Metasploit mailing list archives

Re: Java AtomicReferenceArray Type exploit and java meterpreter question


From: Jonathan Cran <jcran () 0x0e org>
Date: Mon, 23 Apr 2012 09:10:03 -0500

Try slightly modifying the .class file with classeditor:
http://classeditor.sourceforge.net/ - Apparently AV will flag on an md5 of
the .class file sometimes :)

WRT the %TEMP% variable stuff, I'm not sure off the top of my head, but if
you jump in #metasploit I'm sure someone can help. Try this for starters:

http://stackoverflow.com/questions/1048661/accessing-windows-system-variables-in-java-1-4


jcran


On Mon, Apr 23, 2012 at 8:52 AM, Miguel Rios <miguelrios35 () yahoo com> wrote:

Thanks for your reply Balint. I'm going to try some of those ideas out.
I'm also looking into using ProGuard as it is FOSS and could come in handy
in case someone else is researching this topic.

<rant>On a side note, I've received a private email off list telling me in
a condescending tone "to help instead of hack".
While I realize that my questions about bypassing AV seem black-hattish,
I urge you not to assume the worst about people you know nothing about.
As we all know in this field, pretty much any tool or technique can be
classified as a dual use good that can be used for good or evil.
To paraphrase from the gun enthusiasts: "Hacking doesn't hurt people.
People hurt people."

In sum, I'm not a black hat so please spare me your condescending emails.
If you want to help with my questions, great. If not, that's fine too. If
you're afraid of helping out in a public list like this for fear of spoon
feeding script kiddies and black hatters, that's a legitimate worry that I
do understand. If that's the case just email me privately please. </rant>

Cheers,
Miguel
  ------------------------------
*From:* Balint Varga-Perke <vpbalint () gmail com>
*To:* framework () spool metasploit com
*Sent:* Monday, April 23, 2012 8:32 AM
*Subject:* Re: [framework] Java AtomicReferenceArray Type exploit and java meterpreter question

 My random thoughts:

- Some AVs detect strings like "exploit" and "payload"; you can simply try
renaming those classes - no joke :)

- The Payload class is basically "plug-n-play": you can define arbitrary (not
that suspicious) behavior in it.

- Theoretically you can also pimp the buf byte array (that can be a good
choice for signature generation), or build it at runtime (I would suggest
this latter approach first). Yes, a Java obfuscator can come in handy.

- The Help class seems to be the most difficult to cover, since it messes
with classloader permissions, making it an obvious target for heuristics.
Maybe you can use Reflection to initiate the proper classes (build the
class name string at runtime, then use Class.forName()).

On 04/22/2012 09:31 PM, Miguel Rios wrote:

 Hi everyone,

 1) Been playing around with the Java AtomicReferenceArray Type exploit
that was recently added.
It works rather well in my tests but it seems to be picked up by most AVs
by now. Is there a way to apply obfuscation through the framework for AV
bypass?
Looking at the exploit it seems that the cve-2012-0507-jar used is
immediately picked up by AV. Looking inside the jar it seems that AV (Avira
in my test) picks up the Help.class as EXP/Java.Carbul.Gen while the
Exploit.class gets flagged as EXP/CVE-2012-0507 and Payloadx.class gets
flagged as EXP/CVE-2012-0507.H. Notice that the Payloadx.class detection
has an H at the end. The only class that seems clean (again I'm testing on
Avira) is the PayloadX$StreamConnector.class.
Now before I spend too much time trying to figure this out, is it even
possible to bypass AVs by encrypting or obfuscating the jar by using
something like http://zenofx.com/classguard/? Anyone tried it before or
know of a different freeware or open source solution? Or am I going about
this the wrong way and there's a simpler solution?




_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


-- 
Jonathan Cran
jcran () 0x0e org
515.890.0070