Saturday, January 12, 2013

Having fun with the java zero day vulnerability

Once again, there is a Java zero-day in the wild. There is no fix yet, other than disabling the Java plugin.

This vulnerability is a great introduction to computer security, for three reasons. First, it is high level and very simple to use. Second, it is very effective, and a lot of people are affected (everyone using Java 1.7.xxx, 100% of the time, on Mac, Windows or Linux, in any browser (although some browsers require the user to click "execute this applet")). Third, it is not yet patched :-)

What you need to carry out the attack:
Have your target visit a webpage that displays a custom-made Java applet. This applet will have full access, and that's it, game almost over... (For it to be really game over: add privilege escalation and then a rootkit to the list.)

How do you create the custom-made Java applet:

You copy and paste from the source code available on

(or https://gist.github.com/4506143 for line by line explanation)
into a file yourfilename.java (the file name must match the class name).
Fix the (intended) small mistakes (add line 24:

public class yourfilename extends Applet {

and fix the missing " in place of " in ByteArrayWithSecOff).

Compile it with javac from a 1.7.010 JDK. You obtain a yourfilename.class that you should put somewhere on the web.
In the source of the webpage your target will see, add:

<applet code="pathtoyourfilename.class" width="300" height="300"></applet>

You can now test it. The victim should see a calculator open when the applet executes.
(If you test locally, you need a web server to serve the HTML page over http(s), so that the address bar shows 'localhost' instead of file:///.)
Depending on browser settings, it may not require any user interaction.
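The delivery step above is nothing more than an `<applet>` tag in a page the victim visits, so the defender's counterpart is to spot pages that hand content to the Java plugin at all. The script below is an added example, not code from the original post: it scans HTML for the `<applet>` form shown above, plus the `<object>` and `<embed>` forms that load Java through the `application/x-java-applet` MIME type or the Java plugin's ActiveX classid, and reports where each one points so the referenced `.class` or `.jar` can be pulled for analysis. The sample page is constructed; the file names in it are placeholders taken from or modelled on the post.

```python
"""Flag HTML that loads Java applets, for review of served pages or proxy captures.

Added example, not part of the original post. Constructed sample input below.
"""
from html.parser import HTMLParser

# Browsers hand content to the Java plugin via this MIME type prefix or classid.
JAVA_MIME_PREFIX = "application/x-java-applet"
JAVA_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"  # Java plugin ActiveX classid


class AppletFinder(HTMLParser):
    """Collect every element that would start the Java plugin."""

    def __init__(self):
        super().__init__()
        self.findings = []        # dicts: tag, code, archive, reason
        self._open_object = None  # <object> waiting for its <param> children

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._add(tag, a.get("code"), a.get("archive"), "<applet> element")
        elif tag == "embed" and a.get("type", "").lower().startswith(JAVA_MIME_PREFIX):
            self._add(tag, a.get("code"), a.get("archive"), "embed with Java MIME type")
        elif tag == "object":
            java = (a.get("type", "").lower().startswith(JAVA_MIME_PREFIX)
                    or a.get("classid", "").lower() == JAVA_CLSID)
            self._open_object = {"code": None, "archive": None, "java": java}
        elif tag == "param" and self._open_object is not None:
            name = a.get("name", "").lower()
            if name in ("code", "archive"):
                self._open_object[name] = a.get("value")
            # An <object> with a code= param loads Java even without a Java type attribute.
            if name == "code":
                self._open_object["java"] = True

    def handle_endtag(self, tag):
        if tag == "object" and self._open_object is not None:
            o = self._open_object
            self._open_object = None
            if o["java"]:
                self._add("object", o["code"], o["archive"], "object targeting Java plugin")

    def _add(self, tag, code, archive, reason):
        self.findings.append({"tag": tag, "code": code, "archive": archive, "reason": reason})


def find_java_loaders(html):
    """Return one finding per element in html that would start the Java plugin."""
    parser = AppletFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the post's applet tag, two other Java loaders, and a Flash
# object that must not be reported.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<applet code="pathtoyourfilename.class" width="300" height="300"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="code" value="Loader.class">
  <param name="archive" value="payload.jar">
</object>
<embed type="application/x-java-applet" code="Other.class" width="1" height="1">
<object type="application/x-shockwave-flash" data="movie.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for f in find_java_loaders(SAMPLE_PAGE):
        print(f"{f['tag']:6} code={f['code']!r} archive={f['archive']!r}  ({f['reason']})")
```

Run against a saved page or a proxy's response body, each hit names the `.class` or `.jar` to retrieve for analysis; a 1x1 applet or one whose code attribute points off-site is the pattern to treat with most suspicion, since a legitimate applet has no reason to hide.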


If you want to modify it, you just have to substitute
Runtime.getRuntime().exec("calc.exe"); //Adapt on linux or mac
with any Java code you want.

Of course, if you don't want to go into so much detail, you could just use Metasploit (where there is more documentation).

Varying the source while keeping its spirit, combined with serving it from infected clients, should allow it to get past many antivirus products.
This vulnerability is itself a variant of a vulnerability from August 2012.

R.I.P Aaron Swartz