Java deserialization can be a convenient and easy-to-implement transfer mechanism for sharing complex data, which despite known security risks is one of the reasons it’s still so prevalent today. Demonstrating the full impact of unsafe Java deserialization is a challenge because exploits rely on specific third-party classes being available in the remote classpath. Previously, this resulted in a Hail Mary of known exploits and if they didn’t work, we struggled to write custom exploits with limited information.
GadgetProbe is a tool to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on a remote Java classpath. By taking a wordlist input of Java classes and transmitting serialized DNS callback objects, GadgetProbe enumerates what's lurking in the remote classpath.