Advanced Exploitation (part 3) Exploiting Java

00:04

All right, now, let me take a look at Explain job us. This is going to be our first attack on our window seven system. The version of java that's on. There is no about a year old now,

00:17

but it is a little bit out of date. It is subject to some memory corruption vulnerabilities like the one we just did against the browser.

00:24

So I encourage you to see if you can find some memory corruption vulnerabilities you can use against it

00:31

on DDE.

00:32

Try those to get additional sessions, but we're not always constrained. We're working with clients. I'd attacks to memory corruption or some other flaw

00:43

in the service. Since we do have user interaction, sometimes we can get the user to help us.

00:49

So in our medicine section, for instance, who made that execute herbal and then put the user and just ran it by going to see that again a little bit later on? In this section, we look ATT, avoiding anti virus.

01:02

We'll turn on our anti virus on our window. Seven.

01:06

See if we can create inexcusable that can bypass it with various techniques, but

01:12

we could do something very similar here with Java, we can actually create a job, apple it and prompt the user. Would you like to run this apple it once the user says Yes, you know, pretty much run anything that a Java applet can run,

01:26

including

01:27

getting, um, interpreter session. Oddly enough, let's take a look at that.

01:33

What we want is exploit. Multi job is nice because its platform independent

01:40

yeah, actually run these Java once again

01:42

everything that comes in People's Max

01:46

he's done with these.

01:49

There are options again is going to be server based, So we have no Are those

01:57

on older versions of Java? You can get it, actually say that it's signed by a legitimate

02:02

source. That's not going to be the case on anything. They were wised up to this

02:08

unless you actually sign it with a legitimate

02:12

signing certificate, which you certainly can. I mean, there's nothing to stop you from by signing shirt

02:17

you do. These sorts of things regularly might be worth it,

02:23

but you can start the apple it names before his toe.

02:31

You can

02:34

do signing keys and most ourselves. There some things you don't have any of those

02:46

on. Bashar payloads are gonna be Java based halos again. That will help make it platform independent.

02:53

Actually, by default their windows very lives.

02:57

We look at feel options again.

03:00

The exploit target, right? A cult is window for whatever reasons, with producer targets.

03:07

You actually said it to Java.

03:09

The little hit everything. Since this is gonna be window, that doesn't particularly matter. We could just leave with his windows

03:17

changes.

03:21

I've seen enough windows in Sure.

03:27

Reload.

03:29

Java Interpreter

03:30

Server Ping.

03:38

Well, look, our browser. This is going to run in the background.

03:43

Bills come overto windows seven.

03:47

Don't be well, don't we have to remember what? My password.

03:55

All right, so open up,

03:59

are there? My browser's Firefox actually has a neat thing. Where if your Klingons are out of date, it'll actually prompt you

04:08

that

04:10

you have to turn them on, basically,

04:15

you know where?

04:20

Not here. But the news is today.

04:40

What do you want on this application? Depending on what brother use, you're gonna get a different one of these. If you run like, go to meetings and web exes and things like that, you probably see stuff like that. Like, do you want allow this thing to run code,

04:54

and if we actually want to attend the meeting, we have to say yes, though it specifically says that we'll have unrestricted access years to stop.

05:01

But

05:02

these things happen.

05:03

We actually want to

05:06

do what's on the other side. We, even our security conscious users, have a tendency to say yes.

05:12

So

05:14

it's all a matter of making the user think what's on the other side is more important than security.

05:19

The run,

05:21

he said. Nothing really happened.

05:24

What would you get? A session

05:27

the interactive session for So we now do have access or wonder seven Machine Don't have has John.

05:33

The job lovers are

05:36

of this.

05:39

Plus, we'll see won't get into post exploitation that week.

05:43

We'll have a little more we have to do in order to get

05:46

publicists to do. Has dump on Windows seven. It has some additional restrictions in place that we will have to bypass, but we will be able to do so

06:01

begin. Our drama is going to have some vulnerabilities. Job is one that gets a fair amount of attention.

06:08

It is so ubiquitous, and it does allow you some platform independence only attack.

06:14

So there are issues that will

06:18

attacked this particular version of Java that's on there as well as some later versions.

06:24

So I encourage you to spend some time looking at those. Certainly we haven't would get every single possible way to exploit the system.

06:32

But this is another example where we

06:36

did something a little bit different. We asked the user, Hey, can I exploit you on? It doesn't matter whether whether there's a vulnerability at all. In that case, it's the user says yes, and we run codes are very similar to downloading any XY