Immunity Canvas: JAVA_DOCBASE

2010-10-19T18:00:02
ID JAVA_DOCBASE
Type canvas
Reporter Immunity Canvas
Modified 2010-10-19T18:00:02

Description

Name| java_docbase
---|---
CVE| CVE-2010-3552
Exploit Pack| CANVAS
Description| Java IE Plugin "docparam" Overflow
CVE Name| CVE-2010-3552
Vendor| Oracle

Notes:
This exploit can only be used from clientd.

Tested on:
Windows XP Professional SP3 EN under IE 8 updated.
Windows XP Home SP3 EN with IE7
Windows 7 Ultimate with IE 8.
Windows Vista with IE 7

This exploit essentially works only under clientd. It does not work with HTTP MOSDEF, as the shellcode can only be of limited size.

This exploit defeats DEP. We don't do a heap-spray for this exploit - instead
doing some clever anti-DEP techniques detailed in the exploit itself.

Other possible anti-DEP techniques include:
Shockwave DLL
.Net 2.0 DLL

We do not currently do process recovery in this exploit.

Versions Affected: Oracle Java 6 <= Update 21
Repeatability: Infinite
References: http://code.google.com/p/skylined/issues/detail?id=23
Date public: 10/12/2010