# Exploit Title: Oracle Java lookupByteBI function heap buffer overflow # Google Dork: # Date: 2013-09-03 # Exploit Author: GuHe # Vendor Homepage: http://www.oracle.com/ # Software Link: http://www.oracle.com/technetwork/java/javase/downloads/index.html # Version: 7u21 and eariler # Tested on: Windows 7 # CVE : CVE-2013-2470 PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/28050.zip CVE-2013-2470 - Java_sun_awt_image_ImagingLib_lookupByteBI heap buffer overflow 1. Affected Software JRE 7 update 21 and earlier JRE 6 update 45 and earlier 2. Root cause analysis The "Java_sun_awt_image_ImagingLib_lookupByteBI" performs byte lookup operation on two BufferedImage. In the following code: /* Mlib needs 16bit lookuptable and must be signed! */ if (src->type == MLIB_SHORT) { unsigned short *sdataP = (unsigned short *) src->data; unsigned short *sP; if (dst->type == MLIB_BYTE) { unsigned char *cdataP = (unsigned char *) dst->data; unsigned char *cP; if (nbands > 1) { retStatus = 0; } else { int x, y; for (y=0; y < src->height; y++) { cP = cdataP; sP = sdataP; for (x=0; x < src->width; x++) { *cP++ = table[0][*sP++]; } /* * 4554571: increment pointers using the scanline stride * in pixel units (not byte units) */ cdataP += dstImageP->raster.scanlineStride; sdataP += srcImageP->raster.scanlineStride; } } } /* How about ddata == null? */ } It tries to map data in src raster to the dst raster. The total bytes written to dst rater buffer is: (src->width) * (src->height). However, it does not correctly check the size of the dst buffer, if the size of the dst buffer is smaller than (src->width) * (src->height), it will be overflowed. 3. Poc See "TestByteBI.java" for the source code. And you can test the poc by directly open the "HelloApplet.html" in a web browser. 4. Tested on JRE 7 update 21 on Windows 7 Enterprise