Heyserial : Programmatically Create Hunting Rules For Deserialization Exploitation

Heyserial programmatically creates hunting rules for deserialization exploitation, with support for multiple:

  • keywords (e.g. cmd.exe)
  • gadget chains (e.g. CommonsCollection)
  • object types (e.g. ViewState, Java, Python Pickle, PHP)
  • encodings (e.g. Base64, raw)
  • rule types (e.g. Snort, Yara)

Usage

Help: python3 heyserial.py -h

Examples:

python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj
python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode'
python3 heyserial.py -k Process.Start -t NETViewState -e base64 "base64+utf16le"
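
Why a base64 hunting rule needs more than one search string per keyword, as an added example (not Heyserial's own code; the function names are hypothetical and this is the general technique, not a description of Heyserial's internals): a keyword inside a base64 stream encodes differently depending on its byte offset modulo 3, so each keyword yields three fragments. The encoding names are the ones used in the commands above.

```python
import base64

def base64_fragments(data: bytes) -> list[str]:
    """Base64 substrings that reveal `data` at each of its 3 possible alignments."""
    fragments = []
    for offset in range(3):  # offset of `data` modulo 3 inside the encoded stream
        padded = b"\x00" * offset + data
        encoded = base64.b64encode(padded).decode("ascii")
        start = (offset * 8 + 5) // 6  # skip characters that mix in preceding bytes
        end = (len(padded) * 8) // 6   # drop characters that mix in following bytes
        fragments.append(encoded[start:end])
    return fragments

def hunting_strings(keyword: str, encoding: str) -> list[str]:
    """Search strings for one keyword under one encoding name."""
    if encoding == "raw":
        return [keyword]
    if encoding == "base64":
        return base64_fragments(keyword.encode("utf-8"))
    if encoding == "base64+utf16le":
        # .NET strings are commonly UTF-16LE before the outer base64 layer.
        return base64_fragments(keyword.encode("utf-16-le"))
    raise ValueError(f"unsupported encoding: {encoding}")

def found_in(blob: str, keyword: str, encoding: str) -> bool:
    """True if any search string for the keyword occurs in the captured text."""
    return any(s in blob for s in hunting_strings(keyword, encoding))

if __name__ == "__main__":
    # Constructed sample: a keyword from the usage examples above.
    for enc in ("raw", "base64", "base64+utf16le"):
        print(enc, hunting_strings("cmd.exe", enc))
```

The fragments assume the standard base64 alphabet on a single line; URL-safe or line-wrapped base64 needs its own variants.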

Utils

utils/checkyoself.py

This is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.

Usage: python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap

Examples: python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses

utils/generate_payloads.ps1

YSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.

  • Source: https://github.com/pwntester/ysoserial.net
  • License: ysoserial.net_LICENSE.txt

utils/generate_payloads.sh

YSoSerial payload generation. Run on Linux from the ./utils directory.

  • Source: https://github.com/frohoff/ysoserial
  • License: ysoserial_LICENSE.txt

utils/install_snort.sh

Installing Snort on a Debian-based system was a bit finicky for me, so I wrote my install notes here.

Use at your own risk in a VM that you have snapshotted recently.

utils/server.py

Simple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.

Handy for generating test PCAPs.

R K
