Adding CVE-2021-44228 rules and payloads

heyserial.py

@@ -172,13 +172,14 @@ def enc_combo(term, encchain, isprefix=False):
 	"""
 	new_encoded = []
 
-	# Encode the things
-	if isinstance(term, list):
+	# Encode the thing
+	if isinstance(term, (str, bytes)):
+		new_encoded = encchain[0](term, isprefix)
+
+	# Or Encode the things
+	else:
 		for t in term:
 			new_encoded.extend(encchain[0](t, isprefix))
-	# Or Encode the thing
-	else:
-		new_encoded = encchain[0](term, isprefix)
 
 	# Uncomment below for debugging
 	#print("Recursion {}:\n\tTerm:{}\n\tEncoded: {}".format(len(encchain),term,new_encoded))
@@ -214,7 +215,7 @@ def encode_all(keywords, encoders, ischain=False, isprefix=False):
 		all_keywords = "".join(keywords.split("::")[1:])
 		all_keywords = all_keywords.split("+")
 	elif not isprefix:
-		all_keywords = keywords
+		all_keywords = [keywords] if isinstance(keywords, (str,bytes)) else keywords
 
 	# Encode all keywords
 	try:
@@ -535,6 +536,7 @@ def write_report(keys, chains, format, used):
 		}
 object_types = {
 		"JavaObj": {"raw": b'\xac\xed'},
+		"JNDIObj": {"raw": b'\x24\x7b\x6a\x6e\x64\x69\x3a'},
 		"PHPObj": {"raw": b'\x4f\x3a'},
 		"PythonPickle": {"raw": b'\x80\x04\x95'},
 		# Including YSoSerial.NET formatters, but only NETViewState/LosFormatter has been tested.

rules/jndiobj/dns.snort

@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.dns.[raw]"; content:"T "; offset:2; depth:3; content:"|24 7b 6a 6e 64 69 3a|"; content:"|64 6e 73 3a 2f|"; distance:0; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.dns.[base64]"; content:"T "; offset:2; depth:3; content:"JHtqbmRpO"; pcre:"/(?:ZG5zOi|Ruczov|kbnM6L)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.dns.[base64base64]"; content:"T "; offset:2; depth:3; content:"|53 6b 68 30 63 57 4a 74 55 6e 42 50|"; pcre:"/(?:\x57\x6b\x63\x31\x65\x6b\x39\x70|\x70\x48\x4e\x58\x70\x50\x61|\x61\x52\x7a\x56\x36\x54\x32|\x55\x6e\x56\x6a\x65\x6d\x39\x32|\x4a\x31\x59\x33\x70\x76\x64|\x53\x64\x57\x4e\x36\x62\x33|\x61\x32\x4a\x75\x54\x54\x5a\x4d|\x74\x69\x62\x6b\x30\x32\x54|\x72\x59\x6d\x35\x4e\x4e\x6b)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)

rules/jndiobj/dns.yara

@@ -0,0 +1,30 @@
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_dns_raw {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: dns"
+	strings:
+		$objheader={24 7b 6a 6e 64 69 3a}
+		$keyword0 = { 64 6e 73 3a 2f}
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_dns_base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: dns"
+	strings:
+		$objheader="JHtqbmRpO"
+		$keyword0 = /(ZG5zOi|Ruczov|kbnM6L)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_dns_base64base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: dns"
+	strings:
+		$objheader={53 6b 68 30 63 57 4a 74 55 6e 42 50}
+		$keyword0 = /(\x57\x6b\x63\x31\x65\x6b\x39\x70|\x70\x48\x4e\x58\x70\x50\x61|\x61\x52\x7a\x56\x36\x54\x32|\x55\x6e\x56\x6a\x65\x6d\x39\x32|\x4a\x31\x59\x33\x70\x76\x64|\x53\x64\x57\x4e\x36\x62\x33|\x61\x32\x4a\x75\x54\x54\x5a\x4d|\x74\x69\x62\x6b\x30\x32\x54|\x72\x59\x6d\x35\x4e\x4e\x6b)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}

