adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tidy pass on exploit mixins

Browse Source 
git-svn-id: file:///home/svn/framework3/trunk@10487 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Joshua Drake
2010-09-26 21:02:00 +00:00
parent e4bef2ce51
commit f07f354472
20 changed files with 273 additions and 276 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/msf/core/exploit/java.rb
+34 -30
View File
@@ -19,11 +19,11 @@ module Exploit::Java
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'JavaCache', [true, 'Java cache location',
File.join(Msf::Config.config_directory, "javacache")]),
OptString.new( 'JavaCache', [true, 'Java cache location',
File.join(Msf::Config.config_directory, "javacache")]),
OptString.new( 'AddClassPath', [false, 'Additional java classpath', nil]),
], self.class)
@@ -53,14 +53,14 @@ module Exploit::Java
@jvm_init = true
end
def query_jvm
return @jvmInit
end
def save_to_file(classnames, codez, location)
path = File.join( Msf::Config.install_root, "external", "source", location )
if not File.exists? path
Dir.mkdir(path)
end
@@ -68,7 +68,7 @@ module Exploit::Java
i = 0
classnames.each { |fil|
file = File.join( path, fil + ".java")
fp = File.open( file, "w" )
fp = File.open( file, "wb" )
print_status "Writing #{fil} to " + file
fp.puts codez[i]
i += 1
@@ -80,34 +80,34 @@ module Exploit::Java
if !@rjb_loaded or !@jvm_init
raise RuntimeError, "Could not load rjb and/or the JVM: " + @java_error.to_s
end
if compile_options.class.to_s != "Array" && compile_options
raise RuntimeError, "Compiler options must be of type Array."
end
compile_options = [] if compile_options.nil?
# Create the directory if it doesn't exist
Dir.mkdir(datastore['JavaCache']) if !File.exists? datastore['JavaCache']
# For compatibility, some exploits need to have the target and source version
# set to a previous JRE version.
std_compiler_opts = [ "-target", "1.3", "-source", "1.3", "-d", datastore['JavaCache'] ]
compile_options += std_compiler_opts
java_compiler_klass = Rjb::import('javaCompile.CompileSourceInMemory')
# If we were passed arrays
if classnames.class == [].class && codez.class == [].class
# default compile class
begin
# Sames as java_compiler_klass.CompileFromMemory( String[] classnames,
# Sames as java_compiler_klass.CompileFromMemory( String[] classnames,
# String[] codez, String[] compilerOptions)
success = java_compiler_klass._invoke('CompileFromMemory',
# Signature explained: [ means array, Lpath.to.object; means object
# Thus, this reads as call the method with 3 String[] args.
'[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;',
'[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;',
classnames, codez, compile_options)
rescue Exception => e
print_error "Received unknown error: " + e
@@ -116,10 +116,10 @@ module Exploit::Java
raise RuntimeError, "The Java mixin received unknown argument-type combinations and cannot continue."
end
if !success
raise RuntimeError, "Compile failed."
raise RuntimeError, "Compile failed."
end
end
def build_jar(output_jar, in_files)
if output_jar.class != "".class || in_files.class != [].class
raise RuntimeError, "Building a jar requires an output_jar and an Array of in_files."
@@ -127,7 +127,7 @@ module Exploit::Java
# Add paths
in_files = in_files.map { |file| File.join(datastore['JavaCache'], file) }
create_jar_klass = Rjb::import('javaCompile.CreateJarFile')
file_class = Rjb::import('java.io.File')
@@ -141,8 +141,8 @@ module Exploit::Java
#
# http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf
#
def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore",
msf_store_pass="msfstorepass", msf_key_pass="msfkeypass")
def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore",
msf_store_pass="msfstorepass", msf_key_pass="msfkeypass")
# Dependent on $JAVA_HOME/lib/tools.jar that comes with the JDK.
signer_klass = Rjb::import('javaCompile.SignJar')
@@ -150,29 +150,33 @@ module Exploit::Java
# Check if the keystore exists from previous run. If it does, delete it.
msf_keystore = File.join(datastore['JavaCache'], msf_keystore)
File.delete msf_keystore if File.exists? msf_keystore
# Rjb pukes on a CN with a comma in it so bad that it crashes to shell
# and turns input echoing off. Simple fix for this ugly bug is
# just to get rid of commas which kinda sucks but whatever. See #1543.
keytool_opts = ["-genkey", "-alias", cert_alias, "-keystore", msf_keystore,
"-storepass", msf_store_pass, "-dname", "CN=#{cert_cn.gsub(",",'')}",
"-keypass", "msfkeypass"]
keytool_opts = [
"-genkey", "-alias", cert_alias, "-keystore", msf_keystore,
"-storepass", msf_store_pass, "-dname", "CN=#{cert_cn.gsub(",",'')}",
"-keypass", "msfkeypass"
]
# Build the cert keystore
signer_klass._invoke('KeyToolMSF','[Ljava.lang.String;',keytool_opts)
jarsigner_opts = ["-keystore", msf_keystore, "-storepass", msf_store_pass,
"-keypass", msf_key_pass, "-signedJar",
File.join(datastore['JavaCache'], signed_jar), # Signed Jar
File.join(datastore['JavaCache'], unsiged_jar), # Input Jar we're signing
cert_alias] # The cert we're using
jarsigner_opts = [
"-keystore", msf_keystore, "-storepass", msf_store_pass,
"-keypass", msf_key_pass, "-signedJar",
File.join(datastore['JavaCache'], signed_jar), # Signed Jar
File.join(datastore['JavaCache'], unsiged_jar), # Input Jar we're signing
cert_alias # The cert we're using
]
signer_klass._invoke('JarSignerMSF','[Ljava.lang.String;',jarsigner_opts)
# There are warnings in the source for KeyTool/JarSigner warning that security providers
# are not released, and if you are calling .main(foo) from another app, you need to release
# them manually. This is not done here, and should Rjb be used for anything in the future,
# this may need to be cleaned up.
end
end
end