Apple QuickTime – QuickTime.util.QTByteObject Initialization Security Checks Bypass

• Exploit Database
• 106 阅读

• 作者： Security Explorations
  日期： 2012-06-26
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/19401/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

  /*## (c) SECURITY EXPLORATIONS2012 poland#*/ /*## http://www.security-explorations.com#*/   /* Apple QuickTime Java extensions*/ /* quicktime.util.QTByteObject initialization security checks bypass*/   In order to test the POC code for the reported Issue 22, manually add Vuln22Setup.class and Vuln22Setup$1.class to the original QTJava.zip file from your CLASSPATH environment variable. This file is usually located in lib\ext directory of your JRE base dir:   Microsoft Windows [Wersja 6.1.7601] Copyright (c) 2009 Microsoft Corporation. Wszelkie prawa zastrzezone.   c:\>set ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\Internet\AppData\Roaming CLASSPATH=.;C:\_SOFTWARE\jre6\lib\ext\QTJava.zip COMMANDER_DRIVE=C: ...   Both Vuln22Setup and Vuln22Setup$1 classes mimic undisclosed and not yet patched, Oracle&apos;s Issue 15.   Successfull exploit run should lead to the execution of notepad.exe and c:\se.txt file creation. Additionally, Java console output similar to the one denoted below should be observed:   Java Plug-in 1.6.0_33 Using JRE version 1.6.0_33-b03 Java HotSpot(TM) Client VM User home directory = C:\Users\Internet   ---------------------------------------------------- c: clear console window f: finalize objects on finalization queue g: garbage collect h: display this help message l: dump classloader list m: print memory usage o: trigger logging q: hide console r: reload policy configuration s: dump system and deployment properties t: dump thread list v: dump thread stack x: clear classloader cache 0-5: set trace level to <n> ----------------------------------------------------   Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f QTSession.hasSecurityRestrictions() = true Created: MyQTByteObject using off 0x24d00000 for Windows 7 (x86) found Marker instance at 0x251e0008 Security manager = null   === PoC ===   https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.zip   ======== Advisory ========   https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.pdf