rules/jndiobj/ldap.snort

@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.ldap.[raw]"; content:"T "; offset:2; depth:3; content:"|24 7b 6a 6e 64 69 3a|"; content:"|6c 64 61 70 3a 2f|"; distance:0; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.ldap.[base64]"; content:"T "; offset:2; depth:3; content:"JHtqbmRpO"; pcre:"/(?:bGRhcDov|xkYXA6L|sZGFwOi)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.ldap.[base64base64]"; content:"T "; offset:2; depth:3; content:"|53 6b 68 30 63 57 4a 74 55 6e 42 50|"; pcre:"/(?:\x59\x6b\x64\x53\x61\x47\x4e\x45\x62\x33|\x4a\x48\x55\x6d\x68\x6a\x52\x47\x39\x32|\x69\x52\x31\x4a\x6f\x59\x30\x52\x76\x64|\x65\x47\x74\x5a\x57\x45\x45\x32\x54|\x68\x72\x57\x56\x68\x42\x4e\x6b|\x34\x61\x31\x6c\x59\x51\x54\x5a\x4d|\x63\x31\x70\x48\x52\x6e\x64\x50\x61|\x4e\x61\x52\x30\x5a\x33\x54\x32|\x7a\x57\x6b\x64\x47\x64\x30\x39\x70)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)

rules/jndiobj/ldap.yara

@@ -0,0 +1,30 @@
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_ldap_raw {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: ldap"
+	strings:
+		$objheader={24 7b 6a 6e 64 69 3a}
+		$keyword0 = { 6c 64 61 70 3a 2f}
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_ldap_base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: ldap"
+	strings:
+		$objheader="JHtqbmRpO"
+		$keyword0 = /(bGRhcDov|xkYXA6L|sZGFwOi)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_ldap_base64base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: ldap"
+	strings:
+		$objheader={53 6b 68 30 63 57 4a 74 55 6e 42 50}
+		$keyword0 = /(\x59\x6b\x64\x53\x61\x47\x4e\x45\x62\x33|\x4a\x48\x55\x6d\x68\x6a\x52\x47\x39\x32|\x69\x52\x31\x4a\x6f\x59\x30\x52\x76\x64|\x65\x47\x74\x5a\x57\x45\x45\x32\x54|\x68\x72\x57\x56\x68\x42\x4e\x6b|\x34\x61\x31\x6c\x59\x51\x54\x5a\x4d|\x63\x31\x70\x48\x52\x6e\x64\x50\x61|\x4e\x61\x52\x30\x5a\x33\x54\x32|\x7a\x57\x6b\x64\x47\x64\x30\x39\x70)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}

rules/jndiobj/ldaps.snort

@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.ldaps.[raw]"; content:"T "; offset:2; depth:3; content:"|24 7b 6a 6e 64 69 3a|"; content:"|6c 64 61 70 73 3a 2f|"; distance:0; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.ldaps.[base64]"; content:"T "; offset:2; depth:3; content:"JHtqbmRpO"; pcre:"/(?:bGRhcHM6L|xkYXBzOi|sZGFwczov)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.ldaps.[base64base64]"; content:"T "; offset:2; depth:3; content:"|53 6b 68 30 63 57 4a 74 55 6e 42 50|"; pcre:"/(?:\x59\x6b\x64\x53\x61\x47\x4e\x49\x54\x54\x5a\x4d|\x4a\x48\x55\x6d\x68\x6a\x53\x45\x30\x32\x54|\x69\x52\x31\x4a\x6f\x59\x30\x68\x4e\x4e\x6b|\x65\x47\x74\x5a\x57\x45\x4a\x36\x54\x32|\x68\x72\x57\x56\x68\x43\x65\x6b\x39\x70|\x34\x61\x31\x6c\x59\x51\x6e\x70\x50\x61|\x63\x31\x70\x48\x52\x6e\x64\x6a\x65\x6d\x39\x32|\x4e\x61\x52\x30\x5a\x33\x59\x33\x70\x76\x64|\x7a\x57\x6b\x64\x47\x64\x32\x4e\x36\x62\x33)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)

