Metasploit mailing list archives

Re: Java AtomicReferenceArray Type exploit and java meterpreter question


From: Balint Varga-Perke <vpbalint () gmail com>
Date: Mon, 23 Apr 2012 10:32:30 +0200

My random thoughts:

- Some AVs detect strings like "exploit" and "payload", you can simply
try and rename those classes - no joke :)

- Payload class is basically "plug-n-play" you can define arbitrary (not
that suspicious) behavior in it.

- Theoretically you can also pimp the buf byte array (that can be a good
choice for signature generation), or build it in runtime (I would
suggest this latter approach first). Yes, a java obfuscator can come in handy.

- The Help class seems to be the most difficult to cover, since it
messes with classloader permissions making it an obvious target for
heuristics. Maybe you can use Reflection to initiate the proper classes
(build the class name string in runtime then use Class.forName()).

On 04/22/2012 09:31 PM, Miguel Rios wrote:
Hi everyone,

1) Been playing around with the Java AtomicReferenceArray Type exploit
that was recently added.
It works rather well in my tests but it seems to be picked up by most
AVs by now. Is there a way to apply obfuscation through the framework
for AV bypass?
Looking at the exploit it seems that the cve-2012-0507-jar used is
immediately picked up by AV. Looking inside the jar it seems that AV
(Avira in my test) picks up the Help.class as EXP/Java.Carbul.Gen
while the Exploit.class gets flagged as EXP/CVE-2012-0507 and
Payloadx.class gets flagged as EXP/CVE-2012-0507.H. Notice that the
Payloadx.class detection has an H at the end. The only class that
seems clean (again I'm testing on Avira) is the
PayloadX$StreamConnector.class.
Now before I spend too much time trying to figure this out, is it even
possible to bypass AVs by encrypting or obfuscating the jar by using
something like http://zenofx.com/classguard/? Anyone tried it before
or know of a different freeware or open source solution? Or am I going
about this the wrong way and there's a simpler solution?
