
CVE-2015-4843 PoC — Oracle Java SE and Java SE Embedded Libraries subcomponent security vulnerability

Source
Associated Vulnerability
Title: Oracle Java SE and Java SE Embedded Libraries subcomponent security vulnerability (CVE-2015-4843)
Description: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Readme
# Description
Details of the vulnerability are discussed on [confluence](https://thehut.atlassian.net/wiki/spaces/SOT/pages/3701669956/CVE-2015-4843+-+Phrack+paper).
This repo has been picked up again after a few years of being dead; the `DisabledSecurityManager` code has not been looked at.
## OverflowDemo
This demo shows that we can overflow into the memory before the `dst` array. It works on both `aarch64` and `morello`, although the overflow is only stopped on the WIP branch where the bounds are tightly constrained. This is notable because it shows that using CHERI capabilities alone does not offer sufficient protection for managed runtimes; the heap itself also needs to be constrained.
## TypeConfusionDemo
This demo shows that by copying a `FakeClass` `oop` into an array of `RealClass` using the overflow, we can type-confuse it and make it execute a method of `FakeClass`. This demo only works on `aarch64`: on `morello` an `oop` is not a `MemoryAddress`, so the `IntBuffer` trick no longer works, which is an interesting side benefit of the port.
# How to run
Both the overflow and the type confusion demo can be run from the jar with one argument:
* `overflow`: runs the `OverflowDemo`
* `confusion`: runs the `TypeConfusionDemo`

An example is:
`./build/bsd-aarch64-template-aarch64-release/jdk/bin/java -Xmx8G -Xms8G -XX:+UnlockExperimentalVMOptions -XX:+UseEpsilonGC -jar /home/slatere/phrack/target/TestOverflow-1.0-SNAPSHOT-jar-with-dependencies.jar confusion`

The jar is built on the remote host using the [build-phrack.yml](https://github.com/Soteria-Research/generic-playbooks/blob/master/ansible/benchmarks/build-phrack.yml) playbook.
File Snapshot

[4.0K] /data/pocs/1b2952e64c7de5aecc2f99b634413e9ff1b612f0
├── [ 632] idx_calculator.py
├── [2.0K] pom.xml
├── [1.6K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            ├── [4.0K] DisableSecurityManager
            │   ├── [ 494] DefaultFakeClassLoader.java
            │   ├── [2.9K] DisableSecurityManager.java
            │   ├── [3.1K] FakeClassLoader.java
            │   └── [ 457] ObjectToByteArray.java
            ├── [ 840] Main.java
            └── [4.0K] TypeConfusionDemo
                ├── [1.0K] DemoHelper.java
                ├── [ 427] FakeClass.java
                ├── [1.5K] OverflowDemo.java
                ├── [ 173] ParentClass.java
                ├── [ 437] RealClass.java
                └── [1.8K] TypeConfusionDemo.java

5 directories, 14 files