
Summary: I would like to show a proof of concept of a Java exploit using an old JRE on an up-to-date machine to cut short discussions on the "but we are patched, so why remove older versions" subject. (I am not a developer - apologies for possible unfortunate expressions below.)

Details: When patching Java (at least on MS Windows) the JRE is updated to the latest version (there is a single jre folder in <path to Java install>), but the JDK is updated through a new jdk<version> folder, which also contains a JRE.

Oracle allows one to choose the version to run in an applet, so I would like to show a proof of concept of the style

  • someone with an up-to-date Java install connects to a web page with the "malicious" applet
  • something "bad" happens showing that he/she is hacked

I was initially thinking about writing a minimal applet (I will find help on that subject locally) and using Metasploit to run the actual attack - it seems, however, that the Metasploit payloads are not configurable (in the sense of using java_version to hit an older version of Java).

Note: this is a practical follow-up of a discussion on detecting Java vulnerabilities on the Nessus forum.

WoJ
  • @Ramhound: the question would be: would someone have a ready solution, or anything (a comment, a pointer) which could help me to build mine? (I was wrong assuming this is obvious, per the downvote. It is true that I could have just posted this for the sake of expressing my dreams :)) – WoJ May 22 '13 at 13:52
  • If I'm not mistaken, a special prompt appears when an older version of the JRE is requested, stating the security risks of doing so. So you may want to take that into consideration. Also, if this is just a POC, don't bother with a Metasploit payload; just do something like `Runtime.getRuntime().exec("calc.exe");`. calc.exe works fine as a POC. – Anorov May 23 '13 at 00:06
  • @Anorov: on the browsers I tested (Chrome, IE) there is just a warning about using the applet in the first place. This is not a deterrent for users determined to get hacked :) As for the payload -- I wanted to show a true exploit (working on systems with leftovers, not working on others) – WoJ May 23 '13 at 06:34

1 Answer


You can simply copy your preferred MSF module with a different name and modify the generated HTML embed code to contain the java_version attribute. Usually the generate_html() method contains this data as you can see here for example from line 117:

https://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/browser/java_rhino.rb

You can also create a new configurable parameter if you want, see the Developers Guide for details!

You can also set up an intercepting proxy like MitMproxy in front of Metasploit that would automatically embed/replace the appropriate java_version attribute in the HTTP response generated by MSF, this way you can test many modules with the same setup.

buherator
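The thread turns on the `java_version` applet parameter, which asks the Java plug-in to run an applet on a specific (possibly older, still-installed) JRE. As an added defender-side example, not code from the thread or from Metasploit, the script below scans captured HTML for applet/object `param` tags named `java_version` and flags specs that pin a JRE older than a given baseline; the HTML sample and the baseline version are constructed for illustration.

```python
# Flag applet embed code that pins an old JRE via the java_version <param>.
# Constructed HTML sample: one applet pinned to the Java 6 family, one asking
# for "1.7 or newer" (satisfied by the current JRE), and one with no pin.
import re
from html.parser import HTMLParser

SAMPLE_HTML = """
<html><body>
<applet code="Demo.class" archive="demo.jar">
  <param name="java_version" value="1.6*">
</applet>
<object type="application/x-java-applet">
  <param name="java_version" value="1.7+">
</object>
<applet code="Plain.class"></applet>
</body></html>
"""

class JavaVersionParamParser(HTMLParser):
    """Collect every java_version param value (name matched case-insensitively)."""
    def __init__(self):
        super().__init__()
        self.requested = []

    def handle_starttag(self, tag, attrs):
        if tag != "param":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == "java_version" and a.get("value"):
            self.requested.append(a["value"].strip())

def version_tuple(spec):
    """'1.6*' -> (1, 6); '1.7.0_45+' -> (1, 7, 0, 45). Wildcards and '+' are dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", spec))

def pinned_old_versions(html, baseline):
    """Return the java_version specs that pin a JRE older than `baseline`.

    A trailing '+' means 'this version or newer', which the current JRE
    satisfies, so only specs without '+' count as pins. A family wildcard
    such as '1.7*' is compared only on the components it actually names.
    """
    parser = JavaVersionParamParser()
    parser.feed(html)
    base = version_tuple(baseline)
    old = []
    for spec in parser.requested:
        if spec.endswith("+"):
            continue
        v = version_tuple(spec)
        n = min(len(v), len(base))
        if v[:n] < base[:n]:
            old.append(spec)
    return old
```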