Here is a little tool which helps find and dump any serialized Java objects in a binary stream. It accepts just one parameter -- the name of the file from which to load the binary stream.
First run:
$ java -jar jsersearch.jar /tmp/payload.dat
Found objectStream at offset 55, dumping ...
Caught exception while dumping java.lang.ClassNotFoundException: XXXRequestBase
End of dump (from offset 55)
Offset 1756 exception java.io.EOFException
The tool has found a Java object stream, but it can't instantiate the objects without the compiled Java class file. There should be a way around it, I guess, but for now we assume the class file is available.
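The first run above shows the two things a scanner has to do: locate the serialization header in arbitrary bytes, and then make sense of what follows. The class name itself is stored in the stream as plain text, so it can be recovered without loading any class. The following is an added example (not part of jsersearch) that scans a blob for Java serialization headers and, for each hit, reads the class name of the first object directly from the class descriptor instead of deserializing. It relies only on documented constants of the Java serialization format (STREAM_MAGIC 0xACED, STREAM_VERSION 5, TC_OBJECT 0x73, TC_CLASSDESC 0x72); the sample input, offsets and serialVersionUID are constructed for the demonstration.

```python
"""Locate Java serialization stream headers in a binary blob and report the
class name of the first object in each stream, without deserializing anything.
Added example; not the jsersearch tool's code."""
import struct
import sys

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED followed by STREAM_VERSION 5
TC_OBJECT = 0x73                     # "new object" type code
TC_CLASSDESC = 0x72                  # "new class descriptor" type code


def find_streams(data: bytes):
    """Yield the offset of every serialization header in `data`."""
    pos = data.find(STREAM_MAGIC)
    while pos != -1:
        yield pos
        pos = data.find(STREAM_MAGIC, pos + 1)


def first_class_name(data: bytes, offset: int):
    """Return the class name of the first TC_OBJECT following the header at
    `offset`, or None if the stream is truncated or does not start with an
    object (e.g. a TC_STRING, or a false positive on the magic bytes)."""
    p = offset + len(STREAM_MAGIC)
    # Expect TC_OBJECT, then an inline TC_CLASSDESC carrying the class name.
    if p + 2 > len(data) or data[p] != TC_OBJECT or data[p + 1] != TC_CLASSDESC:
        return None
    p += 2
    if p + 2 > len(data):
        return None
    (name_len,) = struct.unpack_from(">H", data, p)   # big-endian UTF length
    p += 2
    name = data[p:p + name_len]
    if len(name) != name_len:                          # stream cut off mid-name
        return None
    return name.decode("utf-8", errors="replace")


def scan(data: bytes):
    """Return [(offset, class_name_or_None), ...] for every header found."""
    return [(off, first_class_name(data, off)) for off in find_streams(data)]


def build_sample() -> bytes:
    """Constructed input: 55 bytes of filler, one stream whose first object is
    class XXXRequestBase (the name from the post), then a header with nothing
    after it to mimic the EOFException case."""
    name = b"XXXRequestBase"
    stream = (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
              + struct.pack(">H", len(name)) + name
              + struct.pack(">Q", 0x1234567890ABCDEF)   # made-up serialVersionUID
              + b"\x02"                                 # classDescFlags: SC_SERIALIZABLE
              + b"\x00\x00")                            # field count 0; rest omitted
    return b"\x00" * 55 + stream + b"\x00" * 10 + STREAM_MAGIC


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, cls in scan(blob):
        print(f"Found objectStream at offset {off}: "
              f"{cls if cls else 'no readable class descriptor'}")
```

Run it with a file path to scan that file, or with no arguments to scan the constructed sample, which reports the class at offset 55 and a header without a readable descriptor at offset 98. Because nothing is instantiated, the scan is safe to run on untrusted payloads, which is the property you want when triaging captured traffic.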
On the second run we give the JRE a JAR file containing the necessary class file. Now it can dump the object.
$ java -cp jsersearch.jar:/tmp/shared.jar com.gremwell.jsersearch.Main /tmp/payload.dat
Found objectStream at offset 55, dumping ...
#0: class class XXXRequestBase
#0: XML dump:
2011-11-08 18:07:14.96 UTC
73e97f6cd1815a8df17a5469ca0b1a29
aecef3d3aa55fcd5a3429964b21780e4
3
End of dump (from offset 55)
Offset 1756 exception java.io.EOFException
The tool makes use of XStream (BSD license) and XMLPull (LGPL) libraries, so the resulting license is probably LGPL. Downloads: binary or source code (Eclipse project + ant build.xml).