcedeserialization/RceDeserializationTab.fxml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.control.TextArea?>
+<?import javafx.scene.layout.AnchorPane?>
+<?import javafx.scene.layout.VBox?>
+
+<AnchorPane prefHeight="468.0" prefWidth="725.0" xmlns="http://javafx.com/javafx/19" xmlns:fx="http://javafx.com/fxml/1">
+   <children>
+      <Label layoutX="14.0" layoutY="14.0" styleClass="h1" text="Remote Code Execution - Deserialization" AnchorPane.leftAnchor="10.0" AnchorPane.topAnchor="10.0" />
+      <Label layoutX="14.0" layoutY="14.0" text="Try to exploit this vulnerable Java deserialization!" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="35.0" />
+      <VBox layoutX="-1.0" layoutY="257.0" prefHeight="200.0" prefWidth="267.0" spacing="10.0" AnchorPane.bottomAnchor="10.0" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="65.0">
+         <children>
+            <Label styleClass="input-label" text="Input:" />
+            <TextArea fx:id="dataInput" prefHeight="198.0" prefWidth="564.0" VBox.vgrow="ALWAYS" />
+            <Label styleClass="input-label" text="Output:" />
+            <TextArea fx:id="dataOutput" prefHeight="198.0" prefWidth="564.0" VBox.vgrow="ALWAYS" />
+         </children>
+      </VBox>
+      <Button alignment="CENTER" contentDisplay="CENTER" layoutX="635.0" layoutY="23.0" mnemonicParsing="false" onAction="#onSendClick" prefHeight="25.0" prefWidth="80.0" text="Send" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
+   </children>
+</AnchorPane>

vucsa-client/src/main/resources/fxml/challenge/sqlinjection/SqlInjectionTab.fxml

@@ -11,7 +11,7 @@
    <children>
       <Label layoutX="14.0" layoutY="14.0" styleClass="h1" text="SQL Injection" AnchorPane.leftAnchor="10.0" AnchorPane.topAnchor="10.0" />
       <Label layoutX="14.0" layoutY="14.0" text="The following functionality is vulnerable to SQL injection! Try exploiting it and loading list of users." AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="35.0" />
-      <Button layoutX="635.0" layoutY="59.0" mnemonicParsing="false" onAction="#onSearchClick" prefHeight="25.0" prefWidth="80.0" text="Search" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
+      <Button alignment="CENTER" contentDisplay="CENTER" layoutX="635.0" layoutY="59.0" mnemonicParsing="false" onAction="#onSearchClick" prefHeight="25.0" prefWidth="80.0" text="Search" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="59.0" />
       <TextField fx:id="searchInput" layoutX="67.0" layoutY="59.0" prefHeight="25.0" prefWidth="562.0" AnchorPane.leftAnchor="65.0" AnchorPane.rightAnchor="96.0" />
       <Label layoutX="10.0" layoutY="63.0" styleClass="input-label" text="Search:" AnchorPane.leftAnchor="10.0" AnchorPane.topAnchor="63.0" />
       <TableView fx:id="resultTable" layoutX="10.0" layoutY="91.0" prefHeight="370.0" prefWidth="705.0" AnchorPane.bottomAnchor="10.0" AnchorPane.leftAnchor="10.0" AnchorPane.rightAnchor="10.0" AnchorPane.topAnchor="90.0">