NickstaDB / SerializationDumper

A tool to dump Java serialization streams in a more human readable form.
MIT License

Error: Illegal classDescFlags, SC_SERIALIZABLE is not compatible with SC_BLOCK_DATA. #20

Closed tbearden closed 2 years ago

tbearden commented 2 years ago

I am trying to deserialize a webshell from a log4j exploit, and am running into this error.

java -jar SerializationDumper.jar -r test.bin

STREAM_MAGIC - 0xac ed
STREAM_VERSION - 0x00 05
Contents
  TC_OBJECT - 0x73
    TC_CLASSDESC - 0x72
      className
        Length - 23 - 0x00 17
        Value - java.util.PriorityQue - 0x6a6176612e75746900106c2e5072696f72697479517565
      serialVersionUID - 0x75 65 94 00 20 da 30 b4
      newHandle 0x00 7e 00 00
      classDescFlags - 0xfb - SC_WRITE_METHOD | SC_SERIALIZABLE | SC_BLOCK_DATA
Exception in thread "main" java.lang.RuntimeException: Error: Illegal classDescFlags, SC_SERIALIZABLE is not compatible with SC_BLOCK_DATA.
    at nb.deser.SerializationDumper.readClassDescInfo(SerializationDumper.java:635)
    at nb.deser.SerializationDumper.readTC_CLASSDESC(SerializationDumper.java:571)
    at nb.deser.SerializationDumper.readNewClassDesc(SerializationDumper.java:527)
    at nb.deser.SerializationDumper.readClassDesc(SerializationDumper.java:489)
    at nb.deser.SerializationDumper.readNewObject(SerializationDumper.java:461)
    at nb.deser.SerializationDumper.readContentElement(SerializationDumper.java:359)
    at nb.deser.SerializationDumper.parseStream(SerializationDumper.java:331)
    at nb.deser.SerializationDumper.main(SerializationDumper.java:113)

test.bin.txt

NickstaDB commented 2 years ago

Your data is corrupt.

Firstly, the value you have there for classDescFlags is illegal according to the Java serialization format specification, hence the error you're seeing. Possible values for this field are 0x02, 0x03, 0x04, and 0x0c, but you have 0xfb.

Looking at your sample data further, I can see multiple strings that are corrupt. For example, at offset 0x2f is 0x00 04 which I believe is the length of a field name and should be followed by the string size, but your data includes some extra bytes 0x00 30 in between siz and e.


At offset 0x49 you have what should be the string Ljava/util/Comparator, but again your data includes some extra bytes 0x00 50 in the middle of that string.

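As an added example (not part of this issue thread and not SerializationDumper's own code), a small Python checker that reads the stream header and the first TC_CLASSDESC up to classDescFlags, applies the flag compatibility rules from the Java serialization spec, and flags control bytes inside the class name. It runs over the exact bytes quoted in the dump above and over a constructed well-formed counterpart whose serialVersionUID is a placeholder, so a captured stream can be triaged for this kind of corruption before any deserializer touches it.

```python
import struct

# classDescFlags bits from the Java Object Serialization Stream Protocol.
SC_WRITE_METHOD, SC_SERIALIZABLE, SC_EXTERNALIZABLE, SC_BLOCK_DATA, SC_ENUM = 0x01, 0x02, 0x04, 0x08, 0x10
KNOWN_FLAGS = SC_WRITE_METHOD | SC_SERIALIZABLE | SC_EXTERNALIZABLE | SC_BLOCK_DATA | SC_ENUM
STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC = 0xACED, 0x0005, 0x73, 0x72


def check_flags(flags):
    """Return the spec violations for a classDescFlags byte (empty list if legal)."""
    problems = []
    if flags & ~KNOWN_FLAGS:
        problems.append("unknown flag bits 0x%02x" % (flags & ~KNOWN_FLAGS))
    if flags & SC_SERIALIZABLE and flags & SC_EXTERNALIZABLE:
        problems.append("SC_SERIALIZABLE is not compatible with SC_EXTERNALIZABLE")
    if flags & SC_SERIALIZABLE and flags & SC_BLOCK_DATA:
        problems.append("SC_SERIALIZABLE is not compatible with SC_BLOCK_DATA")
    if flags & SC_EXTERNALIZABLE and flags & SC_WRITE_METHOD:
        problems.append("SC_EXTERNALIZABLE is not compatible with SC_WRITE_METHOD")
    if not flags & (SC_SERIALIZABLE | SC_EXTERNALIZABLE):
        problems.append("neither SC_SERIALIZABLE nor SC_EXTERNALIZABLE is set")
    return problems


def parse_first_class_desc(data):
    """Parse the stream header and the first TC_OBJECT/TC_CLASSDESC, up to classDescFlags."""
    magic, version, tc_obj, tc_desc, name_len = struct.unpack_from(">HHBBH", data, 0)
    if (magic, version) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("not a Java serialization stream")
    if (tc_obj, tc_desc) != (TC_OBJECT, TC_CLASSDESC):
        raise ValueError("expected TC_OBJECT followed by TC_CLASSDESC")
    name = data[8:8 + name_len]                      # className: 2-byte length, then the bytes
    (suid,) = struct.unpack_from(">Q", data, 8 + name_len)
    flags = data[16 + name_len]
    problems = check_flags(flags)
    # Inserted NUL/control bytes inside the class name are a second symptom of a mangled stream.
    if any(b < 0x20 for b in name):
        problems.append("className contains non-printable bytes")
    return {"className": name.decode("latin-1"), "serialVersionUID": suid,
            "classDescFlags": flags, "problems": problems}


# The bytes quoted in the dump above (corrupt: extra 00 10 inside the class name, flags 0xfb).
CORRUPT_SAMPLE = bytes.fromhex("aced0005" "7372" "0017" "6a6176612e75746900106c2e5072696f72697479517565"
                               "7565940020da30b4" "fb")
# Constructed well-formed counterpart: intact name, placeholder serialVersionUID, flags 0x03.
VALID_SAMPLE = (bytes.fromhex("aced000573720017") + b"java.util.PriorityQueue"
                + bytes.fromhex("0102030405060708") + bytes([SC_WRITE_METHOD | SC_SERIALIZABLE]))

if __name__ == "__main__":
    for label, sample in (("corrupt", CORRUPT_SAMPLE), ("valid", VALID_SAMPLE)):
        print(label, parse_first_class_desc(sample))
```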