init

uk0 · Oct 20, 2022 · a64b7af · a64b7af
1 parent 5480c9d
commit a64b7af
Show file tree

Hide file tree

Showing 16 changed files with 53 additions and 3 deletions.
diff --git a/.idea/misc.xml b/.idea/misc.xml
diff --git a/README.md b/README.md
@@ -1,5 +1,9 @@
 ### cve-2022-42889-intercept
 
+* 低于 Java11版本的需要注意，更高的版本已经取消了`Javascript`解释器
+* 本次方案针对 Java8
+
+
 通过 jvm 启动参数 以及 jps pid进行拦截非法参数
 
 
@@ -16,4 +20,32 @@ md.getReturnType().getActualName() java.lang.String
 (StringSubstitutor replace disabled)
 [CVE 2022-42889] StringSubstitutorclass org.apache.commons.text.StringSubstitutor: (sanitized) PoC Output: %_script:javascript:195 + 324_
 by arksec.cn
-```
+```
+
+
+
+### 打开方式
+
+
+>使用 Attach API 远程加载的 Java agent 不会再先于main方法执行，这取决于另一虚拟机调用 Attach API 的时机。并且，它运行的也不再是premain方法，而是名为agentmain的方法。
+ Java 虚拟机并不限制 Java agent 的数量。你可以在 java 命令后附上多个-javaagent参数，或者远程 attach 多个 Java agent，Java 虚拟机会按照定义顺序，或者 attach 的顺序逐个执行这些 Java agent。
+
+
+* premain
+* java 启动参数
+
+
+```bash
+
+-javaagent:/path/to/dir/CVE-2022-42889-Agent-1.0-SNAPSHOT-jar-with-dependencies.jar
+
+```
+
+
+* agentmain
+* jps （pid注入）
+* 执行 `Attach` 的main方法 (先引入 `tools.jar`)
+
+
+
+
diff --git a/pom.xml b/pom.xml
@@ -55,6 +55,7 @@
                             <addClasspath>true</addClasspath>
                         </manifest>
                         <manifestEntries>
+                            <Agent-Class>cn.arksec.java.agent.AgentMain</Agent-Class>
                             <Premain-Class>cn.arksec.java.agent.PreMain</Premain-Class>
                             <Can-Redefine-Classes>true</Can-Redefine-Classes>
                             <Can-Retransform-Classes>true</Can-Retransform-Classes>

diff --git a/src/main/java/cn/arksec/java/agent/Attach.java b/src/main/java/cn/arksec/java/agent/Attach.java
@@ -0,0 +1,17 @@
+package cn.arksec.java.agent;
+
+import com.sun.tools.attach.AgentInitializationException;
+import com.sun.tools.attach.AgentLoadException;
+import com.sun.tools.attach.AttachNotSupportedException;
+import com.sun.tools.attach.VirtualMachine;
+
+import java.io.IOException;
+
+public class Attach {
+    public static void main(String[] args)
+            throws AttachNotSupportedException, IOException, AgentLoadException, AgentInitializationException {
+        // -javaagent:/Users/firshme/Desktop/ark_workspace/CVE_Project/CVE-2022-42889-Agent/target/CVE-2022-42889-Agent-1.0-SNAPSHOT-jar-with-dependencies.jar
+        VirtualMachine vm = VirtualMachine.attach("39602");
+        vm.loadAgent("/Users/firshme/Desktop/ark_workspace/CVE_Project/CVE-2022-42889-Agent/target/CVE-2022-42889-Agent-1.0-SNAPSHOT-jar-with-dependencies.jar");
+    }
+}
diff --git a/target/CVE-2022-42889-Agent-1.0-SNAPSHOT-jar-with-dependencies.jar b/target/CVE-2022-42889-Agent-1.0-SNAPSHOT-jar-with-dependencies.jar
diff --git a/target/CVE-2022-42889-Agent-1.0-SNAPSHOT.jar b/target/CVE-2022-42889-Agent-1.0-SNAPSHOT.jar
diff --git a/target/classes/cn/arksec/java/agent/Agent.class b/target/classes/cn/arksec/java/agent/Agent.class
diff --git a/target/classes/cn/arksec/java/agent/AgentMain.class b/target/classes/cn/arksec/java/agent/AgentMain.class
diff --git a/target/classes/cn/arksec/java/agent/Attach.class b/target/classes/cn/arksec/java/agent/Attach.class
diff --git a/target/classes/cn/arksec/java/agent/PreMain.class b/target/classes/cn/arksec/java/agent/PreMain.class
diff --git a/target/classes/cn/arksec/java/agent/hooks/Cve202242889$1.class b/target/classes/cn/arksec/java/agent/hooks/Cve202242889$1.class
diff --git a/target/classes/cn/arksec/java/agent/hooks/Cve202242889$2.class b/target/classes/cn/arksec/java/agent/hooks/Cve202242889$2.class
diff --git a/target/classes/cn/arksec/java/agent/hooks/Cve202242889$3.class b/target/classes/cn/arksec/java/agent/hooks/Cve202242889$3.class
diff --git a/target/classes/cn/arksec/java/agent/hooks/Cve202242889$4.class b/target/classes/cn/arksec/java/agent/hooks/Cve202242889$4.class
diff --git a/target/classes/cn/arksec/java/agent/hooks/Cve202242889.class b/target/classes/cn/arksec/java/agent/hooks/Cve202242889.class
diff --git a/target/maven-archiver/pom.properties b/target/maven-archiver/pom.properties
@@ -1,5 +1,5 @@
 #Generated by Maven
-#Thu Oct 20 21:11:24 CST 2022
+#Thu Oct 20 21:42:17 CST 2022
 artifactId=CVE-2022-42889-Agent
 groupId=org.example
 version=1.0-SNAPSHOT