Java is a popular vector for penetration testers and those who penetrate networks without an invitation. An attacker creates a website to host a Java applet. In the simplest case, the Java applet is signed with a certificate (a self-signed one will do). The user is asked “do you want to allow this applet to run?” The user’s yes response lets the applet run outside the Java sandbox with the user’s full privileges, giving the attacker control over their system.
The signed applet attack requires user interaction. Recent Java exploits take advantage of API loopholes to disable the Java security sandbox, giving the attacker control without asking the user.
Today, I’d like to introduce you to Cobalt Strike’s take on the Java Applet Attacks.
First, you may deploy the trusty self-signed Java applet attack through Cobalt Strike.
A self-signed Java applet attack, by itself, isn’t novel. The special piece is the Cobalt Strike Java payload.
Cobalt Strike’s Java payload uses a native library to inject shellcode for your Windows listener into memory. You may deploy Beacon or Meterpreter through Java attacks. If the environment is not conducive to running a Windows listener (for example, a non-Windows host), Cobalt Strike will dynamically link and run a Java Meterpreter payload for you.
You also have the option of launching a smart applet attack. The smart applet will detect the Java version that’s running and attempt to disable the security sandbox using known exploits. This attack uses Cobalt Strike’s Java payload too.
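Two pieces of the above are worth seeing in code: the check that tells you whether a signed applet actually escaped the sandbox once the user clicked yes, and the Java version detection a smart applet must do before it picks anything else. Here is a small applet that does both. This is an added example written for this post, not Cobalt Strike’s Java payload or injector, and it carries no exploit; the class name AppletProbe, the key alias “demo”, and the version baseline it compares against are all made up for the illustration. It assumes a plugin-era JDK (8 or older) with keytool and jarsigner on the PATH.

```java
// AppletProbe.java: added example, not Cobalt Strike's Java payload.
// Build, self-sign and embed (JDK 8 or older, plugin-era tooling assumed;
// "demo" alias, keystore and password are placeholders):
//   javac AppletProbe.java && jar cf probe.jar AppletProbe*.class
//   keytool -genkeypair -alias demo -keyalg RSA -keystore demo.jks \
//           -storepass changeit -dname "CN=demo"
//   jarsigner -keystore demo.jks -storepass changeit probe.jar demo
//   <applet code="AppletProbe" archive="probe.jar" width="500" height="60"></applet>
import java.applet.Applet;
import java.awt.Graphics;
import java.security.AllPermission;

public class AppletProbe extends Applet {
    // Hypothetical baseline for the "older than" check; pick your own.
    private static final int BASE_FAMILY = 7;
    private static final int BASE_UPDATE = 0;

    private String report = "init() has not run";

    // True when this code's protection domain holds AllPermission, which is
    // what the plugin grants a signed applet after the user clicks "Run".
    // A SecurityManager stays installed even for trusted applets, so
    // System.getSecurityManager() == null is NOT the right test.
    static boolean hasFullPrivileges() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;           // no sandbox installed at all
        try {
            sm.checkPermission(new AllPermission());
            return true;                       // signed and accepted by the user
        } catch (SecurityException denied) {
            return false;                      // unsigned, or the user declined
        }
    }

    // Parse java.version into {family, update}: "1.7.0_07" -> {7, 7},
    // "1.6.0_31" -> {6, 31}, "1.7.0" -> {7, 0}, "9.0.1" -> {9, 1}, "11.0.2" -> {11, 2}.
    // Suffixes such as "-ea" or "-internal" are dropped before parsing.
    static int[] parseVersion(String v) {
        int dash = v.indexOf('-');
        if (dash >= 0) v = v.substring(0, dash);
        String[] p = v.split("[._]");          // "1.7.0_07" -> 1, 7, 0, 07
        int family;
        int update = 0;
        if (p[0].equals("1") && p.length > 1) { // legacy 1.x.y_uu scheme
            family = Integer.parseInt(p[1]);
            if (p.length > 3) update = Integer.parseInt(p[3]);
        } else {                               // Java 9+ scheme major.minor.security
            family = Integer.parseInt(p[0]);
            if (p.length > 2) update = Integer.parseInt(p[2]);
        }
        return new int[] { family, update };
    }

    // True if the parsed version predates the given family/update pair.
    static boolean olderThan(int[] v, int family, int update) {
        return v[0] < family || (v[0] == family && v[1] < update);
    }

    public void init() {
        // java.version is readable inside the sandbox, so this works either way.
        int[] v = parseVersion(System.getProperty("java.version"));
        report = "Java " + v[0] + "u" + v[1]
               + (hasFullPrivileges() ? ", full privileges" : ", sandboxed")
               + (olderThan(v, BASE_FAMILY, BASE_UPDATE) ? ", older than baseline" : "");
    }

    public void paint(Graphics g) {
        g.drawString(report, 10, 20);
    }
}
```

Load the page once with the signed JAR and once with an unsigned copy: the signed one should report full privileges only after you click through the prompt, the unsigned one should always report sandboxed. Keep in mind this whole path depends on the browser plugin, which Oracle removed from Java 11, so test against the plugin-era runtimes your targets actually have.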
These cross-browser and cross-platform Java attacks are part of today’s Cobalt Strike update. Read the release notes to learn what else is new. Licensed users may update with the built-in update program.
Licensed Cobalt Strike users may get the source code to Cobalt Strike’s Java injector and attacks through the Cobalt Strike arsenal. The Cobalt Strike arsenal provides source code, build files, and Cortana scripts to make Cobalt Strike use your modifications.