Metasploit mailing list archives

Re: Java AtomicReferenceArray Type exploit and java meterpreter question


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Mon, 23 Apr 2012 06:52:39 -0700 (PDT)

Thanks for your reply Balint. I'm going to try some of those ideas out.
I'm also looking into using ProGuard as it is FOSS and could come in handy in case someone else is researching this 
topic.


<rant>On a side note, I've received a private email off list telling me in a condescending tone "to help instead of hack".
While I realize that my questions about bypassing AV seem black-hattish, I urge you not to assume the worst about people you know nothing about.
As we all know in this field, pretty much any tool or technique can be classified as a dual use good that can be used 
for good or evil.

To paraphrase from the gun enthusiasts: "Hacking doesn't hurt people. People hurt people."

In sum, I'm not a black hat so please spare me your condescending emails. 
If you want to help with my questions, great. If not, that's fine too. If you're afraid of helping out in a public list 
like this for fear of spoon feeding script kiddies and black hatters, that's a legitimate worry that I do understand. 
If that's the case just email me privately please. </rant>

Cheers,
Miguel


________________________________
 From: Balint Varga-Perke <vpbalint () gmail com>
To: framework () spool metasploit com 
Sent: Monday, April 23, 2012 8:32 AM
Subject: Re: [framework] Java AtomicReferenceArray Type exploit and java meterpreter question
My random thoughts:

- Some AVs detect strings like "exploit" and "payload"; you can simply try renaming those classes - no joke :)

- The Payload class is basically "plug-n-play": you can define arbitrary (not that suspicious) behavior in it.

- Theoretically you can also pimp the buf byte array (that can be a good choice for signature generation), or build it at runtime (I would suggest this latter approach first). Yes, a Java obfuscator can come in handy.

- The Help class seems to be the most difficult to cover, since it messes with classloader permissions, making it an obvious target for heuristics. Maybe you can use Reflection to initiate the proper classes (build the class name string at runtime, then use Class.forName()).

On 04/22/2012 09:31 PM, Miguel Rios wrote: 
Hi everyone,


1) Been playing around with the Java AtomicReferenceArray Type exploit that was recently added.
It works rather well in my tests but it seems to be picked up by most AVs by now. Is there a way to apply obfuscation 
through the framework for AV bypass?
Looking at the exploit it seems that the cve-2012-0507-jar used is immediately picked up by AV. Looking inside the jar 
it seems that AV (Avira in my test) picks up the Help.class as EXP/Java.Carbul.Gen while the Exploit.class gets 
flagged as EXP/CVE-2012-0507 and Payloadx.class gets flagged as EXP/CVE-2012-0507.H. Notice that the Payloadx.class 
detection has an H at the end. The only class that seems clean (again I'm testing on Avira) is the 
PayloadX$StreamConnector.class.
Now before I spend too much time trying to figure this out, is it even possible to bypass AVs by encrypting or 
obfuscating the jar by using something like http://zenofx.com/classguard/? Anyone tried it before or know of a 
different freeware or open source solution? Or am I going about this the wrong way and there's a simpler solution?




_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework