browser_autopwn and Java Detction

[Kx499]

I've been spending a bit familiarizing myself with the client side exploits in msf just to get a better understanding of them and how they work. I have been testing the various exploits against some test pc's (vista with ie8 , xp sp2 (not patched) iie6 & 7, xpsp3 ie8) in my home network.

Some background on my test machines: The Vista Machine has an older version of Java (prior to 1.6 update 16) and the two xp boxes have been tested prior to Java being installed and with the most up to date versions.

One thing I noticed with the browser_autopwn is that it always chooses java_calendar_deserialize whether or not the victim has java installed or not. It also picks this when Java is installed and up to date which will fail. Other browser exploits in the list would have worked against the xp machines but it never picks them. I also noticed some relevant browser exploits were not included (like arora)

I have 2 questions:
1) The modules almost seems like it just doesn't check if java is installed or enabled. I looked through the source of the module and didn't look like it checked, but I am far from familiar with Ruby or the framework. Any ideas how to address this, just wondering if there is some configuration needed, or if I need to figure out how to check ahead time.

2) Does anyone know why it would exclude the arora exploit?

[Kx499]

I sort of found the answer, by taking a look at the slides from defcon 17 about the browser_autopwn and its functionality and looking through the source of some of the modules. I'll post it in case anyone else is curious. For #1 the aurora exploit was superceded by ie_behaviors, which was superceded by ie_css_clip. For #2 You can control what exploits are used with the module by adding/modifying this information in the exploit:

include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "8.0",
:javascript => true,
s_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
})

The vuln_test is javascript that tests a condition for the exploit, a better example is from the mozilla_navigatorjava module

include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::FF,
:javascript => true,
:rank => NormalRanking, # reliable memory corruption
:vuln_test => %Q|
is_vuln = false;
if (window.navigator.javaEnabled && window.navigator.javaEnabled()){
is_vuln = true;
}
|,
})

My guess is that there is no reliable way to test for java being enabled across multiple platforms, but then again I'm not very good with Javascript. Does anyone know of a good way to test for Java being enabled and better yet the installed version from JavaScript?

[Kx499]

I was eventually able to find a solution to my last question as well, and again figured I would just finish up the post with my solution. After some poking around and some trial and error I found a JavaScript solution that is platform and browser independent to check for the running version of Java from here: http://javatester.org/version.html

To sum it up, Java has a deployJava.js script that contains a checkversion function. Now that function contains references to a handful of other functions in the script, so you have to reference the script in the HEAD tag of the HTTP that gets created in the browser_autopwn.rb file under the setup method (just can't throw the whole thing in the :vulntest due to | in the regex functions in the script that throws off the module). You can then reference any of those functions in the :vuln_test to check the exact version of java to make sure the target is actually vulnerable to the exploit before it tries to use it.

The vuln test would look like this for java_calendar_deserialize:

:vuln_test => %Q|
is_vuln = false;
if (deployJava.versionCheck("1.6.0_17")==false){
is_vuln = true;
}
|

To me it still could be better. It would be ideal if that script could be downloaded into the URIPATH directory when browser_autopwn runs and served up from there, but not sure how to make that happen.