MCPcopy Index your code
hub / github.com/GrrrDog/ACEDcup

github.com/GrrrDog/ACEDcup @v1.0.3

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0.3 ↗ · + Follow
6 symbols 9 edges 2 files 0 documented · 0%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

ACEDcup

ACEDcup tool is a payload generator for Java Binary Deserialization attack (ACED)

For Apache Commons FileUpload ver <= 1.3 (CVE-2013-2186) and Oracle JDK ver < 7u40

The attack works even for newer versions of the lib or Java. We can upload any content in any directory, but we cannot control a file name (smth like upload_f71d3547_72ed_4ae1_90fe_0d319115cd42_00000000.tmp) in this situation. Hovewer, it may be useful in some cases.

Also we can perform a NTLM-relay/sniffing attack (using \\evilhost\any\path) if your target is on Windows OS.

Usage

  java -jar aced_cup.jar /path/payload /path/target /path/out 1

  /path/payload - a path to a file with your payload
  /path/target - a path to a file that will be created in your victim
  /path/out - a path to a file with serialized payload
  0 - turn off null-byte ending if you attack a patched system (with null by default)

Example

java -jar aced_cup.jar D:\\cup_exploit\\payload.txt /home/user/test/any_name.txt D:\\cup_exploit\\emp1.ser

Core symbols most depended-on inside this repo

Create
called by 1
sources/src/com/greendog/jser/CommUploadSer.java
Serialize
called by 1
sources/src/com/greendog/jser/CommUploadSer.java
main
called by 0
sources/src/com/greendog/jser/Exploit.java
CommUploadSer
called by 0
sources/src/com/greendog/jser/CommUploadSer.java

Shape

Method 4
Class 2

Languages

Java100%

Modules by API surface

sources/src/com/greendog/jser/CommUploadSer.java4 symbols
sources/src/com/greendog/jser/Exploit.java2 symbols

For agents

$ claude mcp add ACEDcup \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact