sinn3r

Let's start the week with a new Java 0-day in Metasploit

Blog Post created by sinn3r Employee on Aug 27, 2012

On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC, and then once again, started our voodoo ritual. Within a couple of hours, we have a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.

 

Java zero-day vulnerability exploit in Metasploit

 

The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.  We have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safari on OS X 10.7.4

 

As a user, you should take this problem seriously, because there is currently no patch from Oracle.  For now, our recommendation is to completely disable Java until a fix is available.  NOTE: A fix is now available (Java 7 Update 7), please patch your system ASAP!

 

To try out this exploit: Get your free Metasploit download now, or update your existing installation.  Meanwhile, we will keep this blog updated when more progress has been made.

 

---

Aug 28 2012: This vulnerability has been assigned as CVE-2012-4681.

Aug 30 2012: Oracle has released Java 7 Update 7

Outcomes