/*## (c) SECURITY EXPLORATIONS 2012 poland #*/ /*## http://www.security-explorations.com #*/ /* Apple QuickTime Java extensions */ /* quicktime.util.QTByteObject initialization security checks bypass */ In order to test the POC code for the reported Issue 22, manually add Vuln22Setup.class and Vuln22Setup$1.class to the original QTJava.zip file from your CLASSPATH environment variable. This file is usually located in lib\ext directory of your JRE base dir: Microsoft Windows [Wersja 6.1.7601] Copyright (c) 2009 Microsoft Corporation. Wszelkie prawa zastrzezone. c:\>set ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\Internet\AppData\Roaming CLASSPATH=.;C:\_SOFTWARE\jre6\lib\ext\QTJava.zip COMMANDER_DRIVE=C: ... Both Vuln22Setup and Vuln22Setup$1 classes mimic undisclosed and not yet patched, Oracle's Issue 15. Successfull exploit run should lead to the execution of notepad.exe and c:\se.txt file creation. Additionally, Java console output similar to the one denoted below should be observed: Java Plug-in 1.6.0_33 Using JRE version 1.6.0_33-b03 Java HotSpot(TM) Client VM User home directory = C:\Users\Internet ---------------------------------------------------- c: clear console window f: finalize objects on finalization queue g: garbage collect h: display this help message l: dump classloader list m: print memory usage o: trigger logging q: hide console r: reload policy configuration s: dump system and deployment properties t: dump thread list v: dump thread stack x: clear classloader cache 0-5: set trace level to ---------------------------------------------------- Security manager = sun.plugin2.applet.Applet2SecurityManager@15cda3f QTSession.hasSecurityRestrictions() = true Created: MyQTByteObject using off 0x24d00000 for Windows 7 (x86) found Marker instance at 0x251e0008 Security manager = null === PoC === https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.zip ======== Advisory ======== https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19401.pdf