Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson discusses how to exploit Java on a Windows 7 system as a client-side attack: instead of relying on a memory-corruption bug, a malicious Java applet asks the user for permission to run. Participants follow step-by-step instructions in the Metasploit Framework (msfconsole) to build and serve the applet and obtain a session on the target.

Video Transcription

00:04
All right, now let me take a look at exploiting Java. This is going to be our first attack on our Windows 7 system. The version of Java that's on there is now about a year old,
00:17
but it is a little bit out of date. It is subject to some memory corruption vulnerabilities like the one we just did against the browser.
00:24
So I encourage you to see if you can find some memory corruption vulnerabilities you can use against it
00:31
on DDE.
00:32
Try those to get additional sessions, but we're not always constrained, when we're working with client-side attacks, to memory corruption or some other flaw
00:43
in the service. Since we do have user interaction, sometimes we can get the user to help us.
00:49
So in our Metasploit section, for instance, we made that executable and then the user just ran it. We're going to see that again a little bit later on in this section, when we look at avoiding antivirus.
01:02
We'll turn on our antivirus on our Windows 7,
01:06
see if we can create an executable that can bypass it with various techniques, but
01:12
we could do something very similar here with Java. We can actually create a Java applet and prompt the user: would you like to run this applet? Once the user says yes, you know, we can pretty much run anything that a Java applet can run,
01:26
including
01:27
getting, um, a Meterpreter session. Oddly enough, let's take a look at that.
01:33
What we want is exploit, multi. Java is nice because it's platform independent.
01:40
yeah, actually run these Java once again
01:42
everything that comes in, people's Macs,
01:46
he's done with these.
01:49
The options again: it's going to be server based, so we have no RHOSTS.
01:57
On older versions of Java you could get it to actually say that it's signed by a legitimate
02:02
source. That's not going to be the case on anything newer. They've wised up to this,
02:08
unless you actually sign it with a legitimate
02:12
signing certificate, which you certainly can. I mean, there's nothing to stop you from buying a signing cert.
02:17
If you do these sorts of things regularly, it might be worth it,
02:23
but you can start the applet names before his toe.
02:31
You can
02:34
do signing keys and most ourselves. There some things you don't have any of those
02:46
And our payloads are going to be Java-based payloads again. That will help make it platform independent.
02:53
Actually, by default they're Windows very lives.
02:57
We'll look at the options again.
03:00
The exploit target by default is Windows, for whatever reason. We'll show targets.
03:07
You can actually set it to Java.
03:09
That will hit everything. Since this is going to be Windows, that doesn't particularly matter. We could just leave it as Windows.
03:17
changes.
03:21
I've seen enough Windows, I'm sure.
03:27
Reload.
03:29
Java Meterpreter.
03:30
Server Ping.
03:38
We'll look at our browser. This is going to run in the background.
03:43
Let's come over to Windows 7.
03:47
Oh well, now I have to remember what my password is.
03:55
All right, so open up,
03:59
there. My browser, Firefox, actually has a neat thing where, if your plugins are out of date, it'll actually prompt you
04:08
that
04:10
you have to turn them on, basically,
04:15
you know where?
04:20
Not here. But the news is today.
04:40
Do you want to run this application? Depending on what browser you use, you're going to get a different one of these. If you run, like, GoToMeetings and WebExes and things like that, you probably see stuff like that. Like, do you want to allow this thing to run code,
04:54
and if we actually want to attend the meeting, we have to say yes, though it specifically says that it will have unrestricted access to your system.
05:01
But
05:02
these things happen.
05:03
If we actually want to
05:06
do what's on the other side, we, even our security-conscious users, have a tendency to say yes.
05:12
So
05:14
it's all a matter of making the user think what's on the other side is more important than security.
05:19
Then run,
05:21
and it said nothing really happened.
05:24
But what we did get is a session,
05:27
the interactive session. So we now do have access to our Windows 7 machine. We don't have hashdump.
05:33
The Java lovers are
05:36
of this.
05:39
Plus, we'll see when we get into post exploitation next week.
05:43
We'll have a little more we have to do in order to get
05:46
privileges to do hashdump on Windows 7. It has some additional restrictions in place that we will have to bypass, but we will be able to do so.
06:01
Again, our Java is going to have some vulnerabilities. Java is one that gets a fair amount of attention.
06:08
It is so ubiquitous, and it does allow you some platform independence on the attack.
06:14
So there are issues that will
06:18
attack this particular version of Java that's on there as well as some later versions.
06:24
So I encourage you to spend some time looking at those. Certainly we won't get to every single possible way to exploit the system.
06:32
But this is another example where we
06:36
did something a little bit different. We asked the user, "Hey, can I exploit you?" and it doesn't matter whether there's a vulnerability at all. In that case, the user says yes and we run code. It's very similar to downloading an EXE
06:49
and running it, saying, "Hey, can I run this piece of code?"

Up Next

Advanced Penetration Testing

This course covers how to attack from the web using cross-site scripting, SQL injection attacks, and remote and local file inclusion, and how to understand the defender of the network you're breaking into. You'll also learn tricks for exploiting a network.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor