Error while generating or serializing payload

[DoMINAToR98]

OS: macOS High Sierra Version 10.13.6 $ java -jar ysoserial-master-30099844c6-1.jar Spring1 "/usr/bin/nc -l -p 9999 -e /bin/sh" 70 ↵ WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by ysoserial.payloads.util.Gadgets (file:/Users/~/Desktop/ysoserial-master-30099844c6-1.jar) to constructor com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl() WARNING: Please consider reporting this to the maintainers of ysoserial.payloads.util.Gadgets WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release Error while generating or serializing payload com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager at com.nqzero.permit.Permit.setAccessible(Permit.java:22) at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17) at ysoserial.payloads.util.Reflections.getField(Reflections.java:24) at ysoserial.payloads.util.Reflections.setFieldValue(Reflections.java:34) at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:129) at ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102) at ysoserial.payloads.Spring1.getObject(Spring1.java:57) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found at com.nqzero.permit.Permit.(Permit.java:222) at com.nqzero.permit.Permit.build(Permit.java:117) at com.nqzero.permit.Permit.(Permit.java:16) ... 7 more

Trying the same command on some Linux Distro worked for me, any solutions for this on macOSX?

[neubauek]

Same here on Catalina.

java -jar ysoserial.jar CommonsCollections1 'calc.exe' Error while generating or serializing payload com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager at com.nqzero.permit.Permit.setAccessible(Permit.java:22) at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17) at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:45) at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72) at ysoserial.payloads.util.Gadgets.createMemoitizedProxy(Gadgets.java:67) at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:71) at ysoserial.payloads.CommonsCollections1.getObject(CommonsCollections1.java:43) at ysoserial.GeneratePayload.main(GeneratePayload.java:34) Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found at com.nqzero.permit.Permit.(Permit.java:222) at com.nqzero.permit.Permit.build(Permit.java:117) at com.nqzero.permit.Permit.(Permit.java:16) ... 7 more

[XhstormR]

Same here on Windwos.

D:\Download>java --version
java 13.0.1 2019-10-15
Java(TM) SE Runtime Environment (build 13.0.1+9)
Java HotSpot(TM) 64-Bit Server VM (build 13.0.1+9, mixed mode, sharing)

D:\Download>java -jar ysoserial-master-30099844c6-1.jar Groovy1 calc.exe
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 (file:/D:/Download/ysoserial-master-30099844c6-1.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass$3$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Error while generating or serializing payload
com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
        at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
        at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
        at ysoserial.payloads.util.Reflections.getFirstCtor(Reflections.java:45)
        at ysoserial.payloads.util.Gadgets.createMemoizedInvocationHandler(Gadgets.java:72)
        at ysoserial.payloads.Groovy1.getObject(Groovy1.java:39)
        at ysoserial.payloads.Groovy1.getObject(Groovy1.java:29)
        at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
        at com.nqzero.permit.Permit.<init>(Permit.java:222)
        at com.nqzero.permit.Permit.build(Permit.java:117)
        at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
        ... 6 more

[bestlzk]

I have the same problem when I use jdk13, and I solve this problem by using jdk8.

[RiRa12621]

you can mitigate this by specifically using java 8 /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/bin/java -jar on MacOS assuming you have Java 8 installed as an option

you can find that out like

$ /usr/libexec/java_home -V
Matching Java Virtual Machines (3):
    15, x86_64: "AdoptOpenJDK 15"       /Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home
    14.0.1, x86_64:     "OpenJDK 14.0.1"        /Library/Java/JavaVirtualMachines/openjdk.jdk/Contents/Home
    1.8.0_265, x86_64:  "AdoptOpenJDK 8"        /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home

/Library/Java/JavaVirtualMachines/adoptopenjdk-15.jdk/Contents/Home

[wh1tenoise]

PS C:\Malware> java -version
java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)

PS C:\Malware> java -cp .\ysoserial-master-6eca5bc740-1.jar ysoserial.exploit.JRMPListener 4444 CommonsCollections5 'nslookup google.com'
Exception in thread "main" java.lang.IllegalArgumentException: Failed to construct payload
        at ysoserial.payloads.ObjectPayload$Utils.makePayloadObject(ObjectPayload.java:72)
        at ysoserial.exploit.JRMPListener.main(JRMPListener.java:113)
Caused by: com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
        at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
        at ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:17)
        at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:83)
        at ysoserial.payloads.CommonsCollections5.getObject(CommonsCollections5.java:51)
        at ysoserial.payloads.ObjectPayload$Utils.makePayloadObject(ObjectPayload.java:69)
        ... 1 more
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
        at com.nqzero.permit.Permit.<init>(Permit.java:222)
        at com.nqzero.permit.Permit.build(Permit.java:117)
        at com.nqzero.permit.Permit.<clinit>(Permit.java:16)
        ... 5 more

This problem seems to persist. Will this be fixed or is Java8 the way to go?

[Alexandre-Bartel]

Java >=12 does not allow access to private fields of certain sensitive classes (which Permit tries to do). Note that there is not portable Java trick anymore to access these fields. See https://bugs.openjdk.java.net/browse/JDK-8210522 for details. A fix is in PR #149

[frohoff]

Closed by #149