rules/jndiobj/ldaps.yara

@@ -0,0 +1,30 @@
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_ldaps_raw {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: ldaps"
+	strings:
+		$objheader={24 7b 6a 6e 64 69 3a}
+		$keyword0 = { 6c 64 61 70 73 3a 2f}
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_ldaps_base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: ldaps"
+	strings:
+		$objheader="JHtqbmRpO"
+		$keyword0 = /(bGRhcHM6L|xkYXBzOi|sZGFwczov)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_ldaps_base64base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: ldaps"
+	strings:
+		$objheader={53 6b 68 30 63 57 4a 74 55 6e 42 50}
+		$keyword0 = /(\x59\x6b\x64\x53\x61\x47\x4e\x49\x54\x54\x5a\x4d|\x4a\x48\x55\x6d\x68\x6a\x53\x45\x30\x32\x54|\x69\x52\x31\x4a\x6f\x59\x30\x68\x4e\x4e\x6b|\x65\x47\x74\x5a\x57\x45\x4a\x36\x54\x32|\x68\x72\x57\x56\x68\x43\x65\x6b\x39\x70|\x34\x61\x31\x6c\x59\x51\x6e\x70\x50\x61|\x63\x31\x70\x48\x52\x6e\x64\x6a\x65\x6d\x39\x32|\x4e\x61\x52\x30\x5a\x33\x59\x33\x70\x76\x64|\x7a\x57\x6b\x64\x47\x64\x32\x4e\x36\x62\x33)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}

rules/jndiobj/rmi.snort

@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.rmi.[raw]"; content:"T "; offset:2; depth:3; content:"|24 7b 6a 6e 64 69 3a|"; content:"|72 6d 69 3a 2f|"; distance:0; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.rmi.[base64]"; content:"T "; offset:2; depth:3; content:"JHtqbmRpO"; pcre:"/(?:cm1pOi|JtaTov|ybWk6L)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)
+alert tcp any any -> any any (msg:"M.Methodology.HTTP.SerializedObject.JNDIObj.rmi.[base64base64]"; content:"T "; offset:2; depth:3; content:"|53 6b 68 30 63 57 4a 74 55 6e 42 50|"; pcre:"/(?:\x59\x32\x30\x78\x63\x45\x39\x70|\x4e\x74\x4d\x58\x42\x50\x61|\x6a\x62\x54\x46\x77\x54\x32|\x53\x6e\x52\x68\x56\x47\x39\x32|\x70\x30\x59\x56\x52\x76\x64|\x4b\x64\x47\x46\x55\x62\x33|\x65\x57\x4a\x58\x61\x7a\x5a\x4d|\x6c\x69\x56\x32\x73\x32\x54|\x35\x59\x6c\x64\x72\x4e\x6b)/Rs"; threshold:type limit, track by_src, count 1, seconds 1800; sid:<REPLACE_SID>; rev:1;)

rules/jndiobj/rmi.yara

@@ -0,0 +1,30 @@
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_rmi_raw {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: rmi"
+	strings:
+		$objheader={24 7b 6a 6e 64 69 3a}
+		$keyword0 = { 72 6d 69 3a 2f}
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_rmi_base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: rmi"
+	strings:
+		$objheader="JHtqbmRpO"
+		$keyword0 = /(cm1pOi|JtaTov|ybWk6L)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}
+rule M_Methodology_HTTP_SerializedObject_JNDIObj_rmi_base64base64 {
+	meta:
+		author="Auto-generated by heyserial.py - Alyssa Rahman (@ramen0x3f)"
+		description="Auto-generated rule for serialized objects with the keyword/chain: rmi"
+	strings:
+		$objheader={53 6b 68 30 63 57 4a 74 55 6e 42 50}
+		$keyword0 = /(\x59\x32\x30\x78\x63\x45\x39\x70|\x4e\x74\x4d\x58\x42\x50\x61|\x6a\x62\x54\x46\x77\x54\x32|\x53\x6e\x52\x68\x56\x47\x39\x32|\x70\x30\x59\x56\x52\x76\x64|\x4b\x64\x47\x46\x55\x62\x33|\x65\x57\x4a\x58\x61\x7a\x5a\x4d|\x6c\x69\x56\x32\x73\x32\x54|\x35\x59\x6c\x64\x72\x4e\x6b)/
+	condition:
+		$objheader and (@keyword0[1] > @objheader[1])
+}