Freddy The (De)serialization Killer

This is a plugin for Burp Suite Pro that helps to detect and exploit deserialization vulnerabilities in web applications. Often this kind of vulnerability leads to remote code or command execution on the affected server.

The plugin is capable of passively detecting, and actively scanning for, deserialization vulnerabilities in over 30 Java and .NET libraries and APIs that handle a range of data serialization formats, from binary to JSON and XML.

The plugin can be downloaded from the BApp store within Burp Suite Pro.

BMC BladeLogic Server Automation RSCD Exploit

The RSCD agent used by BMC’s server automation platform was found to be affected by a serious vulnerability in 2016 (CVE-2016-1542). A vulnerability scan of affected systems will detect this vulnerability, but it was difficult for security professionals to take advantage of it or to demonstrate its full impact due to a lack of public exploit code.

Cognitous Cyber Security’s Nicky Bloor reverse-engineered the exploit used by a vulnerability scanner in order to produce a fully working exploit.

The exploit and further information can be found at the following links:

BaRMIe Java RMI Assessment Tool

BaRMIe is a tool for enumerating and attacking services built using Java’s Remote Method Invocation (RMI), including Java Management Extensions (JMX).

The tool enables security professionals to identify weaknesses affecting applications and services that use the RMI protocol, and to exploit those weaknesses to gain a foothold during a penetration test.

Visit BaRMIe on GitHub for more information and to download the tool and source code.