Java released an out-of-band patch yesterday to remedy two Zero-Day exploits. If you haven’t done so, update now. The Java exploit code has been added to several underground crimeware kits, rapidly accelerating its spread on the internet. The patch stops a remote exploit that would allow an attacker to run code on a system that does nothing more than browse to a malicious page. This could include a full remote shell, which we will demonstrate below.
The exploit code has been publicly available for a while now and has been added to the ever-popular security testing suite Metasploit. We will demonstrate the exploit using Backtrack 5 and the Social Engineering Toolkit (SET).
Simply choose the “Java Applet JMX Remote Code Execution” template from the SET Browser Exploitation menu.
Then choose the type of shell you want to use. We just selected the Reverse Meterpreter Shell and chose the defaults for everything else.
Once SET is ready, it will execute Meterpreter and wait for an incoming connection. Now we just need to surf to the attacker machine from Windows:
It doesn’t seem that anything happens. No warnings or pop-ups.
But as you can see below, our Backtrack system has already sent the exploit code and created a remote session with the system:
We can now view any sessions that were created. As you can see below, we have one active session from the user Fred on a computer called Freds-PC at IP address 192.168.0.114.
We simply connect to the session with the “sessions -i” command and run “shell” to open a full remote DOS command shell:
In the example above all the user did was browse to a malicious webpage. With no warning at all a full remote shell was opened on the visiting system by an attacker.
Now, let’s go to the Java Download page and download the latest update (update 11):
Then let it install:
Finally, let’s try surfing to the same malicious site again from our Windows 7 system and see what happens.
The webpage opens and acts like it did on the victim’s side. So far no change.
But if we look at the attacker side, we get an error message and more importantly no remote shell is opened:
That’s it! One Java update takes care of one of the nastiest Java exploits I have seen in a while.
Java seems to be a favorite target of hackers, and you never know when another Zero-Day might be discovered. If you haven’t done so already, I highly recommend downloading and using a script blocking program like NoScript to give you some extra security and control over what scripts are allowed to run.
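The fix shown above is simply being on Update 11 or later. If you look after more than one machine, the quickest way to know where you stand is to read the `java -version` banner from each box and compare the update number against the patched one. The script below is an added example written for this post, not something from the original article, SET or Metasploit: it parses the version banner, reports Java 7 builds older than Update 11 (the out-of-band release the post installs) as vulnerable, and can also run `java -version` on the local machine. The sample banners are constructed for the example, and the assumption that only Java 7 builds are assessed is mine; other major versions are reported as outside the scope of this check rather than as safe.

```python
import re
import subprocess

# Java 7 update that carries the out-of-band fix described in the post.
PATCHED_UPDATE = 11

# Constructed sample `java -version` banners (not captured from real hosts).
SAMPLES = {
    "unpatched": 'java version "1.7.0_10"\n'
                 'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "patched":   'java version "1.7.0_11"\n'
                 'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "other":     'java version "1.6.0_38"\n',
    "garbage":   "'java' is not recognized as an internal or external command\n",
}

# Matches both Oracle ("java version") and OpenJDK ("openjdk version") banners,
# e.g. 1.7.0_10 -> major=1, minor=7, patch=0, update=10.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a java -version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def assess(banner):
    """Classify a banner: 'vulnerable', 'patched', 'not-covered' or 'unknown'.

    Only Java 7 (1.7.x) is assessed against PATCHED_UPDATE; anything else is
    reported as not covered, because this check only knows about the fix
    described in the post. It is an assumption of this example, not the post's.
    """
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    major, minor, _patch, update = version
    if (major, minor) != (1, 7):
        return "not-covered"
    return "vulnerable" if update < PATCHED_UPDATE else "patched"


def check_local_java():
    """Run `java -version` on this machine and assess the result.

    The JVM prints its banner to stderr, so both streams are captured.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:10s} -> {assess(banner)}")
    print(f"local      -> {check_local_java()}")
```

A result of `patched` only means the machine is past the update that closes this particular hole; it says nothing about later Java issues, so keep the check's threshold current as new updates ship.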