init
uk0 committed Oct 20, 2022
1 parent 069b89e commit 5480c9d
Showing 31 changed files with 579 additions and 1 deletion.
8 changes: 8 additions & 0 deletions .idea/.gitignore


13 changes: 13 additions & 0 deletions .idea/compiler.xml


5 changes: 5 additions & 0 deletions .idea/copyright/me.xml


7 changes: 7 additions & 0 deletions .idea/copyright/profiles_settings.xml


20 changes: 20 additions & 0 deletions .idea/jarRepositories.xml


14 changes: 14 additions & 0 deletions .idea/misc.xml


124 changes: 124 additions & 0 deletions .idea/uiDesigner.xml


7 changes: 7 additions & 0 deletions .idea/vcs.xml


19 changes: 18 additions & 1 deletion README.md
@@ -1,2 +1,19 @@
# cve-2022-42889-intercept
### cve-2022-42889-intercept

通过 jvm 启动参数 以及 jps pid进行拦截非法参数


#### quick start


```bash

-----------------------load......
cve-2022-42889 check start
cve-2022-42889 is_deep_match org.apache.commons.text.StringSubstitutor
md.getReturnType().getActualName() java.lang.String
[cve-2022-42899] class found!: class org.apache.commons.text.StringSubstitutor
(StringSubstitutor replace disabled)
[CVE 2022-42889] StringSubstitutorclass org.apache.commons.text.StringSubstitutor: (sanitized) PoC Output: %_script:javascript:195 + 324_
by arksec.cn
```
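--- a/pom.xml
+++ b/pom.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>org.example</groupId>
+<artifactId>CVE-2022-42889-Agent</artifactId>
+<version>1.0-SNAPSHOT</version>
+
+<properties>
+<maven.compiler.source>19</maven.compiler.source>
+<maven.compiler.target>19</maven.compiler.target>
+</properties>
+<dependencies>
+<!-- https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy -->
+<dependency>
+<groupId>net.bytebuddy</groupId>
+<artifactId>byte-buddy</artifactId>
+<version>1.12.18</version>
+</dependency>
+<dependency>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-text</artifactId>
+<version>1.9</version>
+</dependency>
+</dependencies>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-dependency-plugin</artifactId>
+<executions>
+<execution>
+<id>copy-dependencies</id>
+<phase>package</phase>
+<goals>
+<goal>copy-dependencies</goal>
+</goals>
+<configuration>
+<outputDirectory>${project.build.directory}/lib</outputDirectory>
+<overWriteReleases>false</overWriteReleases>
+<overWriteSnapshots>false</overWriteSnapshots>
+<overWriteIfNewer>true</overWriteIfNewer>
+</configuration>
+</execution>
+</executions>
+</plugin>
+<plugin>
+<artifactId>maven-assembly-plugin</artifactId>
+<configuration>
+<archive>
+<manifest>
+<addClasspath>true</addClasspath>
+</manifest>
+<manifestEntries>
+<Premain-Class>cn.arksec.java.agent.PreMain</Premain-Class>
+<Can-Redefine-Classes>true</Can-Redefine-Classes>
+<Can-Retransform-Classes>true</Can-Retransform-Classes>
+<Can-Set-Native-Method-Prefix>true</Can-Set-Native-Method-Prefix>
+</manifestEntries>
+</archive>
+<descriptorRefs>
+<descriptorRef>jar-with-dependencies</descriptorRef>
+</descriptorRefs>
+</configuration>
+<executions>
+<execution>
+<id>make-assembly</id>
+<phase>package</phase>
+<goals>
+<goal>single</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-compiler-plugin</artifactId>
+<configuration>
+<source>1.8</source>
+<target>1.8</target>
+</configuration>
+</plugin>
+</plugins>
+</build>
+</project>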
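Review bot: The `commons-text` dependency is declared at version 1.9 with default compile scope, so the `jar-with-dependencies` assembly packs a release affected by CVE-2022-42889 into the agent jar itself. Since the jar is loaded through `Premain-Class`, that copy presumably ends up on the class path of every JVM the agent is attached to, alongside or instead of the application's own version. If the library is needed only to compile the hooks or for a local self-test, declare it with `<scope>provided</scope>` or `<scope>test</scope>` so the assembly leaves it out. Separately, `maven.compiler.source`/`maven.compiler.target` are 19 in `<properties>` while the `maven-compiler-plugin` configuration sets `<source>1.8</source>`; the plugin configuration takes precedence, so one of the two should be removed to avoid confusion about the supported JVM level.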
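--- a/src/main/java/cn/arksec/java/agent/Agent.java
+++ b/src/main/java/cn/arksec/java/agent/Agent.java
@@ -0,0 +1,62 @@
+package cn.arksec.java.agent;
+
+import cn.arksec.java.agent.hooks.Cve202242889;
+
+import java.lang.instrument.Instrumentation;
+
+import java.util.HashMap;
+
+/**
+* @auther firsh.me
+* @2022-10-210
+*/
+@SuppressWarnings("unused")
+public class Agent {
+
+public static void load(String _args, Instrumentation inst) {
+System.out.println("-----------------------load......");
+boolean deep_match = true;
+
+try {
+HashMap<String, String> args = new HashMap<String, String>();
+if (_args != null && !"".equals(_args)) {
+String[] pairs = _args.split("$");
+for (String pair : pairs) {
+int epos = pair.indexOf("=");
+if (epos == -1) {
+System.err.println("[cve-2022-42889] ignoring invalid agent argument: " + pair);
+continue;
+}
+String k = pair.substring(0, epos);
+String v = pair.substring(epos + 1, pair.length());
+if (v.indexOf("=") != -1) {
+System.err.println("[cve-2022-42889] ignoring invalid agent argument: " + pair);
+continue;
+}
+args.put(k, v);
+}
+
+String structureMatch = null;
+if (args.containsKey("structureMatch")) {
+structureMatch = args.get("structureMatch");
+} else {
+structureMatch = "1";
+}
+if ("0".equals(structureMatch)) {
+deep_match = false;
+} else if (!"1".equals(structureMatch)) {
+System.err.println("[cve-2022-42889] ignoring invalid structureMatch argument: " + structureMatch);
+}
+}
+
+if (deep_match) {
+Cve202242889.hook_deep_match(inst);
+} else {
+Cve202242889.hook(inst);
+}
+} catch (Throwable t) {
+System.err.println("[cve-2022-42889] Exception raised in agent.");
+t.printStackTrace();
+}
+}
+}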
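Review bot: `_args.split("$")` in `load` never splits the argument string, because `String.split` takes a regular expression and an unescaped `$` is the end-of-input anchor rather than a literal dollar sign. An agent argument with more than one `key=value` pair therefore stays in one piece, trips the second `=` check and is discarded, so `structureMatch=0` is silently ignored unless it is the only argument; use `String[] pairs = _args.split("\\$");` instead. The `catch (Throwable t)` at the end only prints a stack trace, which means a failure while installing the hook leaves the JVM running without the mitigation. The message there should say so explicitly, e.g. `System.err.println("[cve-2022-42889] hook NOT installed, StringSubstitutor is unprotected");`, so operators can alert on it.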