
old hotfix against CVE-2012-1533

a guest
Jun 9th, 2013
  1. '
  2. ' [*] patch javaws.exe (version 1.6.0_31 OR 1.7.0_03) against JNLP parsing 0day on Windows XP and Windows 7
  3. ' [*] by Rh0
  4. ' [*] Mar 15 2012
  5. ' [*] the whole purpose of this blown-up script is to change a single byte in the javaws.exe of
  6. ' [*] JRE 1.6.0_31 or 1.7.0_03
  7. '  
  8. '     CAUTION:
  9. '     =======
  10. ' [*] This is unofficial, use at your own risk!!
  11. ' [*] Also only one JRE should be installed when running the patch !!
  12. ' [*] Not tested with JDK versions of java !!
  13. ' [*] Be sure to make a copy of javaws.exe always before running this
  14. '
  15. '     INFO:
  16. '     =====
  17. ' [*] In case of JRE 1.6 the double quote (") will be added to the list
  18. ' [*] of characters which should be escaped with a backslash (\) in the
  19. ' [*] command line of javaw.exe . In case of JRE 1.7 the tilde (~) in the list will be
  20. ' [*] replaced by a double quote as the list is already full (only one
  21. ' [*] terminating zero). So tildes in command line parameters will not be
  22. ' [*] escaped anymore.
  23. '
  24. ' [*] Maybe UAC in Windows 7 has to be disabled for this script to work
  25.  
  26.  
  ' ---- script entry point ----
  ' Everything happens inside Main (defined below); nothing else runs at file level.
  Call Main()
  30.  
  31.  
  32.  
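  Function Main()
      ' Binary hotfix for javaws.exe of JRE 1.6.0_31 / 1.7.0_03: puts a double quote (0x22)
      ' into the list of characters that javaws.exe backslash-escapes when it builds the
      ' command line for javaw.exe.
      '
      ' Steps: ask for confirmation, locate the JRE through the registry, verify that the
      ' byte at the patch offset is what an unpatched build is expected to hold, keep a
      ' backup, change the byte in memory, verify the result, and only then write it back.
      '
      ' Side effects worth knowing before deploying this:
      '   * JRE 1.7: the tilde (~) entry is replaced, so tildes are no longer escaped.
      '   * The file on disk no longer matches the vendor's binary; if javaws.exe is
      '     Authenticode-signed, its signature will stop verifying (NOTE(review): not
      '     checked here - confirm on a test machine).
      '
      ' Relies on checkError and WrongVersion, both of which terminate the script.

      Const DLG_TITLE   = "JRE 1.6_31/1.7_03 JNLP 0day Patch by Rh0"
      Const ERR_TITLE   = " [!] Error "
      Const HKLM_JRE    = "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\"
      Const OFFSET_JRE6 = 104890   ' 0x199ba: free place of character list in javaws.exe data section (JRE 6)
      Const OFFSET_JRE7 = 161494   ' 0x276d6: tilde (~) in character list in javaws.exe data section (JRE 7)
      Const BYTE_QUOTE  = 34       ' 0x22, the double quote that gets patched in
      Const BYTE_TILDE  = 126      ' 0x7E, what an unpatched JRE 7 build holds at OFFSET_JRE7
      Const BYTE_FREE   = 0        ' assumed content of the "free place" in the zero-terminated
                                   ' JRE 6 list - confirm against a pristine 1.6.0_31 javaws.exe

      Dim FSO, WS, Jws, quoteStream
      Dim FamilyVersion, JavaFamily, ExactVersion, expectedVersion, JavaWS
      Dim offset, expectedByte, currentByte, patchedByte, fileSize, newSize

      ' vbOKCancel + vbInformation = 65, vbCancel = 2
      If MsgBox("This patch will alter your javaws.exe" & Chr(10) & "Continue ?", vbOKCancel + vbInformation, DLG_TITLE) = vbCancel Then
          WScript.Quit
      End If

      ' From here on errors do not stop the script by themselves; every risky step is
      ' followed by checkError, which quits as soon as Err is set.
      On Error Resume Next
      Set FSO = CreateObject("Scripting.FileSystemObject")
      Set WS = CreateObject("WScript.Shell")
      checkError Err, "Cannot create Scripting.FileSystemObject / WScript.Shell"

      ' --------------------- JRE version detection ---------------------------

      ' get java version family, assuming to get the right java web start by targeting the JRE registry strings
      FamilyVersion = WS.RegRead(HKLM_JRE & "CurrentVersion")
      checkError Err, "Cannot read CurrentVersion of Java in registry"

      ' Each family has exactly one supported build, one offset and one expected original byte.
      Select Case FamilyVersion
          Case "1.6"
              JavaFamily = "6"
              offset = OFFSET_JRE6
              expectedVersion = "1.6.0_31"
              expectedByte = BYTE_FREE
          Case "1.7"
              JavaFamily = "7"
              offset = OFFSET_JRE7
              expectedVersion = "1.7.0_03"
              expectedByte = BYTE_TILDE
          Case Else
              WrongVersion
      End Select

      ' get exact version
      ExactVersion = WS.RegRead(HKLM_JRE & "Java" & JavaFamily & "FamilyVersion")
      checkError Err, "Cannot read Java" & JavaFamily & "FamilyVersion of Java in registry"
      If ExactVersion <> expectedVersion Then WrongVersion

      ' get javaws.exe path and make sure the file is there
      JavaWS = WS.RegRead(HKLM_JRE & ExactVersion & "\JavaHome") & "\bin\javaws.exe"
      checkError Err, "Cannot obtain Java installation path out of registry"
      FSO.GetFile JavaWS
      checkError Err, "Cannot find javaws.exe file"

      ' --------------------- load and verify before touching anything --------

      Set Jws = CreateObject("ADODB.Stream")
      Jws.Type = 1    ' binary
      Jws.Mode = 3    ' read/write
      Jws.Open
      Jws.LoadFromFile JavaWS
      fileSize = Jws.Size
      checkError Err, "Cannot open javaws.exe"

      ' The registry only says which version is installed; it says nothing about the bytes
      ' on disk. Refuse to write into a file that is too short or holds something else there.
      If fileSize <= offset Then
          MsgBox "javaws.exe is smaller than the patch offset, nothing changed... Exiting...", vbExclamation, ERR_TITLE
          WScript.Quit
      End If

      Jws.Position = offset
      currentByte = AscB(MidB(Jws.Read(1), 1, 1))
      checkError Err, "Cannot read the byte at the patch offset in javaws.exe"

      If currentByte = BYTE_QUOTE Then
          ' Quitting here also keeps a second run from replacing the backup of the
          ' original binary with a copy of the already patched one.
          MsgBox " javaws.exe already holds the patched byte, nothing to do... Exiting...", vbInformation, DLG_TITLE
          WScript.Quit
      End If
      If currentByte <> expectedByte Then
          MsgBox "Unexpected byte at the patch offset, this is not the javaws.exe build the patch was made for." & Chr(10) & "Nothing changed... Exiting...", vbExclamation, ERR_TITLE
          WScript.Quit
      End If

      ' --------------------- backup ------------------------------------------

      ' Never overwrite an existing backup: it may be the only copy of the original file.
      If Not FSO.FileExists(JavaWS & ".bak") Then
          FSO.CopyFile JavaWS, JavaWS & ".bak"
          checkError Err, "Cannot backup copy javaws.exe to javaws.exe.bak"
      End If

      ' --------------------- patch in memory ---------------------------------

      ' The characters in this list are searched in the command line parameters in a
      ' running javaws.exe process. If they are encountered they are escaped by a \ and
      ' the whole command line parameter is enclosed inside double quotes for javaw.exe.
      Jws.Position = offset

      ' VBScript cannot build a byte array directly, so the byte is produced by a text
      ' stream. A single-byte charset is used so that exactly one byte (no BOM, no
      ' trailing 0x00) is copied over the target position.
      Set quoteStream = CreateObject("ADODB.Stream")
      With quoteStream
          .Type = 2                   ' text
          .Charset = "iso-8859-1"
          .Open
          .WriteText Chr(BYTE_QUOTE)  ' double quote
          .Position = 0
          .CopyTo Jws                 ' overwrite the byte at offset
          .Close
      End With

      ' Re-read what was just written. Checking before SaveToFile means a failed seek or
      ' copy can never end up in the file on disk.
      Jws.Position = offset
      patchedByte = AscB(MidB(Jws.Read(1), 1, 1))
      newSize = Jws.Size
      checkError Err, "Cannot modify javaws.exe in memory, file on disk left untouched"
      If patchedByte <> BYTE_QUOTE Or newSize <> fileSize Then
          MsgBox "In-memory patch did not produce the expected result, file on disk left untouched... Exiting...", vbExclamation, ERR_TITLE
          WScript.Quit
      End If

      ' --------------------- write back --------------------------------------

      Jws.SaveToFile JavaWS, 2        ' 2 = overwrite existing file
      checkError Err, "Cannot write to javaws.exe, permission problem ?"
      Jws.Close

      MsgBox " Patch applied successfully", vbInformation, DLG_TITLE

  End Function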
  129.  
  130.  
  Function WrongVersion()
      ' Reports that the installed JRE is not one this patch handles, then ends the
      ' script. Nothing after the call in the caller runs, because WScript.Quit
      ' terminates the script host.
      Dim notice, caption
      caption = "JRE 1.6_31/1.7_03 JNLP 0day Patch"
      notice = " Wrong Java version, nothing to do... Exiting..."
      MsgBox notice, vbOKOnly, caption
      WScript.Quit
  End Function
  135.  
  Function checkError(Err, Msg)
      ' Stops the script with a message box when the passed-in error is set.
      '   Err - error value to test; callers in this file hand over the Err object
      '   Msg - text shown to the user before the script quits
      ' Returns normally only when Err compares equal to 0.
      Dim failed
      failed = (Err <> 0)
      If failed Then
          MsgBox Msg, vbExclamation, " [!] Error "
          Err.Clear
          WScript.Quit
      End If
  End Function