diff --git a/CHANGELOG.md b/CHANGELOG.md
index 040b3d8..8c66572 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
All notable changes to this project will are documented in this changelog file.
+## [1.1.0] - 2023-09-09
+### Added
+- added RCE Deserialization challenge
+
## [1.0.1] - 2023-06-02
### Added
- fixed macOS icon
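Review bot: The 1.1.0 entry lists only the new challenge, but the same patch also bundles the Noto Sans fonts for the client and changes `MessageUtils` so that exceptions thrown by a deserializer are logged and swallowed; add those to the release notes (a "### Changed" block would fit). While this file is being touched, the context line "will are documented" could be corrected to "are documented".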
diff --git a/README.md b/README.md
index 2c92fbd..e7b8867 100644
--- a/README.md
+++ b/README.md
@@ -1,21 +1,76 @@
# ![Vulnerable Client-Server Application (VuCSA)](http://vucsa.warxim.com/img/logo.png)
# Vulnerable Client-Server Application (VuCSA)
-Vulnerable client-server application (VuCSA) is made for learning/presenting how to perform penetration tests of non-http thick clients.
+Vulnerable client-server application (VuCSA) is made for learning/presenting
+how to perform penetration tests of non-http client-server applications.
It is written in Java (with JavaFX graphical user interface).
-Currently the vulnerable application contains the following challenges:
-1. Buffer Over-read (simulated)
-2. Command Execution
-3. SQL Injection
-4. Enumeration
-5. XML
-6. Horizontal Access Control
-7. Vertical Access Control
+Currently, the vulnerable application contains the following challenges:
+
+1. **Buffer Over-read (simulated)**
+2. **Command Execution**
+3. **SQL Injection**
+4. **Enumeration**
+5. **XML**
+6. **Horizontal Access Control**
+7. **Vertical Access Control**
+8. **RCE Deserialization**
If you want to know how to solve these challenges, take a look at the [PETEP website](https://petep.warxim.com/methodology/),
which describes how to use the open-source tool PETEP to exploit them.
-**Tip:** Before you start hacking, do not forget to check the data structure of messages bellow.
+**Tip 1:** Before you start hacking, do not forget to check the data structure of messages bellow.
+When modifying the network traffic, you will probably have to consider the structure,
+especially payload length bytes.
+
+**Tip 2:** Most of the challenges can be exploited through modification of network traffic.
+Therefore, it is recommended to use TCP proxy or process hooks for the testing.
+
+**Tip 3:** Some challenges have input validation and restrictions in place, which is common in thick clients,
+but it does not mean that the server uses the same validation.
+
+### Buffer Over-read (simulated) Vulnerability
+In this challenge, your goal is to manipulate the network traffic between the client and the server in a way
+that leads to buffer over-read.
+
+### Command Execution Vulnerability
+Command execution challenge represents a very simple command execution vulnerability.
+The goal is to execute malicious command on the server.
+
+### SQL Injection Vulnerability
+SQL Injection challenge contains a search input vulnerable to SQL injection,
+but as you will soon notice, the input does not allow you to input the characters you need.
+
+### Enumeration Vulnerability
+Enumeration challenge is based on simulated login form that is not protected from enumeration.
+Will you be able to find all 5 users and guess their passwords?
+
+### XML Vulnerabilities
+In this challenge, you can find multiple XML vulnerabilities:
+- XML External Entity Attack (XXE Injection)
+- XInclude Attack
+- XML Bomb Attack
+
+### Horizontal Access Control Vulnerability
+Horizontal Access Control challenge represents document reader that allows the user to see
+own documents and read their content.
+The goal is to find 5 documents of other users.
+
+### Vertical Access Control Vulnerability
+Vertical Access Control challenge is based on simulated user panel, which shows basic user
+information. The goal is to find a hidden admin functionality and check if it is possible
+to use it as a Guest user.
+
+### RCE Deserialization Vulnerability
+RCE Deserialization vulnerability uses Java deserialization/serialization for transmitting data through the network.
+The application contains two paths that you can use to achieve remote code execution through
+the vulnerable Java deserialization.
+
+You can find both paths by examining the server's JAR file
+or by looking into the [source code](vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization).
+
+The goal is to create exploits for both paths and execute malicious command on the server.
+
+**Tip:** You can use the server JAR as library to make the exploit creation easier.
## How to Run
In order to run the vulnerable server and client, you can use one of releases on GitHub
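Review bot: In the new Tip 1 line, "bellow" should be "below"; the typo was carried over from the removed line. "execute malicious command" in the Command Execution and RCE Deserialization sections needs an article ("a malicious command"). The RCE Deserialization section tells the reader the server will run attacker-supplied commands but does not say where the server should be started; a sentence recommending an isolated lab host or a loopback-only bind would fit next to the existing tip. The new section is also followed directly by "## How to Run" with no blank line, unlike the other sections added here.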
@@ -24,6 +79,8 @@ These packages contain sh/bat scripts that will run the server and client using
You need Java 11 or newer version to run VuCSA.
+***Note:** For Mac with ARM64 architecture (M1, M2 chips), use special build for Java 17.*
+
## Project Structure
Project is divided into three modules:
- **vucsa-common** - common functionality for both client and server (including protocol processing utilities)
@@ -38,6 +95,18 @@ Messages transmitted between server and client have the following simple format:
These four parts have the following meaning:
- **type** - type of the message (used for serialization/deserialization)
-- **target** - target handler that will receive the message
+- **target** - target handler that will receive the message (identifier)
- **length** - length of the payload
- **payload** - data serialized into bytes
+
+In order to send custom payloads, you might have to update the payload length.
+Otherwise, it will not work properly. In the [tutorial](https://petep.warxim.com/methodology/analysis/),
+automatic script is developed to auto-fix the payload length bytes.
+
+# Tutorial (Solutions)
+Vulnerable client-server application (VuCSA) contains multiple vulnerabilities,
+which can be exploited in various ways. Official guide for exploiting these vulnerabilities
+uses open-source PEnetration TEsting Proxy (see [PETEP Methodology](https://petep.warxim.com/methodology/)).
+
+In the PETEP methodology, the whole process of exploiting the challenges is explained,
+including useful payloads.
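Review bot: `# Tutorial (Solutions)` is added as a top-level heading while the neighbouring sections (`## How to Run`, `## Project Structure`) use `##`, so it will render as a second document title; use `##`. The section also repeats the PETEP pointer already given under the challenge list, so one of the two could link to the other. In the payload-length paragraph, "automatic script is developed to auto-fix" reads better as "a script is developed that fixes the payload length bytes automatically".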
diff --git a/build.gradle b/build.gradle
index de99886..016ede1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ plugins {
}
group 'com.warxim'
-version '1.0'
+version '1.1'
repositories {
mavenCentral()
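Review bot: `version '1.1'` does not match the `1.1.0` used in CHANGELOG.md and in `Constant.VERSION` in this same patch, and the literal is bumped by hand in the root build file and in each of the three module build files. Use the three-part form everywhere and define it once (for example in `gradle.properties` or an `allprojects` block) so the next release cannot leave one module behind.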
diff --git a/vucsa-client/build.gradle b/vucsa-client/build.gradle
index 8c29067..2d08a6b 100644
--- a/vucsa-client/build.gradle
+++ b/vucsa-client/build.gradle
@@ -12,7 +12,7 @@ javafx {
}
group 'com.warxim'
-version '1.0'
+version '1.1'
mainClassName = 'com.warxim.vucsa.client.Main'
repositories {
diff --git a/vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationController.java b/vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationController.java
new file mode 100644
index 0000000..a19e37d
--- /dev/null
+++ b/vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationController.java
@@ -0,0 +1,78 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.client.challenge.rcedeserialization;
+
+import com.warxim.vucsa.client.Bundle;
+import com.warxim.vucsa.client.challenge.ChallengeController;
+import com.warxim.vucsa.common.ChallengeConstant;
+import com.warxim.vucsa.common.message.rcedeserialization.MessageContent;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessage;
+import javafx.application.Platform;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.Initializable;
+import javafx.scene.control.TextArea;
+
+import java.net.URL;
+import java.util.ResourceBundle;
+
+/**
+ * RCE Deserialization controller handles RCE Deserialization challenge, which acts as echo server using object serialization.
+ */
+public class RceDeserializationController extends ChallengeController implements Initializable {
+ private final RceDeserializationHandler handler = new RceDeserializationHandler(this);
+
+ @FXML
+ private TextArea dataInput;
+ @FXML
+ private TextArea dataOutput;
+
+ @Override
+ public void initialize(URL location, ResourceBundle resources) {
+ initHandler();
+ }
+
+ /**
+ * Sets data to the output component
+ * @param data Output to be set
+ */
+ public void setOutput(String data) {
+ Platform.runLater(() -> dataOutput.setText(data));
+ }
+
+ /**
+ * Sends items to the server.
+ */
+ @FXML
+ private void onSendClick(ActionEvent event) {
+ var data = dataInput.getText();
+ var messageContent = new MessageContent(data);
+
+ var message = TextMessage.builder()
+ .target(ChallengeConstant.RCE_DESERIALIZATION_TARGET)
+ .content(messageContent)
+ .build();
+ sendMessage(message);
+ }
+
+ /**
+ * Initializes RCE deserialization message handler.
+ */
+ private void initHandler() {
+ Bundle.getInstance().getClientManager().registerHandler(ChallengeConstant.RCE_DESERIALIZATION_TARGET, handler);
+ }
+}
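Review bot: The Javadoc on `onSendClick` says "Sends items to the server.", but the method sends the text of `dataInput` wrapped in a `MessageContent`; it looks copied from another controller and should be reworded. The `ActionEvent event` parameter is unused and can be dropped from the `@FXML` handler. Consider also skipping the send when `dataInput.getText()` is null or empty, so the challenge tab does not emit an empty serialized object on an accidental click.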
diff --git a/vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationHandler.java b/vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationHandler.java
new file mode 100644
index 0000000..c428185
--- /dev/null
+++ b/vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/rcedeserialization/RceDeserializationHandler.java
@@ -0,0 +1,42 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.client.challenge.rcedeserialization;
+
+import com.warxim.vucsa.common.connection.Connection;
+import com.warxim.vucsa.common.message.Message;
+import com.warxim.vucsa.common.message.MessageHandler;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessage;
+import lombok.RequiredArgsConstructor;
+
+/**
+ * Handler for handling messages for RCE Deserialization challenge.
+ */
+@RequiredArgsConstructor
+public class RceDeserializationHandler implements MessageHandler {
+ private final RceDeserializationController controller;
+
+ @Override
+ public boolean supports(Message message) {
+ return message instanceof TextMessage;
+ }
+
+ @Override
+ public boolean handleMessage(Connection connection, Message message) {
+ controller.setOutput(((TextMessage) message).getContent().getText());
+ return true;
+ }
+}
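Review bot: In `handleMessage`, `((TextMessage) message).getContent().getText()` dereferences `getContent()` without a null check. `TextMessageDeserializer` builds the message from whatever `readObject()` returns, and a serialized null passes the `(MessageContent)` cast, so a response of that shape raises a `NullPointerException` on the client. Check for a null content (and for a message that is not a `TextMessage`, since the cast here does not depend on `supports` having been called first) and return `false` in that case.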
diff --git a/vucsa-client/src/main/java/com/warxim/vucsa/client/gui/controller/ApplicationController.java b/vucsa-client/src/main/java/com/warxim/vucsa/client/gui/controller/ApplicationController.java
index 70c90f0..207383c 100644
--- a/vucsa-client/src/main/java/com/warxim/vucsa/client/gui/controller/ApplicationController.java
+++ b/vucsa-client/src/main/java/com/warxim/vucsa/client/gui/controller/ApplicationController.java
@@ -19,6 +19,7 @@
import com.warxim.vucsa.client.Bundle;
import com.warxim.vucsa.client.challenge.commandexecution.CommandExecutionController;
import com.warxim.vucsa.client.challenge.enumeration.EnumerationController;
+import com.warxim.vucsa.client.challenge.rcedeserialization.RceDeserializationController;
import com.warxim.vucsa.client.challenge.verticalaccesscontrol.VerticalAccessControlController;
import com.warxim.vucsa.client.challenge.ChallengeController;
import com.warxim.vucsa.client.challenge.ChallengeWrapper;
@@ -191,5 +192,10 @@ private void initChallengeTabs() {
"/fxml/challenge/verticalaccesscontrol/VerticalAccessControlTab.fxml",
new VerticalAccessControlController(),
++tabOrder);
+ initChallengeTab(
+ "RCE Deserialization",
+ "/fxml/challenge/rcedeserialization/RceDeserializationTab.fxml",
+ new RceDeserializationController(),
+ ++tabOrder);
}
}
diff --git a/vucsa-client/src/main/resources/css/Main.css b/vucsa-client/src/main/resources/css/Main.css
index dda8ff1..7211499 100644
--- a/vucsa-client/src/main/resources/css/Main.css
+++ b/vucsa-client/src/main/resources/css/Main.css
@@ -1,4 +1,14 @@
+@font-face {
+ src: url('../fonts/NotoSans-Regular.ttf');
+}
+
+@font-face {
+ font-weight: bold;
+ src: url('../fonts/NotoSans-Bold.ttf');
+}
+
{
+ -fx-font-family: 'Noto Sans', 'sans-serif';
-fx-font-size: 12px;
-fx-color-background-light: #fff;
-fx-color-text-primary: #000;
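Review bot: In the `-fx-font-family` line, `'sans-serif'` is quoted; in CSS a quoted generic name is read as a literal family name, so the fallback may not resolve if the bundled file fails to load. Write it unquoted. The two `@font-face` blocks carry no `font-family` descriptor, so the name 'Noto Sans' is tied to the files only through the fonts' internal names; a one-line comment saying so would save the next reader a lookup. The patch adds the two TTF binaries with no licence text visible alongside them in `fonts/`; if the font licence requires its text to ship with the files, add it there.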
diff --git a/vucsa-client/src/main/resources/fonts/NotoSans-Bold.ttf b/vucsa-client/src/main/resources/fonts/NotoSans-Bold.ttf
new file mode 100644
index 0000000..ab11d31
Binary files /dev/null and b/vucsa-client/src/main/resources/fonts/NotoSans-Bold.ttf differ
diff --git a/vucsa-client/src/main/resources/fonts/NotoSans-Regular.ttf b/vucsa-client/src/main/resources/fonts/NotoSans-Regular.ttf
new file mode 100644
index 0000000..a1b8994
Binary files /dev/null and b/vucsa-client/src/main/resources/fonts/NotoSans-Regular.ttf differ
diff --git a/vucsa-client/src/main/resources/fxml/challenge/bufferoverread/BufferOverreadTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/bufferoverread/BufferOverreadTab.fxml
index 7a6fe7e..341d3bc 100644
--- a/vucsa-client/src/main/resources/fxml/challenge/bufferoverread/BufferOverreadTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/challenge/bufferoverread/BufferOverreadTab.fxml
@@ -18,6 +18,6 @@
-
+
diff --git a/vucsa-client/src/main/resources/fxml/challenge/commandexecution/CommandExecutionTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/commandexecution/CommandExecutionTab.fxml
index c644d13..4f8e797 100644
--- a/vucsa-client/src/main/resources/fxml/challenge/commandexecution/CommandExecutionTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/challenge/commandexecution/CommandExecutionTab.fxml
@@ -10,7 +10,7 @@
-
+
diff --git a/vucsa-client/src/main/resources/fxml/challenge/enumeration/EnumerationTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/enumeration/EnumerationTab.fxml
index 6846f10..fc81b10 100644
--- a/vucsa-client/src/main/resources/fxml/challenge/enumeration/EnumerationTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/challenge/enumeration/EnumerationTab.fxml
@@ -10,7 +10,7 @@
-
+
diff --git a/vucsa-client/src/main/resources/fxml/challenge/rcedeserialization/RceDeserializationTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/rcedeserialization/RceDeserializationTab.fxml
new file mode 100644
index 0000000..ae87c58
--- /dev/null
+++ b/vucsa-client/src/main/resources/fxml/challenge/rcedeserialization/RceDeserializationTab.fxml
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/vucsa-client/src/main/resources/fxml/challenge/sqlinjection/SqlInjectionTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/sqlinjection/SqlInjectionTab.fxml
index f3174d1..68ab038 100644
--- a/vucsa-client/src/main/resources/fxml/challenge/sqlinjection/SqlInjectionTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/challenge/sqlinjection/SqlInjectionTab.fxml
@@ -11,7 +11,7 @@
-
+
diff --git a/vucsa-client/src/main/resources/fxml/challenge/verticalaccesscontrol/VerticalAccessControlTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/verticalaccesscontrol/VerticalAccessControlTab.fxml
index f745662..178d5cf 100644
--- a/vucsa-client/src/main/resources/fxml/challenge/verticalaccesscontrol/VerticalAccessControlTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/challenge/verticalaccesscontrol/VerticalAccessControlTab.fxml
@@ -8,7 +8,7 @@
-
+
@@ -27,7 +27,7 @@
-
+
diff --git a/vucsa-client/src/main/resources/fxml/challenge/xml/XmlTab.fxml b/vucsa-client/src/main/resources/fxml/challenge/xml/XmlTab.fxml
index 4a4f7f9..35c7bd0 100644
--- a/vucsa-client/src/main/resources/fxml/challenge/xml/XmlTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/challenge/xml/XmlTab.fxml
@@ -35,6 +35,6 @@
-
+
diff --git a/vucsa-client/src/main/resources/fxml/tab/SettingsTab.fxml b/vucsa-client/src/main/resources/fxml/tab/SettingsTab.fxml
index 20316ae..7940d23 100644
--- a/vucsa-client/src/main/resources/fxml/tab/SettingsTab.fxml
+++ b/vucsa-client/src/main/resources/fxml/tab/SettingsTab.fxml
@@ -22,6 +22,6 @@
-
+
diff --git a/vucsa-common/build.gradle b/vucsa-common/build.gradle
index 88adb1f..3165ed0 100644
--- a/vucsa-common/build.gradle
+++ b/vucsa-common/build.gradle
@@ -3,7 +3,7 @@ plugins {
}
group 'com.warxim'
-version '1.0'
+version '1.1'
repositories {
mavenCentral()
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/ChallengeConstant.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/ChallengeConstant.java
index 977e9ba..8e43cb2 100644
--- a/vucsa-common/src/main/java/com/warxim/vucsa/common/ChallengeConstant.java
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/ChallengeConstant.java
@@ -28,6 +28,7 @@ public final class ChallengeConstant {
public static final int VERTICAL_ACCESS_CONTROL_USER_INFO_TARGET = 1006;
public static final int VERTICAL_ACCESS_CONTROL_SECRET_TARGET = 1007;
public static final int HORIZONTAL_ACCESS_CONTROL_DOCUMENT_CONTENT_TARGET = 1008;
+ public static final int RCE_DESERIALIZATION_TARGET = 1009;
public static final String CHALLENGES_DIRECTORY = "server/challenge/";
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/Constant.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/Constant.java
index 0542d69..506850e 100644
--- a/vucsa-common/src/main/java/com/warxim/vucsa/common/Constant.java
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/Constant.java
@@ -20,7 +20,7 @@
* Global constants.
*/
public final class Constant {
- public static final String VERSION = "1.0.1";
+ public static final String VERSION = "1.1.0";
public static final String WEB = "https://vucsa.warxim.com";
public static final String DEFAULT_SERVER_HOST = "127.0.0.1";
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/message/MessageType.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/MessageType.java
index fbf3f31..a1f78f1 100644
--- a/vucsa-common/src/main/java/com/warxim/vucsa/common/message/MessageType.java
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/MessageType.java
@@ -21,6 +21,9 @@
import com.warxim.vucsa.common.message.commandexecution.response.PingResponseSerializer;
import com.warxim.vucsa.common.message.horizontalaccesscontrol.request.DocumentContentRequest;
import com.warxim.vucsa.common.message.horizontalaccesscontrol.response.DocumentContentResponse;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessage;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessageDeserializer;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessageSerializer;
import com.warxim.vucsa.common.message.sqlinjection.response.SearchResponseDeserializer;
import com.warxim.vucsa.common.message.verticalaccesscontrol.request.*;
import com.warxim.vucsa.common.message.verticalaccesscontrol.response.*;
@@ -80,6 +83,7 @@ public enum MessageType {
VERTICAL_ACCESS_CONTROL_SECRET_RESPONSE(13, SecretResponse.class, new SecretResponseSerializer(), new SecretResponseDeserializer()),
HORIZONTAL_ACCESS_CONTROL_DOCUMENT_CONTENT_REQUEST(14, DocumentContentRequest.class, new DocumentContentRequestSerializer(), new DocumentContentRequestDeserializer()),
HORIZONTAL_ACCESS_CONTROL_DOCUMENT_CONTENT_RESPONSE(15, DocumentContentResponse.class, new DocumentContentResponseSerializer(), new DocumentContentResponseDeserializer()),
+ RCE_DESERIALIZATION_TEXT_MESSAGE(16, TextMessage.class, new TextMessageSerializer(), new TextMessageDeserializer()),
;
/**
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/MessageContent.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/MessageContent.java
new file mode 100644
index 0000000..ac9faae
--- /dev/null
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/MessageContent.java
@@ -0,0 +1,29 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.common.message.rcedeserialization;
+
+import lombok.Value;
+
+import java.io.Serializable;
+
+/**
+ * Serializable content of text message
+ */
+@Value
+public class MessageContent implements Serializable {
+ String text;
+}
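Review bot: `MessageContent implements Serializable` without declaring a `serialVersionUID`. The value is then computed from the class shape, so a client and server built from different versions of vucsa-common (or with a different Lombok output) will fail with `InvalidClassException` instead of exchanging messages. Add `private static final long serialVersionUID = 1L;` and document in the class comment that this type is the only one the protocol expects in the payload.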
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessage.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessage.java
new file mode 100644
index 0000000..3ce17b5
--- /dev/null
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessage.java
@@ -0,0 +1,43 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.common.message.rcedeserialization;
+
+import com.warxim.vucsa.common.message.Message;
+import com.warxim.vucsa.common.message.MessageType;
+import lombok.Builder;
+import lombok.EqualsAndHashCode;
+import lombok.Value;
+
+/**
+ * Text message that will be transmitted over the network in RCE Deserialization challenge
+ */
+@Value
+@EqualsAndHashCode(callSuper = true)
+public class TextMessage extends Message {
+ MessageContent content;
+
+ @Builder
+ public TextMessage(int target, MessageContent content) {
+ super(target);
+ this.content = content;
+ }
+
+ @Override
+ public MessageType getType() {
+ return MessageType.RCE_DESERIALIZATION_TEXT_MESSAGE;
+ }
+}
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessageDeserializer.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessageDeserializer.java
new file mode 100644
index 0000000..778f7f0
--- /dev/null
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessageDeserializer.java
@@ -0,0 +1,48 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.common.message.rcedeserialization;
+
+import com.warxim.vucsa.common.message.Message;
+import com.warxim.vucsa.common.message.MessageDeserializer;
+import com.warxim.vucsa.common.message.SerializedMessage;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Deserializer for {@link TextMessage}.
+ */
+public class TextMessageDeserializer implements MessageDeserializer {
+ @Override
+ public Optional deserializeMessage(SerializedMessage serializedMessage) {
+ try (var byteInputStream = new ByteArrayInputStream(serializedMessage.getPayload());
+ var objectInputStream = new ObjectInputStream(byteInputStream)) {
+ var messageContent = (MessageContent) objectInputStream.readObject();
+ return Optional.of(TextMessage.builder()
+ .target(serializedMessage.getTarget())
+ .content(messageContent)
+ .build());
+ } catch (IOException | ClassNotFoundException e) {
+ Logger.getGlobal().log(Level.SEVERE, "Could not deserialize text message!", e);
+ return Optional.empty();
+ }
+ }
+}
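Review bot: `objectInputStream.readObject()` runs on the raw payload with no `ObjectInputFilter`, and the `(MessageContent)` cast only happens after the whole object graph has been instantiated, so it offers no protection. That is the point of the challenge on the server, but this class lives in vucsa-common and is registered in `MessageType`, so the client appears to perform the same unfiltered deserialization on whatever the server, or a proxy in between, sends back. If only the server is meant to be the target, as the README section describes, mark the call with a comment stating it is intentionally vulnerable and apply a filter on the client path that allows only `MessageContent` and `java.lang.String` (`setObjectInputFilter` is available on the Java 11 baseline the README requires). Separately, the cast can throw `ClassCastException`, which `catch (IOException | ClassNotFoundException e)` does not cover; catching it here keeps the failure local instead of relying on the caller.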
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessageSerializer.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessageSerializer.java
new file mode 100644
index 0000000..ba04773
--- /dev/null
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/message/rcedeserialization/TextMessageSerializer.java
@@ -0,0 +1,56 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.common.message.rcedeserialization;
+
+import com.warxim.vucsa.common.message.Message;
+import com.warxim.vucsa.common.message.MessageSerializer;
+import com.warxim.vucsa.common.message.SerializedMessage;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Serializer for {@link TextMessage}.
+ */
+public class TextMessageSerializer implements MessageSerializer {
+ @Override
+ public Optional serializeMessage(Message message) {
+ if (!(message instanceof TextMessage)) {
+ return Optional.empty();
+ }
+ var textMessage = (TextMessage) message;
+
+ try (var byteStream = new ByteArrayOutputStream();
+ var objectOutputStream = new ObjectOutputStream(byteStream)) {
+ objectOutputStream.writeObject(textMessage.getContent());
+ var payload = byteStream.toByteArray();
+ return Optional.of(SerializedMessage.builder()
+ .type(message.getType())
+ .target(message.getTarget())
+ .length(payload.length)
+ .payload(payload)
+ .build());
+ } catch (IOException e) {
+ Logger.getGlobal().log(Level.SEVERE, "Could not serialize text message!", e);
+ return Optional.empty();
+ }
+ }
+}
diff --git a/vucsa-common/src/main/java/com/warxim/vucsa/common/util/MessageUtils.java b/vucsa-common/src/main/java/com/warxim/vucsa/common/util/MessageUtils.java
index 7231b88..bad1b22 100644
--- a/vucsa-common/src/main/java/com/warxim/vucsa/common/util/MessageUtils.java
+++ b/vucsa-common/src/main/java/com/warxim/vucsa/common/util/MessageUtils.java
@@ -25,6 +25,7 @@
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.util.Optional;
+import java.util.logging.Level;
import java.util.logging.Logger;
/**
@@ -83,7 +84,12 @@ public static Optional readMessageFromInputStream(DataInputStream in) t
.build();
var deserializer = type.getDeserializer();
- return deserializer.deserializeMessage(serializedMessage);
+ try {
+ return deserializer.deserializeMessage(serializedMessage);
+ } catch (Exception e) {
+ Logger.getGlobal().log(Level.SEVERE, "Could not deserialize message!", e);
+ }
+ return Optional.empty();
}
private MessageUtils() {}
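Review bot: `catch (Exception e)` around `deserializer.deserializeMessage(serializedMessage)` is broad and appears to exist because the new `TextMessageDeserializer` can let a runtime exception such as `ClassCastException` escape; handling that inside the deserializer would keep this shared read path strict for the other message types. The catch also does not cover `Error` subclasses such as `StackOverflowError`, which deeply nested serialized input can raise, so a comment stating whether that case is intentionally left to kill the connection thread would help. If the catch stays, move `return Optional.empty();` into the catch block and include the message type and target in the log line so the failing handler can be identified.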
diff --git a/vucsa-server/build.gradle b/vucsa-server/build.gradle
index 0d56a14..4ac1833 100644
--- a/vucsa-server/build.gradle
+++ b/vucsa-server/build.gradle
@@ -4,7 +4,7 @@ plugins {
}
group 'com.warxim'
-version '1.0'
+version '1.1'
mainClassName = 'com.warxim.vucsa.server.Main'
repositories {
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/ChallengeManager.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/ChallengeManager.java
index d313f9f..b6bd760 100644
--- a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/ChallengeManager.java
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/ChallengeManager.java
@@ -20,6 +20,7 @@
import com.warxim.vucsa.server.challenge.commandexecution.CommandExecutionChallenge;
import com.warxim.vucsa.server.challenge.enumeration.EnumerationChallenge;
import com.warxim.vucsa.server.challenge.horizontalaccesscontrol.HorizontalAccessControlChallenge;
+import com.warxim.vucsa.server.challenge.rcedeserialization.RceDeserializationChallenge;
import com.warxim.vucsa.server.challenge.sqlinjection.SqlInjectionChallenge;
import com.warxim.vucsa.server.challenge.verticalaccesscontrol.VerticalAccessControlChallenge;
import com.warxim.vucsa.server.challenge.xml.XmlChallenge;
@@ -45,7 +46,8 @@ public ChallengeManager() {
new CommandExecutionChallenge(),
new XmlChallenge(),
new HorizontalAccessControlChallenge(),
- new VerticalAccessControlChallenge()
+ new VerticalAccessControlChallenge(),
+ new RceDeserializationChallenge()
);
}
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/RceDeserializationChallenge.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/RceDeserializationChallenge.java
new file mode 100644
index 0000000..fde5022
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/RceDeserializationChallenge.java
@@ -0,0 +1,36 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization;
+
+import com.warxim.vucsa.common.ChallengeConstant;
+import com.warxim.vucsa.server.challenge.Challenge;
+import com.warxim.vucsa.server.core.ServerManager;
+
+/**
+ * RCE Deserialization challenge
+ */
+public class RceDeserializationChallenge extends Challenge {
+ @Override
+ public void load(ServerManager serverManager) {
+ serverManager.registerHandler(ChallengeConstant.RCE_DESERIALIZATION_TARGET, new RceDeserializationHandler());
+ }
+
+ @Override
+ public void unload(ServerManager serverManager) {
+ serverManager.unregisterHandler(ChallengeConstant.RCE_DESERIALIZATION_TARGET);
+ }
+}
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/RceDeserializationHandler.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/RceDeserializationHandler.java
new file mode 100644
index 0000000..48d3276
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/RceDeserializationHandler.java
@@ -0,0 +1,45 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization;
+
+import com.warxim.vucsa.common.connection.Connection;
+import com.warxim.vucsa.common.message.Message;
+import com.warxim.vucsa.common.message.MessageHandler;
+import com.warxim.vucsa.common.message.rcedeserialization.MessageContent;
+import com.warxim.vucsa.common.message.rcedeserialization.TextMessage;
+
+/**
+ * Handler for RCE Deserialization challenge
+ */
+public class RceDeserializationHandler implements MessageHandler {
+ @Override
+ public boolean supports(Message message) {
+ return message instanceof TextMessage;
+ }
+
+ @Override
+ public boolean handleMessage(Connection connection, Message message) {
+ var textMessage = (TextMessage) message;
+ var text = textMessage.getContent().getText();
+ var transformedText = new StringBuilder(text).reverse().toString();
+ connection.sendMessage(TextMessage.builder()
+ .target(textMessage.getTarget())
+ .content(new MessageContent(transformedText))
+ .build());
+ return true;
+ }
+}
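Review bot: In handleMessage, textMessage.getContent().getText() is dereferenced with no null check, so a TextMessage whose content or text is null throws a NullPointerException out of the handler. Check both and handle that case explicitly before calling reverse(). The class Javadoc should also say where the unsafe deserialization takes place, because nothing in this handler reads an object stream: it only reverses the text and echoes it back, so this file alone does not show why the challenge is exploitable.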
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/BasicCommand.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/BasicCommand.java
new file mode 100644
index 0000000..7460761
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/BasicCommand.java
@@ -0,0 +1,33 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal;
+
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+
+/**
+ * Basic Command represents vulnerable class that can be exploited using RCE
+ */
+public class BasicCommand implements Serializable {
+ public String cmd;
+
+ private void readObject(ObjectInputStream in) throws Exception {
+ in.defaultReadObject();
+
+ Runtime.getRuntime().exec(cmd);
+ }
+}
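Review bot: readObject in BasicCommand declares throws Exception and the class has no serialVersionUID. Declare the conventional "throws IOException, ClassNotFoundException" (both calls in the body fit within that) and add an explicit "private static final long serialVersionUID" so the stream identity of this training class stays fixed across builds. Since running exec(cmd) during deserialization is the intended flaw, the Javadoc should say so in those words and name the defence the challenge illustrates, for example an ObjectInputFilter allow-list on the reading side. The cmd field can also be private, since nothing in this hunk reads it from outside the class.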
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/BaseProcessor.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/BaseProcessor.java
new file mode 100644
index 0000000..12348cd
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/BaseProcessor.java
@@ -0,0 +1,25 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.io.Serializable;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public abstract class BaseProcessor implements Processor, Serializable {
+}
\ No newline at end of file
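Review bot: BaseProcessor.java ends without a trailing newline (the "\ No newline at end of file" marker), as do the other new files under internal/advanced; add one to each. The Javadoc "Vulnerable class" also does not say what this class contributes: it has no members and exists only to make every Processor implementation Serializable, which is worth stating.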
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessorDescriptor.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessorDescriptor.java
new file mode 100644
index 0000000..8fd9529
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessorDescriptor.java
@@ -0,0 +1,40 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.io.Serializable;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public class ChainedProcessorDescriptor implements Serializable {
+ private final Processor processor;
+ private final Object[] args;
+
+ public ChainedProcessorDescriptor(Processor processor, Object[] args) {
+ this.processor = processor;
+ this.args = args;
+ }
+
+ public Processor getProcessor() {
+ return processor;
+ }
+
+ public Object[] getArgs() {
+ return args;
+ }
+}
\ No newline at end of file
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessorOutputAsArgPlaceholder.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessorOutputAsArgPlaceholder.java
new file mode 100644
index 0000000..d4a31fa
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessorOutputAsArgPlaceholder.java
@@ -0,0 +1,26 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.io.Serializable;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public class ChainedProcessorOutputAsArgPlaceholder implements Serializable {
+
+}
\ No newline at end of file
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessors.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessors.java
new file mode 100644
index 0000000..c14b37a
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ChainedProcessors.java
@@ -0,0 +1,53 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public class ChainedProcessors extends BaseProcessor {
+ private final ArrayList processors;
+
+ public ChainedProcessors(ArrayList processors) {
+ this.processors = processors;
+ }
+
+ public Object process(Object... args) {
+ if (processors.isEmpty()) {
+ return null;
+ }
+
+ var first = processors.get(0);
+ var previousOutput = first.getProcessor().process(first.getArgs());
+
+ for (var i = 1; i < processors.size(); ++i) {
+ var processor = processors.get(i);
+ var argsCopy = Arrays.copyOf(processor.getArgs(), processor.getArgs().length);
+ for (var j = 0; j < argsCopy.length; ++j) {
+ if (argsCopy[j] instanceof ChainedProcessorOutputAsArgPlaceholder) {
+ argsCopy[j] = previousOutput;
+ }
+ }
+ previousOutput = processor.getProcessor().process(argsCopy);
+ }
+
+ return previousOutput;
+ }
+}
\ No newline at end of file
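Review bot: process() in ChainedProcessors has no @Override, although ClassProcessor and ObjectProcessor both carry it, and it never reads its args parameter. Add the annotation and document that the arguments come from each descriptor rather than from the caller. As shown here, processors is declared as a raw ArrayList, so first.getProcessor() has no static element type to resolve against; declare the element type as ChainedProcessorDescriptor. processor.getArgs() is also passed to Arrays.copyOf unchecked, so a descriptor whose args is null throws a NullPointerException from inside the loop.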
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ClassProcessor.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ClassProcessor.java
new file mode 100644
index 0000000..c98b200
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ClassProcessor.java
@@ -0,0 +1,44 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.util.Arrays;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Stream;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public class ClassProcessor extends BaseProcessor {
+ @Override
+ public Object process(Object... args) {
+ var clazz = (Class>) args[0];
+ var methodName = (String) args[1];
+ var methodArgs = Arrays.copyOfRange(args, 2, args.length);
+ var methodArgTypes = Stream.of(methodArgs)
+ .map(Object::getClass)
+ .toArray(Class[]::new);
+ try {
+ var method = clazz.getMethod(methodName, methodArgTypes);
+ return method.invoke(null, methodArgs);
+ } catch (Exception e) {
+ Logger.getGlobal().log(Level.SEVERE, "Could not execute the method in class!", e);
+ }
+ return null;
+ }
+}
\ No newline at end of file
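Review bot: In ClassProcessor.process, the casts of args[0] and args[1], Arrays.copyOfRange(args, 2, args.length) and the Object::getClass mapping all run before the try block, so an args array with fewer than two elements, an element of the wrong type or a null method argument throws out of process() instead of reaching the "Could not execute the method in class!" log line. Move the argument unpacking inside the try, or validate it up front and log the rejection. A named logger for this class instead of Logger.getGlobal() would also let whoever runs the server filter on these reflective invocations.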
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ObjectProcessor.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ObjectProcessor.java
new file mode 100644
index 0000000..d2dd37f
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ObjectProcessor.java
@@ -0,0 +1,44 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.util.Arrays;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Stream;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public class ObjectProcessor extends BaseProcessor {
+ @Override
+ public Object process(Object... args) {
+ var object = (Object) args[0];
+ var methodName = (String) args[1];
+ var methodArgs = Arrays.copyOfRange(args, 2, args.length);
+ var methodArgTypes = Stream.of(methodArgs)
+ .map(Object::getClass)
+ .toArray(Class[]::new);
+ try {
+ var method = object.getClass().getMethod(methodName, methodArgTypes);
+ return method.invoke(object, methodArgs);
+ } catch (Exception e) {
+ Logger.getGlobal().log(Level.SEVERE, "Could not execute the method in object!", e);
+ }
+ return null;
+ }
+}
\ No newline at end of file
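Review bot: ObjectProcessor.process repeats ClassProcessor.process almost line for line; only the method lookup (object.getClass() versus the Class argument) and the invoke receiver differ. Pull the shared argument unpacking and reflection call into a protected helper on BaseProcessor, which is currently empty, so the two classes cannot drift apart. The (Object) cast on args[0] is redundant and can be dropped.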
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/Processor.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/Processor.java
new file mode 100644
index 0000000..7438d7b
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/Processor.java
@@ -0,0 +1,24 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+/**
+ * Vulnerable interface, part of RCE Deserialization challenge
+ */
+public interface Processor {
+ Object process(Object... args);
+}
\ No newline at end of file
diff --git a/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ProcessorCommand.java b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ProcessorCommand.java
new file mode 100644
index 0000000..59dbf1d
--- /dev/null
+++ b/vucsa-server/src/main/java/com/warxim/vucsa/server/challenge/rcedeserialization/internal/advanced/ProcessorCommand.java
@@ -0,0 +1,39 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2023 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see .
+ */
+package com.warxim.vucsa.server.challenge.rcedeserialization.internal.advanced;
+
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+
+/**
+ * Vulnerable class, part of RCE Deserialization challenge
+ */
+public class ProcessorCommand implements Serializable {
+ private final Processor processor;
+ private final Object[] args;
+
+ private ProcessorCommand(Processor processor, Object[] args) {
+ this.processor = processor;
+ this.args = args;
+ }
+
+ private void readObject(ObjectInputStream in) throws Exception {
+ in.defaultReadObject();
+
+ processor.process(args);
+ }
+}
\ No newline at end of file
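Review bot: The private constructor of ProcessorCommand is never called in this file, so within the code shown an instance only comes to exist through deserialization, and readObject then calls processor.process(args) with no null check on processor. State in the Javadoc that this readObject is the entry point that makes the Processor classes reachable from an object stream, and either handle a null processor or document the resulting NullPointerException. readObject should declare "throws IOException, ClassNotFoundException" rather than Exception, and the class should carry an explicit serialVersionUID.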