Metasploit mailing list archives
Re: Java AtomicReferenceArray Type exploit and java meterpreter question
From: Balint Varga-Perke <vpbalint () gmail com>
Date: Wed, 25 Apr 2012 10:54:33 +0200
Just a quick test with Help.java:

    Class perm_c=Class.forName("Perm"+"issions");
    Constructor perm_ct=perm_c.getConstructor(new Class[0]);
    Permissions perm = (Permissions)perm_ct.newInstance(new Object[0]);

This makes detection ratio drop from 14/42 -> 5/42 on VirusTotal for Help.class

On 04/22/2012 09:31 PM, Miguel Rios wrote:
Hi everyone,

1) Been playing around with the Java AtomicReferenceArray Type exploit that was recently added. It works rather well in my tests but it seems to be picked up by most AVs by now. Is there a way to apply obfuscation through the framework for AV bypass? Looking at the exploit it seems that the cve-2012-0507-jar used is immediately picked up by AV. Looking inside the jar it seems that AV (Avira in my test) picks up the Help.class as EXP/Java.Carbul.Gen, while the Exploit.class gets flagged as EXP/CVE-2012-0507 and Payloadx.class gets flagged as EXP/CVE-2012-0507.H. Notice that the Payloadx.class detection has an H at the end. The only class that seems clean (again I'm testing on Avira) is the PayloadX$StreamConnector.class.

Now before I spend too much time trying to figure this out, is it even possible to bypass AVs by encrypting or obfuscating the jar by using something like http://zenofx.com/classguard/? Anyone tried it before or know of a different freeware or open source solution? Or am I going about this the wrong way and there's a simpler solution?

2) Also, slightly off topic, but I noticed that java/meterpreter doesn't handle Windows environment variables like %temp% and so forth. This means that when using multicommand to, say, upload a binary and then execute it, one needs to know the user's permissions and working directory, and there's a lot of trial and guessing going on. Since most users have permissions in the %temp% directory, it's a good directory to upload to and execute in after a successful exploit. Is there a way to implement this without having to spell out the full path?

Thanks

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Java AtomicReferenceArray Type exploit and java meterpreter question Miguel Rios (Apr 22)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Balint Varga-Perke (Apr 23)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Miguel Rios (Apr 23)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Jonathan Cran (Apr 23)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Joshua Smith (Apr 23)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Miguel Rios (Apr 23)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Balint Varga-Perke (Apr 25)
- Re: Java AtomicReferenceArray Type exploit and java meterpreter question Balint Varga-Perke (Apr 23)