ideriev

MBAE doesn't block exploits based on Java add-on


I used Metasploit to test MBAE Free and got mixed results:

- CVE-2014-0515 (Windows 7 SP1, IE 11, Flash Player 12) was successfully blocked

- but CVE-2013-2465 (Windows 7 SP1, IE 11, JRE 1.7u5) wasn't. And the same with some other similar Java exploits.

What is the reason? Would the support team like to comment?

 

mbae-logs.zip


Welcome to the forum and thanks for posting.

What msf payloads are you using?


CVE-2013-2465 blocked here under similar circumstances (Win7, IE, JRE 1.7u4). Can you please share some details on your test setup?


Tried other payloads (down_exec and meterpreter) with same results.


Hi pbust.

Thanks for your answer and sorry for my delay.

I have also tried (through the Metasploit web interface) 4 different combinations of Target setting (Generic-Java payload/Windows Universal) and Payload type (Meterpreter/Command Shell). Actually, MBAE failed to block only one of them, Generic+Meterpreter, and was successful in the three others.


Thanks for the info, we'll investigate further and get back to you.

 

Thanks again for testing!


We're closing 1.04 and looking into this in parallel. As soon as we have an update I'll post here.


The problem is not with the CVE but with the payload used. In fact, they used the same payload configuration as you in the 4 failures that are shown for MBAE. So basically they found the same bypass as you but applied it to a different CVE.


Can you please try MBAE 1.05?

https://forums.malwarebytes.org/index.php?/topic/160317-mbae-experimental-10531010/

 

When you try this again, please make sure that the Metasploit machine is physically different from the attacked machine. It is a known issue that when the payload is delivered from the same machine it does not behave the same way as when it is remote.


MBAE 1.05 still does not detect the combination of Generic settings and the Meterpreter payload.

(Metasploit server and exploitable machine were different VMs)


Yes it seems that some scenarios cause the bypass. We're reviewing the findings.

 

Thanks for testing this again!
