Thursday, April 7, 2011

Client site attack using java codebase trust

Some times you have to play the bad guy card in order to achieve results. When XSS attacks are not helping you to redirect a victim to your exploit, during a pentest, a more indirect approach can do the trick. Using a normal legitimate URL to do your bits. The latest exploit module for java_codebase_trust from metasploit is ideal for such attacks.  The setup, one domain, any dyndns service or simply a short/tiny url service. These days i prefer a normal domain name, dyndns services and tiny url addresses don't sound so legit for someone to trust. Another idea is a notification for newsletter removal, nobody likes unwanted newsletters, so a removal link is highly appreciated many times.

Our metasploit server, running on msfconsole with the following settings,

I prefer to use local port on 443 for the metasploit listener, since many firewalls won't even check if the traffic is actual https, they will just check the port number and allow the traffic. As for the payload the normal java meterpreter is sufficient and goes undetected on many antiviruses still now.

Adding a backdoor that will redirect a client from the website to the metasploit server can be done with the use of an iframe embedded on the actual html code of our site. Using an encoder also like, http://www.htmlguard.com/articles/wp-content/uploads/html-encryption.html we can encode our actual address to make it a bit harder on the first look to raise suspicion. In our case a redirect to the server with ip address 192.168.2.23 can be encoded ,

and from the options my favorite encoding is base64,

Adding html tags to the code, the following line can be inserted on any html/php file on our website.

What will happen is, that when some user will go to look on our website he will be redirected also with no warning or any other notice to the metasploit server running the java_codebase_trust exploit on ip address 192.168.2.23. If the client will be running a vulnerable java version we will have a meterpreter connection.

No comments:

Post a Comment