CVE-2012-4681 PoC — Oracle Java Arbitrary Code Execution Vulnerability

Source
Associated Vulnerability
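Title: Oracle Java Arbitrary Code Execution Vulnerability (CVE-2012-4681)
Description: Oracle Java 7 is the next version of Java and the first Java release since Sun was acquired by Oracle. A vulnerability exists in Oracle Java 7 Update 6 and other versions. A remote attacker can use a malicious Java applet to bypass the Java sandbox restrictions and load additional classes to execute arbitrary code in the application.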
Description
An A/V evasion armoring experiment for CVE-2012-4681
Readme
CVE-2012-4681-Armoring
======================

## Overview

A manual antivirus evasion armoring experiment for [CVE-2012-4681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681) inspired by [http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html](http://security-obscurity.blogspot.com/2012/11/java-exploit-code-obfuscation-and.html).  

Base Exploit: [http://pastie.org/4594319](http://pastie.org/4594319)

## Results as of 9/26/2014 and 8/2/2016

| **Sample**             | **Notes**                                  | **2014 Score (positive detections)**                                                                                              | **2016 Score (positive detections)**                                                                                              |
|------------------------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| **Original Sample**    | http://pastie.org/4594319                  | [30/55](https://www.virustotal.com/en/file/d21171473400807bf969e037aca6105a8b73bed804100fd696d1f46c12853d57/analysis/1411707102/) | [36/56](https://www.virustotal.com/en/file/d21171473400807bf969e037aca6105a8b73bed804100fd696d1f46c12853d57/analysis/1470183524/) |
| **Technique A**        | Changed Class/Method names                 | [28/55](https://www.virustotal.com/en/file/efa71053583c000076bb5a80aea3aebd2b755c8fec29991683bf35a86f7eac44/analysis/1411706956/) | [36/56](https://www.virustotal.com/en/file/efa71053583c000076bb5a80aea3aebd2b755c8fec29991683bf35a86f7eac44/analysis/1470185349/) |
| **Techniques A and B** | Obfuscate strings                          | [16/55](https://www.virustotal.com/en/file/e7243e29592793a604f0945e1f47c49c77416b49b2764a5b334e426f0951ad4e/analysis/1411705332/) | [22/56](https://www.virustotal.com/en/file/e7243e29592793a604f0945e1f47c49c77416b49b2764a5b334e426f0951ad4e/analysis/1470185449/) |
| **Techniques A-C**     | Change Control Flow                        | [16/55](https://www.virustotal.com/en/file/c5dadae9aed4725128b831535b1909b6b2490f8c9d9413f13b34d3918e31b5b5/analysis/1411705224/) | [22/56](https://www.virustotal.com/en/file/c5dadae9aed4725128b831535b1909b6b2490f8c9d9413f13b34d3918e31b5b5/analysis/1470185533/) |
| **Techniques A-D**     | Reflective invocations (on sensitive APIs) | [3/55](https://www.virustotal.com/en/file/82606c62c7e8668d73c28a8c9a2a5d11d06d9cd2c22c7222dc7203d8ee223a9f/analysis/1411706854/)  | [16/56](https://www.virustotal.com/en/file/1e4de34658077beb3d02c1f87ebf04e6ce13eb54f152d019184584428610f907/analysis/1470185597/) |
| **Techniques A-E**     | Simple XOR Packer                          | [0/55](https://www.virustotal.com/en/file/1681522b34b96eff62aad072526baf9f2a9aca22c6988cca0f92d6eec6006a81/analysis/1411708071/)  | [0/56](https://www.virustotal.com/en/file/87fbc91d2a7d72c2f3360614a8d8a790c9a0de3806ede3ff7b1c10ab7cb46fca/analysis/1470185702/)  |
File Snapshot

[4.0K] /data/pocs/0a674d36469a967e985bdce881758f98780dda73
├── [4.0K] CVE_2012_4681
│   ├── [4.0K] bin
│   │   ├── [4.0K] cve2012xxxx
│   │   │   └── [3.1K] Gondvv.class
│   │   ├── [ 141] java.policy.applet
│   │   └── [4.0K] techniques
│   │       ├── [4.0K] a
│   │       │   └── [3.1K] Application.class
│   │       ├── [4.0K] b
│   │       │   └── [5.2K] Application.class
│   │       ├── [4.0K] c
│   │       │   └── [4.7K] Application.class
│   │       ├── [4.0K] d
│   │       │   └── [5.9K] Application.class
│   │       └── [4.0K] e
│   │           ├── [ 819] Application$1ByteArrayClassLoader.class
│   │           └── [ 10K] Application.class
│   └── [4.0K] src
│       ├── [4.0K] cve2012xxxx
│       │   └── [2.6K] Gondvv.java
│       └── [4.0K] techniques
│           ├── [4.0K] a
│           │   └── [2.0K] Application.java
│           ├── [4.0K] b
│           │   └── [3.3K] Application.java
│           ├── [4.0K] c
│           │   └── [2.5K] Application.java
│           ├── [4.0K] d
│           │   └── [3.2K] Application.java
│           └── [4.0K] e
│               └── [ 10K] Application.java
├── [4.0K] Packer
│   ├── [4.0K] bin
│   │   ├── [1.8K] Base64.class
│   │   └── [1.1K] Packer.class
│   └── [4.0K] src
│       ├── [2.2K] Base64.java
│       └── [ 502] Packer.java
└── [3.1K] README.md

20 directories, 19 files